CVE-2026-35436
Severity: High
Weakness Type: CWE-1220 (Insufficient Granularity of Access Control)
Published: May 12, 2026  ·  Modified: May 19, 2026  ·  Source: NVD
CVSS v3.1 Base Score: 8.8
📄 Description (English)

Insufficient granularity of access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.

🤖 AI Executive Summary

CVE-2026-35436 is a privilege escalation vulnerability in Microsoft Office Click-To-Run with a CVSS score of 8.8, allowing authorized local attackers to elevate privileges through insufficient access control granularity. This vulnerability poses significant risk to Saudi organizations relying on Microsoft Office for critical operations. While no public exploit is currently available, the lack of a patch requires immediate compensating controls and monitoring.

🤖 AI Intelligence Analysis (analyzed May 18, 2026 08:36)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi banking sector (SAMA-regulated institutions), government agencies (NCA oversight), healthcare organizations (MOH), and energy sector (ARAMCO, SABIC). The privilege escalation risk is particularly severe for organizations with multi-user workstations and shared Office environments. Telecom operators (STC, Mobily) and financial services firms face elevated risk due to widespread Office deployment. Government entities using Office for classified document handling require immediate attention.
🏢 Affected Saudi Sectors
Banking and Financial Services, Government and Public Administration, Healthcare, Energy and Utilities, Telecommunications, Defense and Security, Education
⚖️ Saudi Risk Score (AI)
7.8 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory all Microsoft Office Click-To-Run installations across the organization
2. Restrict local administrative access and enforce principle of least privilege for all user accounts
3. Implement application whitelisting to control Office process execution
4. Enable Windows Defender Application Guard for Office applications in high-risk environments

Compensating Controls (until patch available):
5. Deploy endpoint detection and response (EDR) solutions to monitor Office process behavior and privilege escalation attempts
6. Implement file integrity monitoring on Office installation directories
7. Configure Windows Event Log auditing for process creation and termination (Event IDs 4688 and 4689, with command-line logging enabled) so that privilege escalation attempts leave a process-tree record
8. Restrict Office macro execution policies and disable VBA in untrusted documents
9. Enforce code integrity policies and disable kernel-mode driver installation

Detection Rules:
10. Monitor for unusual Office child processes spawning with elevated privileges
11. Alert on Office processes accessing LSASS or other sensitive system processes
12. Track modifications to Office Click-To-Run registry keys and installation paths
13. Monitor for Office processes attempting to write to System32 or Program Files directories
14. Subscribe to Microsoft security advisories for patch availability and apply immediately upon release
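As an added example (not part of this advisory and not Microsoft's or the site's own code), the following Python applies detection rule 10 to constructed Security 4688 events rendered as one-line key=value records; the Office process names, the integrity-label SIDs, the TokenElevationType value and the Click-To-Run install-directory allowlist are assumptions, and the sample events are fabricated for illustration.

```python
import re

# Assumed process names: user-facing Office apps and the Click-To-Run service.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
C2R_SERVICE = "officeclicktorun.exe"
C2R_DIR = r"c:\program files\common files\microsoft shared\clicktorun"
HIGH_OR_SYSTEM = {"S-1-16-12288", "S-1-16-16384"}  # High / System integrity labels
FULL_TOKEN = "%%1937"  # TokenElevationType: full token, not UAC-filtered
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_4688(line):
    """Parse a one-line key=value rendering of a Security 4688 event (constructed format)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}

def classify(ev):
    """Return a reason string when the event matches detection rule 10, else None."""
    if ev.get("EventID") != "4688":
        return None
    parent = ev["ParentProcessName"].rsplit("\\", 1)[-1].lower()
    child = ev["NewProcessName"]
    elevated = (ev.get("MandatoryLabel") in HIGH_OR_SYSTEM
                or ev.get("TokenElevationType") == FULL_TOKEN)
    if parent in OFFICE_APPS and elevated:
        return f"elevated child {child} spawned by {parent}"
    # The C2R service legitimately runs as SYSTEM; only children outside its own
    # install directory are unusual (the directory allowlist is an assumption).
    if parent == C2R_SERVICE and not child.lower().startswith(C2R_DIR):
        return f"Click-To-Run service spawned {child} outside its install directory"
    return None

def scan(lines):
    hits = []  # (SubjectUserName, reason) for every event that trips the rule
    for ev in map(parse_4688, lines):
        reason = classify(ev)
        if reason:
            hits.append((ev.get("SubjectUserName"), reason))
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    r'EventID=4688 SubjectUserName=alice NewProcessName="C:\Windows\System32\notepad.exe" ParentProcessName="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" TokenElevationType=%%1938 MandatoryLabel=S-1-16-8192',
    r'EventID=4688 SubjectUserName=alice NewProcessName="C:\Windows\System32\cmd.exe" ParentProcessName="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" TokenElevationType=%%1937 MandatoryLabel=S-1-16-12288',
    r'EventID=4688 SubjectUserName=SYSTEM NewProcessName="C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe" ParentProcessName="C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe" TokenElevationType=%%1936 MandatoryLabel=S-1-16-16384',
    r'EventID=4688 SubjectUserName=SYSTEM NewProcessName="C:\Windows\System32\cmd.exe" ParentProcessName="C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe" TokenElevationType=%%1936 MandatoryLabel=S-1-16-16384',
]

if __name__ == "__main__":
    for user, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT [{user}] {reason}")
```

The first and third sample events are expected to pass silently (a limited-token child of Word, and the Click-To-Run service updating itself); the second and fourth trip the rule.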
🔧 Remediation Steps (Arabic version, translated to English)
Immediate Actions:
1. Inventory all Microsoft Office Click-To-Run installations across the organization
2. Restrict local administrative access and enforce the principle of least privilege for all user accounts
3. Apply an application allowlist to control the execution of Office processes
4. Enable Windows Defender Application Guard for Office applications in high-risk environments

Compensating Controls (until a patch is available):
5. Deploy endpoint detection and response (EDR) solutions to monitor Office process behavior and privilege escalation attempts
6. Apply file integrity monitoring to Office installation directories
7. Configure Windows Event Log auditing for privilege escalation events (Event IDs 4688, 4689)
8. Restrict Office macro execution policies and disable VBA in untrusted documents
9. Enforce code integrity policies and disable kernel-mode driver installation

Detection Rules:
10. Monitor for unusual Office child processes running with elevated privileges
11. Alert on Office processes attempting to access LSASS or other sensitive system processes
12. Track modifications to Office Click-To-Run registry keys and installation paths
13. Monitor for Office processes attempting to write to the System32 or Program Files directories
14. Subscribe to Microsoft security advisories and apply patches immediately when they become available
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Access Control Policy
A.6.1.2 - User Registration and De-registration
A.9.2.1 - User Access Management
A.9.4.3 - Password Management
A.12.4.1 - Event Logging
A.12.4.3 - Administrator and Operator Logs
🔵 SAMA CSF
ID.AC-1 - Access Control Policy and Procedures
ID.AC-2 - Physical and Logical Access Controls
PR.AC-1 - Identities and Credentials Management
PR.AC-4 - Access Rights Management
DE.CM-1 - System Monitoring
DE.AE-1 - Audit Logs
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security
A.6.1.2 - Information security roles and responsibilities
A.8.1.1 - Screening
A.9.1.1 - Access control policy
A.9.2.1 - User registration and de-registration
A.9.4.3 - Password management
A.12.4.1 - Event logging
🟣 PCI DSS v4.0.1
Requirement 2.1 - Default security parameters
Requirement 7 - Restrict access to data by business need to know
Requirement 8 - Identify and authenticate access
Requirement 10 - Track and monitor access to network resources
📊 CVSS Score
8.8 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: L — Local
Attack Complexity: L — Low
Privileges Required: L — Low
User Interaction: N — None
Scope: C — Changed
Confidentiality: H — High
Integrity: H — High
Availability: H — High
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-1220
EPSS: 0.05%
Exploit: No
Patch: ✗ No
Published: 2026-05-12
Source Feed: nvd
🇸🇦 Saudi Risk Score
7.8 / 10.0 — Priority: HIGH
🏷️ Tags
CWE-1220