RegPwn: Windows Accessibility Infrastructure Registry Vulnerability Enables Full System Compromise
Microsoft's March 2026 Patch Tuesday addressed a high-severity elevation-of-privilege vulnerability in the Windows Accessibility Infrastructure component, ATBroker.exe, identified as CVE-2026-24291 and publicly dubbed "RegPwn." Discovered and weaponized by the MDSec red team during internal security engagements beginning as early as January 2025, this flaw allows any authenticated, low-privileged user on an affected Windows system to escalate their privileges to full SYSTEM-level access — the highest level of control on a Windows host. Microsoft has rated the vulnerability with a CVSS v3.1 score of 7.8 (HIGH).
The vulnerability stems from an incorrect permission assignment in the Windows Accessibility Infrastructure, classified under CWE-732. When a user launches built-in accessibility tools such as the On-Screen Keyboard or Narrator, Windows creates a per-user registry key granting the low-privileged user full control over that key's contents. An attacker exploits this by modifying their user-level accessibility registry key, inserting an opportunistic lock on a specific system file, and then locking their workstation. When the system attempts to copy the modified accessibility configuration into the HKLM (local machine) registry hive — a SYSTEM-privileged operation — the attacker swaps the target registry key with a symbolic link pointing to an arbitrary, highly-restricted system registry location. Because ATBroker.exe performs the copy operation under SYSTEM context without adequately validating the destination, the attacker achieves arbitrary writes to privileged registry keys, ultimately gaining SYSTEM-level access.
The risk posed by CVE-2026-24291 is compounded by the fact that MDSec publicly released a proof-of-concept exploit on GitHub following disclosure. While there is no currently documented exploitation by external threat actors, the public availability of a working exploit dramatically lowers the barrier for opportunistic attackers, insider threats, and adversaries who have already obtained an initial foothold on a system. Any organization running unpatched Windows 10 (versions 1809, 21H2, or 22H2), Windows 11 (versions 23H2, 24H2, 25H2, or 26H1), or Windows Server 2012 through 2019 should treat this as an urgent remediation priority.
Threats and Vulnerabilities
CVE-2026-24291, with a CVSS v3.1 score of 7.8 (HIGH), is a local privilege escalation vulnerability rooted in a time-of-check to time-of-use (TOCTOU) race condition within the Windows Assistive Technology Registration Broker (ATBroker.exe). The flaw exploits the fact that ATBroker.exe, running as SYSTEM, copies user-controlled registry data into the local machine hive without sufficiently verifying the integrity or authenticity of the destination registry path. By inserting an opportunistic lock and subsequently redirecting the destination to a symbolic link targeting a privileged registry key, an attacker with only standard user credentials can write arbitrary values into areas of the Windows registry that are normally accessible only to SYSTEM or administrative accounts. The resulting access enables an attacker to manipulate security configurations, disable defenses, create new administrative accounts, or stage further attack phases including lateral movement and data exfiltration. Microsoft addressed the vulnerability in the March 10, 2026 Patch Tuesday release by introducing additional integrity and authenticity verification checks in ATBroker's process validation routines. Affected product versions include Windows 10 (1809, 21H2, and 22H2), Windows 11 (23H2, 24H2, 25H2, and 26H1), and Windows Server 2012, 2012 R2, 2016, and 2019.
Client Impact
The operational impact of CVE-2026-24291 is significant for any organization where endpoints run one of the affected Windows versions. An attacker who has obtained a foothold through phishing, credential theft, or any other initial access vector can leverage this vulnerability to immediately escalate to SYSTEM privileges without requiring any additional credentials or administrator interaction. With SYSTEM-level access, an attacker can disable endpoint security tools, extract credentials from memory, exfiltrate sensitive data, install persistent backdoors, and move laterally across the network — dramatically expanding the blast radius of any breach. The public availability of MDSec's proof-of-concept exploit means that even unsophisticated actors can reliably weaponize this technique on unpatched systems.
From a compliance and governance perspective, organizations subject to frameworks such as NIST SP 800-53, CIS Controls, PCI DSS, or ISO 27001 face elevated risk posture if this patch is not applied promptly. Privilege escalation vulnerabilities that bypass access control boundaries directly implicate controls around least privilege, privileged access management, and endpoint hardening. Failure to remediate within vendor-recommended timelines may constitute a compliance deficiency and could increase liability exposure in the event of a breach traced to this vulnerability.
Mitigations
Organizations are strongly advised to take the following actions immediately to reduce exposure to CVE-2026-24291.
1. Apply the March 10, 2026 Microsoft Patch Tuesday security update to all affected Windows 10, Windows 11, and Windows Server systems as the highest-priority remediation step.
2. Prioritize patching for systems where standard user accounts are present alongside sensitive data or where those endpoints are joined to Active Directory environments, as SYSTEM access enables full domain-level credential extraction.
3. Audit endpoint detection and response (EDR) tooling to confirm that ATBroker.exe process activity and registry write operations to HKLM are being logged and monitored for anomalous behavior.
4. Review and enforce least-privilege policies to limit the number of user accounts with local logon access on sensitive or high-value systems, reducing the population of accounts that could leverage this technique.
5. Monitor GitHub and threat intelligence feeds for indicators of CVE-2026-24291 exploit code variants or modifications, as the public MDSec proof-of-concept may be adapted by threat actors.
Organizations that cannot immediately patch should consider implementing compensating controls including enhanced monitoring of registry write operations via Sysmon or equivalent tooling, and restricting execution of accessibility broker components in environments where they are not required.
1898 & Co. Response
1898 & Co. continuously monitors the threat landscape for newly disclosed vulnerabilities affecting enterprise Windows environments and assesses their relevance to client operations. Upon identification of CVE-2026-24291 and the associated RegPwn disclosure, our team evaluated the technical exploitation pathway, the implications of public proof-of-concept availability, and the affected Windows version scope to provide timely and actionable guidance to our clients. Our advisory process ensures that clients receive structured, context-rich briefings aligned with their specific operating environments and risk profiles.
Our Security Operations and Threat Intelligence teams maintain visibility into adversary campaigns and publicly disclosed exploit tools, enabling rapid triage when high-severity vulnerabilities receive broad disclosure as CVE-2026-24291 has. We integrate newly released detection guidance and patch intelligence into our monitoring frameworks, and we work with clients to validate that critical patches have been applied and that compensating controls are in place for systems where immediate patching is not operationally feasible. Our team has experience supporting both the detection engineering and incident response aspects of privilege escalation attacks in enterprise Windows environments.
1898 & Co. provides comprehensive vulnerability management advisory services, including patch prioritization support, EDR tuning, and threat hunt operations targeted at detecting exploitation of disclosed vulnerabilities. Clients seeking assistance with validating their patch posture, deploying detection signatures for CVE-2026-24291, or conducting a threat hunt for indicators of prior exploitation on their Windows estate are encouraged to contact their 1898 & Co. engagement team for immediate support.