CVE-2026-20931:
Windows Telephony Service vulnerability allows privilege escalation via file path manipulation.
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.0High- Published Date:Jan 13, 2026
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:0.8
- EPSS Percentile:73%
Exploitability
- Score:2.1
- Attack Vector:ADJACENT_NETWORK
- Attack Complexity:LOW
- Privileges Required:LOW
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Windows Telephony Service vulnerability allows privilege escalation via file path manipulation.
Overview
The vulnerability in Windows Telephony Service stems from improper handling of file names or paths, classified as CWE-73. An attacker with low privileges can exploit this flaw to gain elevated access, potentially compromising the confidentiality, integrity, and availability of the system. The attack vector is adjacent network, requiring no user interaction and low attack complexity. The scope of the vulnerability remains unchanged, meaning the impacted component is the same as the vulnerable component.
Remediation
- While specific remediation details are not provided, general recommendations include:
- 1. Apply the latest security patches from Microsoft as soon as they become available.
- 2. Implement the principle of least privilege for user accounts and services.
- 3. Regularly audit and monitor file system access and changes.
- 4. Use network segmentation to limit the exposure of vulnerable systems.
- 5. Employ robust input validation and sanitization for file paths and names.
- 6. Consider implementing application whitelisting to prevent unauthorized executables.
References
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
