CVE-2024-26242
📋 TL;DR
CVE-2024-26242 is an elevation of privilege vulnerability in Windows Telephony Server that allows authenticated attackers to gain SYSTEM-level privileges. This affects Windows systems with the Telephony service enabled. Attackers need local access to exploit this vulnerability.
💻 Affected Systems
- Windows Telephony Server
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could execute arbitrary code with SYSTEM privileges, enabling complete system compromise, persistence installation, credential theft, and lateral movement.
Likely Case
An authenticated attacker could escalate privileges from a standard user account to SYSTEM, bypassing security controls and gaining full control over the affected system.
If Mitigated
With proper access controls and network segmentation, the impact is limited to the compromised host, though SYSTEM access still enables significant damage on that system.
🎯 Exploit Status
Requires local authenticated access. Exploitation likely involves calling vulnerable Telephony Server APIs with crafted parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: April 2024 security updates (KB5036893 for Windows 10, KB5036892 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26242
Restart Required: Yes
Instructions:
1. Apply April 2024 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS, SCCM, or Intune. 3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable Telephony Service
windowsDisables the vulnerable Telephony Server service to prevent exploitation
sc config TapiSrv start= disabled
sc stop TapiSrv
🧯 If You Can't Patch
- Implement strict access controls to limit who can log into affected systems
- Monitor for suspicious Telephony Server service activity and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check if Telephony service is running: sc query TapiSrv | findstr RUNNINGCheck Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify April 2024 security updates are installed: wmic qfe list | findstr KB503689📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with Telephony Server process creation
- Unexpected SYSTEM privilege acquisition by user processes
- Telephony service crash or unexpected behavior
Network Indicators:
- None - this is a local privilege escalation
SIEM Query:
EventID=4688 AND (NewProcessName:*tapisrv* OR ParentProcessName:*tapisrv*)