iPurple Team's research shows that the SpeechRuntime.exe component, which is responsible for Windows speech recognition, can be abused to execute code in another user's context. With elevated privileges, an attacker can trigger command execution in an interactive session through a COM object — a technique known as Cross Session Activation.

Exploitation requires local access and sufficient permissions to interact with other users' sessions. As a result, the attacker can execute arbitrary code in the context of the active user, enabling low‑noise lateral movement within the domain.

📎 Article: https://ipurple.team/2026/04/07/microsoft-speech/

🛠 Tool: https://github.com/rtecCyberSec/SpeechRuntimeMove

💬 Discuss

Lateral Movement via Windows SpeechRuntime