CVE-2026-35436: Microsoft Office Click-To-Run Privilege Escalation
CVE-2026-35436 is a privilege escalation vulnerability in Microsoft Office Click-To-Run due to insufficient granularity of access control, allowing an authorized attacker to elevate privileges locally.
CVE-2026-35436 is a privilege escalation vulnerability affecting Microsoft Office Click-To-Run. It stems from insufficient granularity of access control, which allows an authorized attacker to elevate their privileges on a local system. An attacker could then perform actions with elevated permissions, potentially leading to unauthorized access to sensitive data, modification of system configurations, or execution of arbitrary code. Microsoft has released a security update to address this vulnerability. The vulnerability has a CVSS v3.1 score of 8.8, indicating high severity.
Attack Chain
- An attacker gains initial access to a system with an authorized, but limited, user account.
- The attacker identifies that the Microsoft Office Click-To-Run component has insufficient access control granularity.
- The attacker leverages this vulnerability to bypass intended access restrictions.
- The attacker manipulates the Click-To-Run component to perform actions normally restricted to higher-privileged users.
- This could involve modifying configuration files or accessing protected system resources.
- The attacker successfully elevates their privileges on the local system.
- With elevated privileges, the attacker can now access sensitive data, install malicious software, or modify system settings.
Impact
Successful exploitation of CVE-2026-35436 allows an attacker to elevate their privileges on a local system running Microsoft Office Click-To-Run. This could result in unauthorized access to sensitive data, modification of critical system configurations, or the installation and execution of malware. Given the wide deployment of Microsoft Office, this vulnerability could have a significant impact on organizations and individuals who do not apply the necessary security updates.
Recommendation
- Apply the security update released by Microsoft to address CVE-2026-35436 immediately.
- Monitor systems for suspicious process executions or configuration changes related to Microsoft Office Click-To-Run, using a process monitoring tool.
- Implement the Sigma rules provided below to detect potential exploitation attempts.
Detection coverage (2 rules)
Detect CVE-2026-35436 Exploitation Attempt - Office Click-To-Run Privilege Escalation
Severity: high. Detects potential exploitation of CVE-2026-35436 by monitoring for suspicious process executions related to Microsoft Office Click-To-Run with unusual parent processes.
Detect CVE-2026-35436 - Unauthorized Modification of Office Click-To-Run Configuration
Severity: medium. Detects unauthorized modifications to Microsoft Office Click-To-Run configuration files, potentially indicating CVE-2026-35436 exploitation.
Detection queries are available on the platform.
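The parent-process check described in the first detection above, sketched as an added example; it is not the platform's Sigma rule or Microsoft's code. The image names and both allowlists are assumptions to tune against your own baseline, and the events are constructed samples using Sysmon Event ID 1 field names.

```python
from ntpath import basename  # parses Windows paths on any OS

# Assumptions to tune per environment (none of these come from the advisory).
C2R_IMAGE = "officeclicktorun.exe"
EXPECTED_PARENTS = {"services.exe", "officeclicktorun.exe"}
EXPECTED_CHILDREN = {"officeclicktorun.exe", "officec2rclient.exe"}

C2R_DIR = r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun"

# Constructed process-creation events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": C2R_DIR + r"\OfficeClickToRun.exe"},
    {"User": r"NT AUTHORITY\SYSTEM", "ParentImage": C2R_DIR + r"\OfficeClickToRun.exe",
     "Image": C2R_DIR + r"\OfficeC2RClient.exe"},
    {"User": r"CORP\alice", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": C2R_DIR + r"\OfficeClickToRun.exe"},
    {"User": r"NT AUTHORITY\SYSTEM", "ParentImage": C2R_DIR + r"\OfficeClickToRun.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"User": r"CORP\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]


def _name(path):
    """Lower-cased file name of a Windows path; empty string if missing."""
    return basename(path or "").lower()


def triage(event):
    """Return a finding string for one process-creation event, or None."""
    image = _name(event.get("Image"))
    parent = _name(event.get("ParentImage"))
    if image == C2R_IMAGE and parent not in EXPECTED_PARENTS:
        return f"unusual parent {parent!r} started {image}"
    if parent == C2R_IMAGE and image not in EXPECTED_CHILDREN:
        return f"{parent} started unexpected child {image!r}"
    return None


def scan(events):
    """Return (user, finding) pairs for every event that triage() flags."""
    return [(e.get("User", "?"), f) for e in events if (f := triage(e))]


if __name__ == "__main__":
    for user, finding in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {user}: {finding}")
```

Baseline the allowlists from a few weeks of your own process-creation telemetry before alerting on them, since installers and update tasks can legitimately appear as parents or children.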