📄 الوصف (الإنجليزية)
Incorrect permission assignment for critical resource in Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized attacker to elevate privileges locally.
🤖 ملخص AI
CVE-2026-24291 is a privilege escalation vulnerability in Windows Accessibility Infrastructure (ATBroker.exe) affecting multiple Windows 10 versions due to incorrect permission assignment on critical resources. An authorized local attacker can exploit this to elevate privileges to SYSTEM level. With a CVSS score of 7.8 and no public exploit currently available, this poses a significant risk to Saudi organizations relying on Windows 10 infrastructure, particularly in government and banking sectors where privilege escalation could lead to unauthorized access to sensitive systems.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: Apr 29, 2026 04:56
🇸🇦 التأثير على المملكة العربية السعودية
This vulnerability poses significant risk to Saudi banking sector (SAMA-regulated institutions), government agencies (NCA oversight), and critical infrastructure operators. Windows 10 is widely deployed across Saudi organizations for administrative and operational workstations. Privilege escalation could enable lateral movement within networks, access to classified government data, financial system manipulation, and compromise of critical infrastructure. Healthcare sector (MOH systems) and energy sector (ARAMCO, SEC) are particularly vulnerable if Windows 10 endpoints are used in operational technology environments. Telecom operators (STC, Mobily) managing network infrastructure are also at risk.
🏢 القطاعات السعودية المتأثرة
Banking and Financial Services
Government and Public Administration
Critical Infrastructure (Energy, Water, Utilities)
Healthcare
Telecommunications
Defense and Security
Education
🎯 تقنيات MITRE ATT&CK
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt
T1134.003 - Access Token Manipulation: Make and Impersonate Token
T1547.008 - Boot or Logon Autostart Execution: LSASS Driver
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1543.001 - Create or Modify System Process: Windows Service
T1574.008 - Hijack Execution Flow: DLL Search Order Hijacking
⚖️ درجة المخاطر السعودية (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Prioritize patching Windows 10 systems across all versions (1607, 1809, 21H2, 22H2) with the latest security updates from Microsoft
2. Restrict local administrative access and enforce principle of least privilege
3. Disable Windows Accessibility features (ATBroker.exe) if not required for business operations
4. Implement application whitelisting to prevent unauthorized execution of accessibility tools
PATCHING GUIDANCE:
1. Deploy Microsoft security updates immediately through WSUS or Windows Update for Business
2. Prioritize systems in government, banking, and critical infrastructure sectors
3. Test patches in non-production environments before enterprise deployment
4. Verify ATBroker.exe permissions post-patching (should be restricted to SYSTEM and Administrators)
COMPENSATING CONTROLS (if patching delayed):
1. Monitor and audit ATBroker.exe execution using Windows Event Viewer (Event ID 4688)
2. Implement file integrity monitoring on %SystemRoot%\System32\ATBroker.exe
3. Use AppLocker rules to restrict ATBroker.exe execution to authorized users only
4. Enable Windows Defender Application Guard for high-risk workstations
5. Implement endpoint detection and response (EDR) solutions to detect privilege escalation attempts
DETECTION RULES:
1. Monitor for ATBroker.exe spawning child processes with elevated privileges
2. Alert on failed and successful privilege escalation attempts (Event ID 4673, 4674)
3. Track modifications to ATBroker.exe file permissions and ownership
4. Monitor registry modifications related to accessibility features (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. أولويات تصحيح أنظمة Windows 10 عبر جميع الإصدارات (1607، 1809، 21H2، 22H2) بأحدث التحديثات الأمنية من Microsoft
2. تقييد الوصول الإداري المحلي وفرض مبدأ أقل امتياز
3. تعطيل ميزات Windows Accessibility (ATBroker.exe) إذا لم تكن مطلوبة للعمليات التجارية
4. تطبيق قائمة التطبيقات المسموحة لمنع التنفيذ غير المصرح به لأدوات الوصول
إرشادات التصحيح:
1. نشر تحديثات أمان Microsoft فوراً عبر WSUS أو Windows Update for Business
2. إعطاء الأولوية للأنظمة في قطاعات الحكومة والبنوك والبنية التحتية الحرجة
3. اختبار التصحيحات في بيئات غير الإنتاج قبل النشر على مستوى المؤسسة
4. التحقق من أذونات ATBroker.exe بعد التصحيح (يجب أن تكون مقيدة على SYSTEM والمسؤولين)
الضوابط البديلة (إذا تأخر التصحيح):
1. مراقبة وتدقيق تنفيذ ATBroker.exe باستخدام Windows Event Viewer (Event ID 4688)
2. تطبيق مراقبة سلامة الملفات على %SystemRoot%\System32\ATBroker.exe
3. استخدام قواعد AppLocker لتقييد تنفيذ ATBroker.exe للمستخدمين المصرح لهم فقط
4. تفعيل Windows Defender Application Guard لمحطات العمل عالية المخاطر
5. تطبيق حلول كشف الاستجابة للنقاط النهائية (EDR) للكشف عن محاولات تصعيد الامتيازات
قواعد الكشف:
1. مراقبة ATBroker.exe لتوليد العمليات الفرعية بامتيازات مرتفعة
2. تنبيهات محاولات تصعيد الامتيازات الفاشلة والناجحة (Event ID 4673، 4674)
3. تتبع التعديلات على أذونات ملف ATBroker.exe والملكية
4. مراقبة تعديلات السجل المتعلقة بميزات الوصول (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility)
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policy
ECC 2024 A.5.2.1 - User Registration and De-registration
ECC 2024 A.5.3.1 - Access Rights Review
ECC 2024 A.9.2.1 - User Access Management
ECC 2024 A.9.4.3 - Password Management
ECC 2024 A.12.4.1 - Event Logging
ECC 2024 A.12.4.3 - Administrator and Operator Logs
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Asset Management
SAMA CSF PR.AC-1 - Access Control Policy
SAMA CSF PR.AC-4 - Access Rights Management
SAMA CSF DE.CM-1 - System Monitoring
SAMA CSF DE.CM-3 - Event Detection
SAMA CSF RS.MI-2 - Incident Response Procedures
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of Duties
ISO 27001:2022 A.8.2 - User Access Management
ISO 27001:2022 A.8.3 - User Responsibilities
ISO 27001:2022 A.9.2 - User Access Rights
ISO 27001:2022 A.9.4 - Access Control Review
ISO 27001:2022 A.12.4 - Logging
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Default Passwords
PCI DSS 7.1 - Access Control Implementation
PCI DSS 8.1 - User Identification
PCI DSS 8.2 - User Authentication
PCI DSS 10.2 - User Access Logging
📦 المنتجات المتأثرة 25 منتج
microsoft:windows_10_1607
microsoft:windows_10_1607
microsoft:windows_10_1809
microsoft:windows_10_1809
microsoft:windows_10_21h2
microsoft:windows_10_21h2
microsoft:windows_10_21h2
microsoft:windows_10_22h2
microsoft:windows_10_22h2
microsoft:windows_10_22h2
microsoft:windows_11_23h2
microsoft:windows_11_23h2
microsoft:windows_11_24h2
microsoft:windows_11_24h2
microsoft:windows_11_25h2
microsoft:windows_11_25h2
microsoft:windows_11_26h1
microsoft:windows_11_26h1
microsoft:windows_server_2012:-
microsoft:windows_server_2012:r2
microsoft:windows_server_2016
microsoft:windows_server_2019
microsoft:windows_server_2022
microsoft:windows_server_2022_23h2
microsoft:windows_server_2025