A newly discovered vulnerability, dubbed RegPwn, has pulled back the curtain on a significant security gap in the Windows Accessibility Infrastructure. Tracked as CVE-2026-24291, this local elevation of privilege (EoP) flaw allows an attacker with low-level access to completely take over a machine by gaining SYSTEM privileges.
The discovery, reported by security researcher Filip Dragovic, affects a vast range of operating systems, including Windows 10, 11, and every version of Windows Server from 2012 through 2025.
At the heart of RegPwn is the way Windows handles accessibility features like the Narrator or On-Screen Keyboard (osk.exe). These tools are designed to be accessible even on the “Secure Desktop”—the high-security environment you see when you lock your computer or encounter a UAC prompt.
The vulnerability stems from an “incorrect permission assignment for critical resource” within the Windows Accessibility Infrastructure process, ATBroker.exe. When a user interacts with accessibility settings, Windows creates a registry key that, unexpectedly, “grants full control to a low privilege user”.
The exploitation process relies on a chain of registry “copy” operations that occur when a Secure Desktop session is created. Because the system tries to ensure your accessibility preferences follow you to the lock screen, it copies data across different registry hives.
- User Control: A low-privileged user modifies their own accessibility settings in HKEY_CURRENT_USER.
- The High-Privilege Bridge: When the workstation is locked, ATBroker.exe—running as SYSTEM—copies these user-controlled values into a more sensitive area of the registry (HKLM).
- The Redirection: By using registry symbolic links, an attacker can trick the system during this copy process. Instead of writing to an accessibility setting, the system is diverted into overwriting a critical system configuration.
As the report explains:
“As the… registry key is writable by the current user and the configuration values are copied from a user-controlled registry location, this behaviour can be abused to achieve an arbitrary registry key write in the context of SYSTEM“.
To successfully trigger the bug, an attacker uses an “opportunistic lock” (oplock) to win a tiny race condition. Once the lock is triggered, the exploit replaces the target registry key with a symbolic link pointing to a high-value target—such as the ImagePath of a system service like msiserver.
By overwriting this path with their own malicious code and then starting the service, the attacker achieves full execution as SYSTEM. The exploit code for this vulnerability is available here.
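As an added example, not code from the report or from Filip Dragovic's research, the following PowerShell script gives a defender two checks that follow from the description above: an ACL audit that lists keys in an HKLM subtree where a low-privilege principal holds write-type rights (the permission-assignment class at the root of RegPwn), and an integrity check on the msiserver ImagePath, the overwrite target the write-up names. The audit root, the list of low-privilege principals and the expected msiserver command line are assumptions made here, not values from the page; the page does not name the affected key, so adjust the root to the key given in the full advisory. The check goes beyond the single service in the text: any Win32 service can be passed by name with its own expected pattern.

```powershell
# Added defensive audit; not code from the advisory or the researcher.
# Assumptions (not from the page): the audit root below, the principal list,
# and the stock msiserver command line.

$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that let a caller change a key's contents, subkeys or permissions.
$R = [System.Security.AccessControl.RegistryRights]
$WriteRights = $R::SetValue -bor $R::CreateSubKey -bor $R::CreateLink -bor
               $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership

function Get-LowPrivWritableAces {
    <#  Returns one object per Allow ACE that grants a low-privilege principal
        write-type rights on $Key or any key beneath it. Inherited ACEs are
        reported too, because they still apply; the Inherited column shows
        whether the fix belongs on this key or on a parent. #>
    param([Parameter(Mandatory)][string]$Key)

    if (-not (Test-Path -LiteralPath $Key)) { return }
    $targets = @(Get-Item -LiteralPath $Key) +
               @(Get-ChildItem -LiteralPath $Key -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $targets) {
        $acl = Get-Acl -LiteralPath $k.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band [int]$WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Key       = $k.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-ServiceImagePath {
    <#  Compares a service's ImagePath with a regex for its expected stock
        command line. The default pattern is the stock msiserver command on
        Windows 10/11 (an assumption; confirm against a known-good host of
        the same build). AsExpected = $false means the path has drifted. #>
    param(
        [string]$ServiceName = 'msiserver',
        [string]$ExpectedPattern = '^(%systemroot%|C:\\Windows)\\system32\\msiexec\.exe /V$'
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $imagePath = (Get-ItemProperty -LiteralPath $key -Name ImagePath -ErrorAction Stop).ImagePath
    [pscustomobject]@{
        Service    = $ServiceName
        ImagePath  = $imagePath
        AsExpected = [bool]($imagePath -match $ExpectedPattern)
    }
}

# Assumed audit scope: the HKLM accessibility subtree. This is a scope chosen
# for the script, not the key the report refers to.
$AuditRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility'
Get-LowPrivWritableAces -Key $AuditRoot | Format-Table -AutoSize
Test-ServiceImagePath | Format-List
```

Run it from an elevated prompt so every key in the subtree can be read. An empty table from the first check means no low-privilege principal can write under the audited root; any row is worth comparing against a patched host, since the advisory's fix is the Patch Tuesday update rather than a hand-edited ACL. A service whose ImagePath comes back with AsExpected set to false should be treated as a possible tampering indicator and investigated before the service is next started.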
Microsoft addressed this critical flaw in the most recent Patch Tuesday. Security teams are urged to prioritize this update, as the vulnerability carries a CVSS score of 7.8, reflecting the high impact of local privilege escalation.