{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/accessibility/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["registry","symlink","race-condition","accessibility","privilege-escalation","persistence","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRegPwnBOF is an exploit leveraging a registry symlink race condition within the Windows Accessibility ATConfig mechanism. This vulnerability allows an unprivileged user to manipulate protected areas of the registry, specifically HKLM, which are typically reserved for administrators or system processes. By exploiting this race condition, an attacker can write arbitrary values to these protected keys. The initial report surfaced around March 2026, highlighting the potential for unauthorized persistence and privilege escalation. This circumvents standard Windows security controls, posing a significant risk to system integrity and confidentiality. The exploit\u0026rsquo;s accessibility to non-administrator users makes it particularly dangerous in environments where least-privilege principles are not strictly enforced.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged user initiates the ATConfig mechanism within the Windows Accessibility features.\u003c/li\u003e\n\u003cli\u003eThe exploit creates a registry symlink pointing to a protected HKLM key.\u003c/li\u003e\n\u003cli\u003eA race condition is triggered during the ATConfig process, allowing the exploit to bypass security checks.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this race condition to overwrite the target HKLM registry key with arbitrary data.\u003c/li\u003e\n\u003cli\u003eThe modified registry key is used to establish persistence, for example, by creating a Run key.\u003c/li\u003e\n\u003cli\u003eUpon system restart or user login, the malicious payload associated with the modified Run key is executed.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges by executing code within the context of a privileged process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of RegPwnBOF allows an attacker to gain persistent access to a compromised system and escalate their privileges to administrator level. This can lead to complete system compromise, data theft, and the installation of malware. The impact is magnified by the fact that this exploit can be triggered by a normal user, bypassing traditional access controls. The number of potential victims is considerable, as the vulnerability exists within the Windows Accessibility features, which are enabled by default on many systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications targeting HKLM keys, especially those related to Accessibility features, using a process_creation log source and the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and least-privilege principles to limit the ability of unprivileged users to interact with system-level configurations.\u003c/li\u003e\n\u003cli\u003eInvestigate any unusual registry symlink creation events using file_event logs, particularly those involving the ATConfig mechanism, to identify potential RegPwnBOF exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T05:23:44Z","date_published":"2026-03-19T05:23:44Z","id":"/briefs/2024-01-regpwnbof/","summary":"RegPwnBOF exploits a registry symlink race condition in the Windows Accessibility ATConfig mechanism, enabling a normal user to write arbitrary values to protected HKLM registry keys for persistence and privilege escalation.","title":"RegPwnBOF Registry Symlink Race Condition Exploit","url":"https://feed.craftedsignal.io/briefs/2024-01-regpwnbof/"}],"language":"en","title":"CraftedSignal Threat Feed — Accessibility","version":"https://jsonfeed.org/version/1.1"}