CVE-2026-20931

Q: What is the severity of CVE-2026-20931?

CVE-2026-20931 has a CVSS score of 8.0 (HIGH). This vulnerability in Windows Telephony Service allows an authorized attacker on the same network to manipulate file paths, potentially leading to privilege escalation. It affects Windows systems with the Telephony Service enabled. Attackers can leverage this to gain higher privileges on compromised systems.

8.0 HIGH

📋 TL;DR

This vulnerability in Windows Telephony Service allows an authorized attacker on the same network to manipulate file paths, potentially leading to privilege escalation. It affects Windows systems with the Telephony Service enabled. Attackers can leverage this to gain higher privileges on compromised systems.

💻 Affected Systems

Products:

Windows Telephony Service

Versions: Specific versions to be confirmed via Microsoft advisory

Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Requires Telephony Service to be enabled and running. Many enterprise environments may have this service disabled by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with administrative privileges, enabling lateral movement across the network and data exfiltration.

🟠

Likely Case

Local privilege escalation allowing attackers to execute arbitrary code with elevated permissions on affected systems.

🟢

If Mitigated

Limited impact with proper network segmentation and least privilege principles in place.

🌐 Internet-Facing: LOW - Requires network adjacency and authorized access, not directly exploitable from the internet.

🏢 Internal Only: HIGH - Exploitable by authorized internal users or compromised internal systems on the same network segment.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires authorized network access and knowledge of vulnerable systems. Exploitation involves manipulating file paths to achieve privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: To be determined from Microsoft's monthly security updates

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20931

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft. 2. Restart affected systems. 3. Verify the patch is installed via Windows Update history.

🔧 Temporary Workarounds

Disable Windows Telephony Service

windows

Disables the vulnerable service if not required for business operations

sc config TapiSrv start= disabled
sc stop TapiSrv

Network Segmentation

all

Restrict network access to systems running Telephony Service

🧯 If You Can't Patch

Implement strict network segmentation to isolate systems with Telephony Service
Apply principle of least privilege and monitor for unauthorized service modifications

🔍 How to Verify

Check if Vulnerable:

Check if Telephony Service is running: sc query TapiSrv | findstr STATE

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update KB number for CVE-2026-20931 is installed via: wmic qfe list | findstr KB

📡 Detection & Monitoring

Log Indicators:

Unexpected Telephony Service restarts
Unauthorized file path modifications in Telephony Service logs
Security event logs showing privilege escalation attempts

Network Indicators:

Unusual network traffic to/from Telephony Service ports
Lateral movement attempts from systems running Telephony Service

SIEM Query:

EventID=4688 AND ProcessName="*TapiSrv*" AND CommandLine="*..\\*" OR EventID=4697 AND ServiceName="TapiSrv"

📊 Metadata

CVE ID: CVE-2026-20931

CVSS v3 Score: 8.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-73

EPSS Score: 2.22% exploit probability (84.1th percentile)

Published: January 13, 2026

Last Updated: January 16, 2026

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20931 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows 11 25h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Windows Telephony Service

Network Segmentation

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities