Micropatches released for Windows Telephony Service Elevation of Privilege Vulnerability (CVE-2026-20931)

SecurityVulns

January 2026 Windows Updates brought a patch for CVE-2026-20931, a privilege escalation in Windows Telephony Service that allowed a low-privileged attacker (local, or remote if the service is so configured) to promote themselves to a service administrator and then have the service execute their malicious code. The vulnerability was found and reported to Microsoft by Sergey Bliznyuk with Positive Technologies, who also published a detailed technical article that allowed us to reproduce the issue and create patches for legacy Windows users.
The Vulnerability

In short, the vulnerability is caused by a missing security check to ensure that the path the user wants to write to is actually a mailslot path and not a path on the file system. As a result, a local unprivileged user (or a remote one, if so configured) can overwrite any file writable by Network Service with arbitrary content. An obvious candidate for this is the Telephony Service's own tsec.ini file, which, among other things, defines service administrators. By overwriting this file, the attacker can turn themselves into a Telephony Service administrator and then have the service execute their malicious DLL using the newly-acquired power.

Microsoft's Patch

Microsoft patched this issue by adding a check to ensure the user-requested path actually represents a mailslot.

Our Patch

Our patch is logically identical to Microsoft's.

Let's see our patch in action. First, with 0patch disabled, a low-privileged user runs the attack tool that instructs the Telephony Service to overwrite tsec.ini with some content (we used "test" for demonstration purposes). The attack succeeds. With 0patch enabled, however, the file can no longer be overwritten.
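To show what "ensure the path is actually a mailslot" has to cover, here is an added illustration of such a check. It is written for this write-up and is not Microsoft's or 0patch's code, nor the Telephony Service's real path handling: an allowlist that accepts only paths of the form \\<server>\mailslot\<name> and rejects anything Win32 path handling could turn into a file system location, including the \\?\ prefix and "." / ".." components, which normalisation would otherwise use to walk out of the mailslot namespace. The mailslot names and the tsec.ini path in the samples are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist check of the kind the fix needs (illustration
 * for this post, not Microsoft's or 0patch's code).  Accepts only
 * \\<server>\mailslot\<name>, where <server> is "*" (broadcast) or a
 * host name such as ".", and <name> contains no traversal components. */

static bool is_sep(char c)
{
    /* Win32 accepts '/' as a path separator, so treat both alike. */
    return c == '\\' || c == '/';
}

static bool is_server_char(char c)
{
    /* Host-name characters only: this rejects the "\\?\" prefix, which
     * disables path normalisation, and other device-namespace tricks. */
    return isalnum((unsigned char)c) || c == '-' || c == '_' || c == '.';
}

/* Case-insensitive comparison of a fixed-length path component. */
static bool component_is(const char *s, size_t len, const char *word)
{
    if (strlen(word) != len)
        return false;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)word[i]))
            return false;
    return true;
}

bool is_mailslot_path(const char *path)
{
    if (path == NULL || !is_sep(path[0]) || !is_sep(path[1]))
        return false;                         /* not a UNC / device path */

    /* Server component. */
    const char *p = path + 2;
    const char *server = p;
    while (*p != '\0' && !is_sep(*p))
        p++;
    size_t server_len = (size_t)(p - server);
    if (server_len == 0 || *p == '\0')
        return false;
    if (!(server_len == 1 && server[0] == '*'))
        for (size_t i = 0; i < server_len; i++)
            if (!is_server_char(server[i]))
                return false;

    /* Next component must be the literal "mailslot". */
    p++;
    const char *share = p;
    while (*p != '\0' && !is_sep(*p))
        p++;
    if (!component_is(share, (size_t)(p - share), "mailslot") || *p == '\0')
        return false;

    /* Remaining components form the mailslot name: every component must be
     * non-empty, must not be "." or "..", and must not contain ':' (drive
     * letters, alternate data streams). */
    p++;
    for (;;) {
        const char *comp = p;
        while (*p != '\0' && !is_sep(*p)) {
            if (*p == ':')
                return false;
            p++;
        }
        size_t len = (size_t)(p - comp);
        if (len == 0 || component_is(comp, len, ".") || component_is(comp, len, ".."))
            return false;
        if (*p == '\0')
            return true;
        p++;                                  /* skip separator; an empty
                                                 trailing component fails above */
    }
}

int main(void)
{
    /* Constructed sample inputs: a legitimate mailslot, a plain file path,
     * and a mailslot-looking path that normalisation would turn into one. */
    const char *samples[] = {
        "\\\\.\\mailslot\\tapisrv_events",
        "C:\\Windows\\tsec.ini",
        "\\\\.\\mailslot\\..\\C:\\Windows\\tsec.ini",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s %s\n", samples[i],
               is_mailslot_path(samples[i]) ? "mailslot" : "REJECT");
    return 0;
}
```

The point of the allowlist shape is that a denylist ("reject paths starting with a drive letter") is exactly what the traversal sample defeats: the path begins with \\.\mailslot\ and only becomes C:\Windows\tsec.ini after normalisation collapses the ".." component.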
Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

Windows Server 2008 R2 – fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
Windows Server 2012 – fully updated with no ESU or ESU 1
Windows Server 2012 R2 – fully updated with no ESU or ESU 1

Even though the Telephony Service exists on Windows 11, Windows 10 and Windows 7, we were unable to exploit this vulnerability there.

Micropatches have already been distributed to, and applied on, all
affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers, and you won't even have to know or care about these things.

We'd like to thank Sergey Bliznyuk with Positive Technologies for sharing their detailed article, which allowed us to create patches for Windows versions that are no longer receiving official updates from Microsoft.

If you're new to 0patch, create a free account
in 0patch Central,
start a free trial, then install and register 0patch Agent. Everything
else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support in October 2025, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.

To learn more about 0patch, please visit our Help Center.

0patch Blog