For over a year, a critical vulnerability in the Windows accessibility features allowed attackers to gain full control of the operating system. The flaw was hidden in the On-Screen Keyboard and affected virtually all supported versions of Windows.
Security researchers at MDSec recently disclosed the privilege escalation bug, which they named “RegPwn” internally. Their team had been using it in Red Team engagements since January 2025 while keeping the finding private. A fix only shipped in the March security update for Windows. The issue is believed to be tracked as CVE-2026-24291.
The vulnerability affected Windows 10 and Windows 11, as well as a broad range of server editions, including Windows Server 2012, 2016, 2019, 2022, and 2025.
The root cause lies in the Windows Ease of Access features, which are designed to help users with physical limitations use the system. They include Narrator, the On-Screen Keyboard, and other tools. The settings for these features are stored in the Windows Registry.
When a user launches, for example, the On-Screen Keyboard, the operating system creates a registry key holding the application’s settings and grants the unprivileged user permission to modify the data stored there. At logon, Windows copies these settings from the user’s part of the registry into the protected system hive. This copy is performed by the winlogon process.
The accessibility tool itself is started in the user’s context, but it runs at an elevated integrity level, granted by a dedicated accessibility flag. On its face, this design looks secure. The critical flaw appears, however, during the transition to the Secure Desktop.
The Secure Desktop is created when, for example, a user locks the workstation or starts an application that requests administrative privileges. Only trusted processes running with full system privileges may operate inside it; ordinary user processes are excluded.
When the Secure Desktop is created, two atbroker.exe processes are started. One runs as the user, the other as the SYSTEM account. First, the user-level process again copies the accessibility settings from the user’s registry hive into the system location. Then the SYSTEM-level process copies these values further, into the specific registry key used by the On-Screen Keyboard.
After this sequence, osk.exe is launched with SYSTEM privileges. The On-Screen Keyboard reads the settings again and writes the values back into the system registry hive, a key that, fatally, remains writable by an unprivileged user.
This chain opens a practical exploitation path. Because the user controls the source registry key, they can replace the target key with a maliciously crafted registry symbolic link. As a result, the highly privileged SYSTEM process is tricked into writing data into an arbitrary registry key chosen by the attacker.
To exploit the bug, an attacker only needs to win the short race window between the launch of the On-Screen Keyboard and the final write of the data. To time the operation, the attacker places an opportunistic lock (oplock) on oskmenu.xml. The moment the system tries to access that file, the attacker swaps the system registry key for a symbolic link pointing at their chosen target.
In their proof-of-concept, the researchers overwrote the ImagePath value of the msiserver service and then started the service through an MSI COM object. The operating system executed the attacker-specified path as SYSTEM, handing the attacker full control of the machine.
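As an added defender-side check, not taken from the MDSec research or this article, the following PowerShell script audits the ImagePath of the msiserver service, the value the proof-of-concept is reported to have overwritten, and verifies the binary it points to. It assumes the stock default value `%systemroot%\system32\msiexec.exe /V` and the standard Services key path; run it from an elevated PowerShell.

```powershell
# Added defender-side check (not from MDSec or the original article):
# audit the msiserver service's ImagePath, the value the RegPwn PoC
# is reported to have overwritten, and verify the binary it points to.
# ASSUMPTION: the stock default ImagePath is '%systemroot%\system32\msiexec.exe /V'.
param(
    [string]$ServiceName   = 'msiserver',
    [string]$ExpectedImage = '%systemroot%\system32\msiexec.exe /V'
)

$key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$actual = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction Stop).ImagePath

# Compare case-insensitively after expanding environment variables on both
# sides, so a value differing only in %SystemRoot% spelling is not flagged.
$expandedActual   = [Environment]::ExpandEnvironmentVariables($actual)
$expandedExpected = [Environment]::ExpandEnvironmentVariables($ExpectedImage)
$matchesDefault   = $expandedActual -ieq $expandedExpected

# Pull the executable (quoted or unquoted) out of the service command line.
if ($expandedActual -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
else { $exe = ($expandedActual -split '\s+')[0] }

# The binary must live under System32 and carry a valid Microsoft signature;
# a path outside System32 or an unsigned/foreign binary is the tampering signal.
$system32   = Join-Path $env:SystemRoot 'System32'
$inSystem32 = $exe.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
$sig        = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
$signedOk   = [bool]($sig -and $sig.Status -eq 'Valid' -and
                     $sig.SignerCertificate.Subject -like '*Microsoft*')

$verdict = if ($matchesDefault -and $inSystem32 -and $signedOk) { 'OK' } else { 'INVESTIGATE' }

[pscustomobject]@{
    Service         = $ServiceName
    ImagePath       = $actual
    MatchesDefault  = $matchesDefault
    InSystem32      = $inSystem32
    MicrosoftSigned = $signedOk
    Verdict         = $verdict
}
```

A verdict of INVESTIGATE does not by itself prove exploitation (legitimate third-party tooling occasionally rewrites service paths), but an ImagePath pointing outside System32 on an unpatched host is worth correlating with recent osk.exe or atbroker.exe activity in the endpoint telemetry.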
The fix for RegPwn shipped in the March Windows security update. With the patch applied, the copy sequence described above no longer allows arbitrary values to be written into the protected system registry.