Critical Windows ‘RegPwn’ Flaw Patched: Elevates Low-Privilege Users to SYSTEM Control

Critical ‘RegPwn’ Vulnerability in Windows Registry Grants Attackers Full System Access

A significant security flaw, known as RegPwn and designated CVE-2026-24291, has been identified in Windows operating systems. This elevation-of-privilege vulnerability enables users with minimal privileges to escalate their access to full SYSTEM-level control. The vulnerability was discovered by the MDSec red team, who have been using it in internal security assessments since January 2025. Microsoft has since addressed the issue in a recent Patch Tuesday update.

Understanding the Vulnerability

The core of the RegPwn vulnerability lies in how Windows manages its built-in accessibility features, such as the On-Screen Keyboard and Narrator. These tools are designed to assist users in navigating the operating system and typically operate within the user’s context but with elevated integrity levels.

When a user initiates an accessibility tool like the On-Screen Keyboard, Windows generates a specific registry key to store its configuration settings. Notably, this registry key grants the user full control, even when the account holds only low privileges.

During the login process, these user-specific configurations are copied into the local machine registry hive by a system process. The critical issue arises because the newly created local machine registry key remains writable by the logged-in user, creating a potential avenue for exploitation.
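The condition described above, a machine-wide (HKLM) key that a low-privileged account can still write to, is something an administrator can audit directly. The following PowerShell is an added audit helper, not code from MDSec, Microsoft or the article; the key path is a placeholder because the article does not name the accessibility key, and the list of low-privilege principals is an assumption.

```powershell
# Added audit helper (not MDSec's or Microsoft's code): lists ACEs on a registry
# key that let non-privileged principals modify it. A writable HKLM key is the
# precondition the RegPwn technique relied on.

# Rights that allow altering the key, its values or its subkeys (CreateLink
# covers registry symbolic links; ChangePermissions/TakeOwnership allow
# granting oneself the rest).
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::CreateLink -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

# Assumption: principals that should never hold write rights on a machine-wide
# key. The current (non-admin) user is included because the article says the
# copied key stayed writable by the logged-in user specifically.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone',
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
)

function Get-LowPrivWritableAce {
    param([Parameter(Mandatory)][string]$KeyPath)
    $acl = Get-Acl -Path "Registry::$KeyPath" -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $grantsWrite = ($ace.RegistryRights -band $WriteRights) -ne 0
        $isLowPriv   = $LowPrivPrincipals -contains $ace.IdentityReference.Value
        if ($grantsWrite -and $isLowPriv) {
            [pscustomobject]@{
                Key       = $KeyPath
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# PLACEHOLDER: substitute the accessibility key named in Microsoft's advisory.
$findings = Get-LowPrivWritableAce -KeyPath 'HKEY_LOCAL_MACHINE\SOFTWARE\<ACCESSIBILITY-KEY-PLACEHOLDER>'
if ($findings) { $findings | Format-Table -AutoSize } else { 'No low-privilege write access found.' }
```

Run it as the ordinary (non-admin) user whose access you want to verify, since the ACL check uses that account's own identity; a non-empty result after patching would be worth a closer look at inherited permissions on the parent key.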

Exploitation Mechanism

The vulnerability becomes particularly concerning when user-controlled settings interact with the Windows Secure Desktop environment. The Secure Desktop is an isolated environment used for tasks such as locking the workstation or prompting for administrator credentials. Only trusted processes running with SYSTEM privileges are permitted to execute within this environment.

An attacker can exploit this behavior by modifying their user-level accessibility registry key and placing an opportunistic lock (oplock) on a specific system file. When the user locks their workstation, the system attempts to copy the modified accessibility configurations into the local machine registry. The oplock induces a brief pause in this process, providing the attacker with a narrow window to act.

During this pause, the attacker can replace the local machine registry key with a symbolic link pointing to an arbitrary system registry key. Since the process performing the copy operation runs with SYSTEM privileges, the attacker can successfully write arbitrary values to highly restricted areas of the Windows registry.

In MDSec’s proof-of-concept demonstration, this technique was used to overwrite the execution path of a system service, resulting in immediate SYSTEM-level command prompt access.

Mitigation and Recommendations

Microsoft has addressed CVE-2026-24291 in its recent security updates. System administrators are strongly encouraged to apply the latest Windows updates promptly to protect their environments from this local privilege escalation vulnerability.

For security researchers and defensive teams, MDSec has made the RegPwn exploit code publicly available on GitHub for further study and analysis.