PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-20931 Microsoft CVE debrief

A privilege escalation vulnerability in the Windows Telephony Service allows an authorized attacker with local access and adjacent network positioning to elevate privileges. The flaw stems from external control of file name or path (CWE-73), enabling a low-privileged attacker to achieve high-impact confidentiality, integrity, and availability compromises without user interaction. The vulnerability affects a broad range of Windows client and server operating systems, including legacy versions such as Windows Server 2008 and 2012 that no longer receive standard security updates. Microsoft has released patches addressing this vulnerability, with build numbers specified for supported versions. The CVSS 3.1 score of 8.0 reflects the high severity due to the potential for complete system compromise combined with relatively low attack complexity. Organizations should prioritize patching, particularly on systems where the Telephony Service is enabled and where adjacent network attackers may be present.

Vendor
Microsoft
Product
Windows 10 Version 1607
CVSS
HIGH 8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-13
Original CVE updated
2026-05-26
Advisory published
2026-01-13
Advisory updated
2026-05-26

Who should care

System administrators managing Windows endpoints and servers, security teams responsible for patch management programs, organizations with legacy Windows Server infrastructure, and defenders monitoring for privilege escalation activity in Windows environments.

Technical summary

The Windows Telephony Service contains a path traversal vulnerability allowing external control of file names or paths. An attacker with low privileges and adjacent network access can exploit this to execute arbitrary code with elevated privileges. The vulnerability affects Windows 10 versions 1607 through 22H2, Windows 11 versions 23H2 through 25H2, and Windows Server versions from 2008 through 2025. Attack complexity is low and no user interaction is required. The vulnerability is particularly concerning for legacy server versions that may require manual patching procedures.

Defensive priority

high

Recommended defensive actions

  • Apply Microsoft security updates for affected Windows versions, ensuring systems reach the specified build numbers or later
  • Review and restrict Telephony Service usage on systems where not required for business operations
  • Implement network segmentation to limit adjacent network attack vectors
  • Prioritize patching for Windows Server 2008, 2012, and other legacy systems that may lack automatic update mechanisms
  • Monitor for anomalous Telephony Service process activity and unexpected privilege escalations
  • Consult Microsoft Security Response Center guidance for deployment prioritization in enterprise environments

Evidence notes

The vulnerability is classified under CWE-73 (External Control of File Name or Path). Affected product versions are identified through NVD CPE criteria with specific build number cutoffs for patched versions. The CVSS vector indicates attack vector is adjacent network (AV:A), attack complexity is low (AC:L), privileges required are low (PR:L), no user interaction needed (UI:N), and scope is unchanged (S:U) with high impact across confidentiality, integrity, and availability (C:H/I:H/A:H).

Official resources

Microsoft disclosed this vulnerability on January 13, 2026, with subsequent modifications to the advisory on May 26, 2026. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog as of the source data date.