CVE-2026-40420 - Microsoft Office Click-To-Run Improper Access Control Vulnerability
CVE-2026-40420 is an improper access control vulnerability in Microsoft Office Click-To-Run allowing an authorized attacker to elevate privileges locally.
CVE-2026-40420 is an improper access control vulnerability affecting Microsoft Office Click-To-Run. An authorized attacker who successfully exploits this vulnerability can elevate their privileges on the local system. The vulnerability stems from insufficient checks on user permissions during certain operations within the Click-To-Run component. Successful exploitation would allow the attacker to perform actions with higher privileges than intended, potentially leading to system compromise. This vulnerability impacts systems running vulnerable versions of Microsoft Office Click-To-Run. Defenders should apply the patch released by Microsoft to mitigate this risk.
Attack Chain
- An attacker gains initial access to the system with standard user privileges.
- The attacker identifies a vulnerable function within Microsoft Office Click-To-Run that is susceptible to improper access control.
- The attacker crafts a malicious payload or exploits a specific API call within Click-To-Run.
- The crafted payload bypasses the insufficient access control checks.
- The Click-To-Run component executes the attacker’s payload with elevated privileges.
- The attacker leverages the elevated privileges to perform unauthorized actions on the local system.
- The attacker escalates privileges further to gain SYSTEM-level access.
- The attacker can then install software, modify data, or create new accounts with full administrative rights.
Impact
Successful exploitation of CVE-2026-40420 allows a local attacker to elevate privileges on a vulnerable system. This can lead to complete system compromise, including unauthorized data access, modification, or deletion, as well as the installation of malicious software. The vulnerability affects any system running a vulnerable version of Microsoft Office Click-To-Run.
Recommendation
- Apply the security update provided by Microsoft to address CVE-2026-40420 as soon as possible; reference the Microsoft advisory for CVE-2026-40420.
- Monitor process creations for unusual child processes spawned by Office Click-To-Run processes to identify potential privilege escalation attempts using the “Office Click-To-Run Suspicious Child Process” Sigma rule.
- Enable process creation auditing to ensure that the relevant logs are available for detection and investigation.
Detection coverage (2 rules)
Office Click-To-Run Suspicious Child Process (severity: high)
Detects suspicious child processes spawned by Office Click-To-Run processes, which may indicate privilege escalation attempts related to CVE-2026-40420.
Detect Office Click-To-Run elevated process creation (severity: medium)
Detects Office Click-To-Run creating processes as SYSTEM, indicating potential privilege escalation related to CVE-2026-40420.
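The two detections above and the monitoring recommendation, as an added example that is not the platform's Sigma rules or Microsoft's code: a small evaluator that applies the "suspicious child process" and "process created as SYSTEM" logic to constructed Sysmon-style process-creation (Event ID 1) records. The Click-To-Run image name, the Sysmon field names and the list of unusual child images are assumptions to tune for your environment.

```python
# Added example: the two Click-To-Run process-creation detections
# evaluated over constructed Sysmon-style Event ID 1 records.
# C2R_IMAGE, the field names and SUSPICIOUS_CHILDREN are assumptions.
C2R_IMAGE = "officeclicktorun.exe"  # assumed Click-To-Run service binary
SYSTEM_USER = "nt authority\\system"
# Child images an Office updater service rarely needs; treated as unusual.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
    "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}
RULE_CHILD = ("Office Click-To-Run Suspicious Child Process", "high")
RULE_SYSTEM = ("Detect Office Click-To-Run elevated process creation", "medium")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (bare names work too)."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the (rule name, severity) pairs that match one record."""
    hits = []
    if _basename(event.get("ParentImage", "")) != C2R_IMAGE:
        return hits  # both rules require a Click-To-Run parent process
    if _basename(event.get("Image", "")) in SUSPICIOUS_CHILDREN:
        hits.append(RULE_CHILD)
    if event.get("User", "").lower() == SYSTEM_USER:
        hits.append(RULE_SYSTEM)
    return hits


def scan(events: list) -> list:
    """Evaluate every record; return (ProcessId, rule, severity) tuples."""
    return [(e["ProcessId"], r, s) for e in events for r, s in evaluate(e)]


C2R_DIR = "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\"
# Constructed sample telemetry, not real events from any system.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": C2R_DIR + "OfficeClickToRun.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"ProcessId": 4120, "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": C2R_DIR + "OfficeClickToRun.exe",
     "Image": C2R_DIR + "OfficeC2RClient.exe"},
    {"ProcessId": 4150, "User": "LAB\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The first record trips both rules, the second only the SYSTEM rule, and the third neither, because its parent is not Click-To-Run.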