James Forshaw

**Name of the Vulnerable Software and Affected Versions** Windows versions (affected versions not specified) **Description** A flaw exists in the Winlogon login program of Windows operating systems related to incorrect handling of symbolic links during file access. Exploitation of this issue could allow an attacker to elevate their privileges. The issue involves improper link resolution before file access ('link following') in Winlogon, potentially allowing an authorized attacker to gain elevated privileges locally. Reports indicate a low-privilege attacker can achieve SYSTEM-level access without user interaction. This is considered a significant post-exploitation pathway. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows Accessibility Infrastructure (ATBroker.exe) (affected versions not specified) **Description** The issue concerns the insufficient protection of sensitive data within the Windows Accessibility Infrastructure (ATBroker.exe). Successful exploitation could allow an unauthorized actor to disclose information locally. The vulnerability allows attackers to obtain sensitive information and affect the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows versions prior to March 10, 2026 Patch Tuesday **Description** An improper permission assignment within the Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized attacker to elevate privileges locally. The issue stems from insecure registry permissions, enabling a local user to overwrite values and execute arbitrary code with SYSTEM privileges. This flaw, dubbed "RegPwn" (CVE-2026-24291), targets accessibility features like the On-Screen Keyboard and Narrator. The vulnerability was exploited in Red Team engagements since January 2025. Exploitation involves manipulating a writable registry key associated with accessibility features, swapping it with a symbolic link pointing to a restricted system registry location. This allows the attacker to write arbitrary values to protected areas, ultimately gaining SYSTEM-level access. The vulnerability affects Windows 10, Windows 11, and Windows Server 2016/2019/2022. **Recommendations** Apply the March 10, 2026 Patch Tuesday update to address this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows (affected versions not specified) **Description** Improper access control in the Windows SMB Client, specifically within the `mrxsmb.sys` driver, allows an authorized or unauthenticated remote attacker to elevate privileges. The issue stems from weaknesses in authentication relaying, including NTLM reflection and Reflective Kerberos Relay attacks. Attackers can use authentication coercion techniques, such as forcing a request to a UNC path, to make a host connect to a malicious system. By manipulating `CREDENTIAL TARGET INFORMATIONW` and removing NTLM capabilities from SPNEGO to force Kerberos usage, an attacker can relay a Kerberos ticket back to the same host. This process allows the attacker to gain a session as the computer account (`DOMAINMACHINE$`) and ultimately escalate privileges to `NT AUTHORITYSYSTEM`, granting full control over the compromised device. Exploitation can occur via standard RPC and SMB services and may be triggered through social engineering or drive-by downloads. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows (affected versions not specified) **Description** The issue is related to an elevation-of-privilege vulnerability in the Windows Kernel, which is associated with insufficient access control. This vulnerability can be exploited by an attacker to elevate their privileges. The vulnerability is related to the File History Service and involves the `fhsvc.dll` and `CManagerThread::QueueBackupForLoggedOnUser`. It allows local Windows users to escalate privileges. The vulnerability was discovered by an independent researcher with SSD Secure Disclosure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intel(R) Xeon(R) Processors (affected versions not specified) **Description** The issue concerns incorrect default permissions in some memory controller configurations for Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions. This may allow a privileged user to potentially enable escalation of privilege via local access. The vulnerability is related to Intel Microcode and is associated with default permission settings. Exploitation of the vulnerability could allow an attacker to access confidential data, compromise data integrity, and cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows HTTP.sys (affected versions not specified) **Description** The issue is related to an elevation-of-privilege vulnerability in the Windows HTTP.sys driver, which is associated with insufficient access restrictions. Exploitation of this issue may allow an attacker to elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows (affected versions not specified) **Description** The issue is related to errors in privilege management in the implementation of the Kerberos protocol in Windows operating systems. It allows a remote attacker to elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows Kerberos (affected versions not specified) **Description** The issue is related to errors in privilege management in the implementation of the Kerberos protocol in Windows operating systems. It allows a remote attacker to elevate their privileges. There is no information about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows Defender (affected versions not specified) **Description** The issue is related to a buffer overflow in memory, which can be exploited to elevate privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows Defender (affected versions not specified) **Description** The issue is related to errors in security settings, which can allow an attacker to bypass security restrictions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows Defender (affected versions not specified) **Description** The issue is related to a lack of protection for service data in Windows Defender, which could allow an attacker to gain unauthorized access to a device. It enables attackers to obtain sensitive information and affect the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows Defender (affected versions not specified) **Description** The issue is related to insufficient access restrictions in Windows Defender, which is part of the Windows operating system. This can allow an attacker to elevate their privileges. There is no information provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows Defender (affected versions not specified) **Description** The issue is related to insufficient access control in Windows Defender, which is part of the Windows operating system. It allows an attacker to elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows Defender (affected versions not specified) **Description** The issue is related to a security feature bypass in Windows Defender, allowing attackers to bypass the Kerberos authentication procedure. This could potentially enable an attacker to affect the system. The vulnerability is associated with errors in security settings. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows Defender (affected versions not specified) **Description** The issue is related to a lack of protection for sensitive data in Windows Defender, which could allow an attacker to obtain unauthorized access to protected information. This could potentially lead to the disclosure of sensitive information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows (affected versions not specified) **Description** The issue is related to an elevation-of-privilege vulnerability in Windows Credential Guard, which is associated with insecure privilege management. This vulnerability can be exploited to allow an attacker to elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows (affected versions not specified) **Description** The issue is related to the implementation of the Kerberos protocol in Windows operating systems, specifically due to insufficient access restrictions. This allows a remote attacker to potentially elevate their privileges. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows Local Security Authority Subsystem Service (LSASS) (affected versions not specified) **Description** The issue is related to insufficient access control in the Local Security Authority Subsystem Service (LSASS) of Windows operating systems. It allows an attacker to elevate their privileges. The vulnerability can be exploited to affect the system. There is an estimated elevation-of-privilege vulnerability that allows attackers to impact the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows (affected versions not specified) **Description** The issue is related to the implementation of the Kerberos protocol in Windows, specifically due to insufficient input validation. This allows a remote attacker to potentially execute arbitrary code, affecting the system. The vulnerability can be exploited by a remote attacker, leading to a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.