📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
About FAQ Contact Us Terms of Service Privacy Policy 🌐 العربية
🔐

Welcome — Sign in or create an account for full access.

🔑 Sign In ✨ Register
🌐 العربية Sign In Create Account
🔧 Scheduled Maintenance — Saturday 2:00-4:00 AM AST. Some features may be temporarily unavailable.    ●   
💎
Pro Plan 50% Off Unlock all AI features, unlimited reports, and priority support. Upgrade
Search Center
ESC to close
navigate open Ctrl+K search
CISO Consulting
Global apt Government/Critical Infrastructure CRITICAL 1h Global vulnerability Enterprise Software / Data Analytics CRITICAL 2h Global vulnerability Artificial Intelligence and Technology HIGH 5h Global general Technology and Artificial Intelligence MEDIUM 9h Global general Technology and Artificial Intelligence HIGH 10h Global vulnerability Higher Education CRITICAL 19h Global data_breach Government HIGH 20h Global supply_chain Software Development and Open Source Communities CRITICAL 20h Global malware Software Development CRITICAL 20h Global phishing Multiple Sectors HIGH 20h Global apt Government/Critical Infrastructure CRITICAL 1h Global vulnerability Enterprise Software / Data Analytics CRITICAL 2h Global vulnerability Artificial Intelligence and Technology HIGH 5h Global general Technology and Artificial Intelligence MEDIUM 9h Global general Technology and Artificial Intelligence HIGH 10h Global vulnerability Higher Education CRITICAL 19h Global data_breach Government HIGH 20h Global supply_chain Software Development and Open Source Communities CRITICAL 20h Global malware Software Development CRITICAL 20h Global phishing Multiple Sectors HIGH 20h Global apt Government/Critical Infrastructure CRITICAL 1h Global vulnerability Enterprise Software / Data Analytics CRITICAL 2h Global vulnerability Artificial Intelligence and Technology HIGH 5h Global general Technology and Artificial Intelligence MEDIUM 9h Global general Technology and Artificial Intelligence HIGH 10h Global vulnerability Higher Education CRITICAL 19h Global data_breach Government HIGH 20h Global supply_chain Software Development and Open Source Communities CRITICAL 20h Global malware Software Development CRITICAL 20h Global phishing Multiple Sectors HIGH 20h
Vulnerabilities

CVE-2026-24291

High
Incorrect permission assignment for critical resource in Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized attacker to elevate privileges locally.
CWE-732 — Weakness Type
Published: Mar 10, 2026  ·  Modified: Mar 17, 2026  ·  Source: NVD
CVSS v3
7.8
🔗 NVD Official
📄 Description (English)

Incorrect permission assignment for critical resource in Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized attacker to elevate privileges locally.

🤖 AI Executive Summary

CVE-2026-24291 is a privilege escalation vulnerability in Windows Accessibility Infrastructure (ATBroker.exe) affecting multiple Windows 10 versions due to incorrect permission assignment on critical resources. An authorized local attacker can exploit this to elevate privileges to SYSTEM level. With a CVSS score of 7.8 and no public exploit currently available, this poses a significant risk to Saudi organizations relying on Windows 10 infrastructure, particularly in government and banking sectors where privilege escalation could lead to unauthorized access to sensitive systems.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 29, 2026 04:56
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi banking sector (SAMA-regulated institutions), government agencies (NCA oversight), and critical infrastructure operators. Windows 10 is widely deployed across Saudi organizations for administrative and operational workstations. Privilege escalation could enable lateral movement within networks, access to classified government data, financial system manipulation, and compromise of critical infrastructure. Healthcare sector (MOH systems) and energy sector (ARAMCO, SEC) are particularly vulnerable if Windows 10 endpoints are used in operational technology environments. Telecom operators (STC, Mobily) managing network infrastructure are also at risk.
🏢 Affected Saudi Sectors
Banking and Financial Services Government and Public Administration Critical Infrastructure (Energy, Water, Utilities) Healthcare Telecommunications Defense and Security Education
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:

1. Prioritize patching Windows 10 systems across all versions (1607, 1809, 21H2, 22H2) with the latest security updates from Microsoft

2. Restrict local administrative access and enforce principle of least privilege

3. Disable Windows Accessibility features (ATBroker.exe) if not required for business operations

4. Implement application whitelisting to prevent unauthorized execution of accessibility tools



PATCHING GUIDANCE:

1. Deploy Microsoft security updates immediately through WSUS or Windows Update for Business

2. Prioritize systems in government, banking, and critical infrastructure sectors

3. Test patches in non-production environments before enterprise deployment

4. Verify ATBroker.exe permissions post-patching (should be restricted to SYSTEM and Administrators)



COMPENSATING CONTROLS (if patching delayed):

1. Monitor and audit ATBroker.exe execution using Windows Event Viewer (Event ID 4688)

2. Implement file integrity monitoring on %SystemRoot%\System32\ATBroker.exe

3. Use AppLocker rules to restrict ATBroker.exe execution to authorized users only

4. Enable Windows Defender Application Guard for high-risk workstations

5. Implement endpoint detection and response (EDR) solutions to detect privilege escalation attempts



DETECTION RULES:

1. Monitor for ATBroker.exe spawning child processes with elevated privileges

2. Alert on failed and successful privilege escalation attempts (Event ID 4673, 4674)

3. Track modifications to ATBroker.exe file permissions and ownership

4. Monitor registry modifications related to accessibility features (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:

1. أولويات تصحيح أنظمة Windows 10 عبر جميع الإصدارات (1607، 1809، 21H2، 22H2) بأحدث التحديثات الأمنية من Microsoft

2. تقييد الوصول الإداري المحلي وفرض مبدأ أقل امتياز

3. تعطيل ميزات Windows Accessibility (ATBroker.exe) إذا لم تكن مطلوبة للعمليات التجارية

4. تطبيق قائمة التطبيقات المسموحة لمنع التنفيذ غير المصرح به لأدوات الوصول



إرشادات التصحيح:

1. نشر تحديثات أمان Microsoft فوراً عبر WSUS أو Windows Update for Business

2. إعطاء الأولوية للأنظمة في قطاعات الحكومة والبنوك والبنية التحتية الحرجة

3. اختبار التصحيحات في بيئات غير الإنتاج قبل النشر على مستوى المؤسسة

4. التحقق من أذونات ATBroker.exe بعد التصحيح (يجب أن تكون مقيدة على SYSTEM والمسؤولين)



الضوابط البديلة (إذا تأخر التصحيح):

1. مراقبة وتدقيق تنفيذ ATBroker.exe باستخدام Windows Event Viewer (Event ID 4688)

2. تطبيق مراقبة سلامة الملفات على %SystemRoot%\System32\ATBroker.exe

3. استخدام قواعد AppLocker لتقييد تنفيذ ATBroker.exe للمستخدمين المصرح لهم فقط

4. تفعيل Windows Defender Application Guard لمحطات العمل عالية المخاطر

5. تطبيق حلول كشف الاستجابة للنقاط النهائية (EDR) للكشف عن محاولات تصعيد الامتيازات



قواعد الكشف:

1. مراقبة ATBroker.exe لتوليد العمليات الفرعية بامتيازات مرتفعة

2. تنبيهات محاولات تصعيد الامتيازات الفاشلة والناجحة (Event ID 4673، 4674)

3. تتبع التعديلات على أذونات ملف ATBroker.exe والملكية

4. مراقبة تعديلات السجل المتعلقة بميزات الوصول (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policy ECC 2024 A.5.2.1 - User Registration and De-registration ECC 2024 A.5.3.1 - Access Rights Review ECC 2024 A.9.2.1 - User Access Management ECC 2024 A.9.4.3 - Password Management ECC 2024 A.12.4.1 - Event Logging ECC 2024 A.12.4.3 - Administrator and Operator Logs
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Asset Management SAMA CSF PR.AC-1 - Access Control Policy SAMA CSF PR.AC-4 - Access Rights Management SAMA CSF DE.CM-1 - System Monitoring SAMA CSF DE.CM-3 - Event Detection SAMA CSF RS.MI-2 - Incident Response Procedures
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of Duties ISO 27001:2022 A.8.2 - User Access Management ISO 27001:2022 A.8.3 - User Responsibilities ISO 27001:2022 A.9.2 - User Access Rights ISO 27001:2022 A.9.4 - Access Control Review ISO 27001:2022 A.12.4 - Logging
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Default Passwords PCI DSS 7.1 - Access Control Implementation PCI DSS 8.1 - User Identification PCI DSS 8.2 - User Authentication PCI DSS 10.2 - User Access Logging
📦 Affected Products / CPE 25 entries
microsoft:windows_10_1607
microsoft:windows_10_1607
microsoft:windows_10_1809
microsoft:windows_10_1809
microsoft:windows_10_21h2
microsoft:windows_10_21h2
microsoft:windows_10_21h2
microsoft:windows_10_22h2
microsoft:windows_10_22h2
microsoft:windows_10_22h2
microsoft:windows_11_23h2
microsoft:windows_11_23h2
microsoft:windows_11_24h2
microsoft:windows_11_24h2
microsoft:windows_11_25h2
microsoft:windows_11_25h2
microsoft:windows_11_26h1
microsoft:windows_11_26h1
microsoft:windows_server_2012:-
microsoft:windows_server_2012:r2
microsoft:windows_server_2016
microsoft:windows_server_2019
microsoft:windows_server_2022
microsoft:windows_server_2022_23h2
microsoft:windows_server_2025
📊 CVSS Score
7.8
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack VectorL — Low / Local
Attack ComplexityL — Low / Local
Privileges RequiredL — Low / Local
User InteractionN — None / Network
ScopeU — Unchanged
ConfidentialityH — High
IntegrityH — High
AvailabilityH — High
📋 Quick Facts
Severity High
CVSS Score7.8
CWECWE-732
Exploit No
Patch ✓ Yes
Published 2026-03-10
Source Feed nvd
Views 4
🇸🇦 Saudi Risk Score
7.8
/ 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-732
🏢 Vendor Advisories
🔗 https://msrc.microsoft.com/update-guide/vulnerabilit...
⚡ Actions
🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details
Share this CVE
LinkedIn X / Twitter WhatsApp Telegram

💬 Comments

0
Loading comments
📣 Found this valuable?
Share it with your cybersecurity network
in LinkedIn 𝕏 X / Twitter 💬 WhatsApp ✈ Telegram
🍪 Privacy Preferences
CISO Consulting — Compliant with Saudi Personal Data Protection Law (PDPL)
We use cookies and similar technologies to provide the best experience on our platform. You can choose which types you accept.
🔒
Essential Always On
Required for the website to function properly. Cannot be disabled.
📋 Sessions, CSRF tokens, authentication, language preferences
📊
Analytics
Help us understand how visitors use the site and improve performance.
📋 Page views, session duration, traffic sources, performance metrics
⚙️
Functional
Enable enhanced features like content personalization and preferences.
📋 Dark/light theme, font size, custom dashboards, saved filters
📣
Marketing
Used to deliver content and ads relevant to your interests.
📋 Campaign tracking, retargeting, social media analytics
Privacy Policy →
CISO AI Assistant
Ask anything · Documents · Support
🔐

Introduce Yourself

Enter your details to access the full assistant

Your info is private and never shared
💬
CyberAssist
Online · responds in seconds
5 / 5
🔐 Verify Your Identity

Enter your email to receive a verification code before submitting a support request.

Enter to send · / for commands 0 / 2000
CISO AI · Powered by Anthropic Claude
✦ Quick Survey Help Us Improve CISO Consulting Your feedback shapes the future of our platform — takes less than 2 minutes.
⚠ Please answer this question to continue

How would you rate your overall experience with our platform?

Rate from 1 (poor) to 5 (excellent)

🎉
Thank you!
Your response has been recorded.