MDSec researchers have disclosed a Windows local privilege escalation vulnerability they call "RegPwn" that lets an attacker go from a low-privileged user account to full SYSTEM access. The flaw, tracked as CVE-2026-24291, stems from how Windows handles registry settings that belong to its built-in accessibility features.

Vulnerability Overview

Windows accessibility tools such as Narrator and the On-Screen Keyboard are designed to run in the user's session while retaining high-integrity permissions. To support them, Windows stores configuration data in a set of registry keys. The researchers found a problem in how the values in those keys are handled when control passes between the user context and the SYSTEM context.

(Figure: Errors in process execution. Source: MDSec)

At logon, Windows grants the user write access to some accessibility-related registry keys in the Local Machine hive.

That write access exists for usability, but it becomes dangerous in combination with the way the operating system later reads the same settings at a higher privilege level. The vulnerability is triggered when Windows switches to the Secure Desktop, the isolated desktop used for sensitive operations such as locking the workstation or showing User Account Control (UAC) prompts. At that point atbroker.exe is started twice: once as the logged-on user and once as SYSTEM.

These processes copy accessibility configuration data from user-controlled registry locations into protected SYSTEM-owned registry keys. Because the user can write to the source path, an attacker can tamper with the data before the copy takes place.

By replacing part of the source path with a registry symbolic link, an attacker can redirect the SYSTEM process's write so that attacker-controlled data lands in an arbitrary registry location. For example, the attacker could overwrite the ImagePath of a sensitive service such as the Windows Installer service, so that the service launches attacker-supplied code with SYSTEM privileges. Exploitation, however, depends on timing.

The swap has to land in the narrow window while the registry copy is in progress. MDSec's researchers widened that window by placing opportunistic locks (oplocks) on XML files associated with the accessibility features. The oplocks stall the legitimate system operations, giving the attacker time to replace the registry keys with symbolic links pointing at sensitive locations. Although the race window itself is brief, controlling it with oplocks makes exploitation reliable rather than probabilistic.

RegPwn is a serious risk because it lets anyone with low-privileged access take over the whole machine. MDSec said it had used the flaw in red team engagements as early as January 2025, so the technique has already been exercised against real environments. Microsoft fixed CVE-2026-24291 in the March 2026 Patch Tuesday updates for Windows 10, Windows 11, and Windows Server.

Proof-of-concept exploit code has been published on GitHub, which raises the likelihood that the flaw will be exploited in the wild. Organizations should apply the latest security updates immediately and, as part of their detection strategy, watch for unexpected registry changes (service ImagePath values in particular) and for unusual SYSTEM-level process activity.
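The two registry conditions the write-up turns on, user-writable HKLM accessibility keys and a registry symbolic link planted underneath them, can both be checked from an elevated PowerShell session. The script below is an added example written for this page, not MDSec's tooling or exploit, and it assumes the accessibility key tree under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility as its starting root, because the article does not name the exact keys that users are granted write access to. It audits the ACLs under that root for write rights granted to low-privileged principals, and it opens each key with REG_OPTION_OPEN_LINK so that a symbolic link is reported as a link instead of being silently followed, which is what a normal registry open (and .NET's RegistryKey) would do.

```powershell
# Added example, not MDSec's code: audit accessibility-related HKLM keys for
# (1) write rights granted to low-privileged principals and (2) registry symbolic
# links hiding under them. Assumption: the exact keys are not named in the article,
# so the accessibility key tree is used as the root. Run elevated on 64-bit Windows.
$Roots = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility')

$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a caller plant data or a link, or weaken the key's protection.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'

function Get-LowPrivWritableKeys {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            $acl = Get-Acl -LiteralPath $key.PSPath
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $LowPrivPrincipals -contains $ace.IdentityReference.Value -and
                    ([int]($ace.RegistryRights -band $WriteRights)) -ne 0) {
                    [pscustomobject]@{ Key = $key.Name; Principal = $ace.IdentityReference.Value
                                       Rights = $ace.RegistryRights }
                }
            }
        }
    }
}

# Win32 calls needed to open a link key itself; the .NET RegistryKey API always follows links.
Add-Type -Namespace RegPwnAudit -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegOpenKeyExW(IntPtr hKey, string lpSubKey, uint ulOptions, uint samDesired, out IntPtr phkResult);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryValueExW(IntPtr hKey, string lpValueName, IntPtr lpReserved, out uint lpType, byte[] lpData, ref uint lpcbData);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@

$HKLM                 = [IntPtr]::new([long]0x80000002)
$REG_OPTION_OPEN_LINK = [uint32]0x8   # open the link key, not the key it points to
$KEY_QUERY_VALUE      = [uint32]0x1
$REG_LINK             = [uint32]6

function Get-RegistryLinkTarget {
    # Returns the link target if $SubKey (relative to HKLM) is a registry symbolic link, else $null.
    param([string]$SubKey)
    $h = [IntPtr]::Zero
    if ([RegPwnAudit.Native]::RegOpenKeyExW($HKLM, $SubKey, $REG_OPTION_OPEN_LINK, $KEY_QUERY_VALUE, [ref]$h) -ne 0) {
        return $null
    }
    try {
        $type = [uint32]0; $size = [uint32]0
        # Sizing call: an ordinary key has no SymbolicLinkValue, a link key reports type REG_LINK.
        $null = [RegPwnAudit.Native]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $null, [ref]$size)
        if ($type -ne $REG_LINK -or $size -eq 0) { return $null }
        $buf = New-Object byte[] $size
        if ([RegPwnAudit.Native]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $buf, [ref]$size) -ne 0) {
            return $null
        }
        # The target is a native registry path without a terminator, e.g. \REGISTRY\MACHINE\...
        return [System.Text.Encoding]::Unicode.GetString($buf, 0, [int]$size)
    } finally {
        $null = [RegPwnAudit.Native]::RegCloseKey($h)
    }
}

function Get-RegistryLinks {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        foreach ($key in Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue) {
            $rel = $key.Name -replace '^HKEY_LOCAL_MACHINE\\', ''
            $target = Get-RegistryLinkTarget -SubKey $rel
            if ($target) { [pscustomobject]@{ Link = $key.Name; Target = $target } }
        }
    }
}

'== Keys under the audited roots that low-privileged principals can write to =='
Get-LowPrivWritableKeys -Roots $Roots | Format-Table -AutoSize
'== Registry symbolic links found under the audited roots =='
Get-RegistryLinks -Roots $Roots | Format-Table -AutoSize
```

Read the two tables together: write access by a low-privileged principal is the precondition the article describes, and on its own only tells you the host is a candidate; a symbolic link sitting under one of those writable keys, especially one whose target is a service key, is the artifact an attacker leaves behind while staging the redirected copy and is worth treating as an incident. Because the enumeration itself follows links, a link's apparent children are really the target's children; the link entry in the second table is what identifies the redirection.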