CVE-2026-20931
Published: 13 January 2026
Summary
CVE-2026-20931 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 39.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-20931 is an external control of file name or path vulnerability, tracked under CWE-73, that affects the Windows Telephony Service. The flaw carries a CVSS 3.1 score of 8.0 and permits an attacker to manipulate file paths or names, resulting in privilege elevation on the affected Windows component.
An authorized attacker positioned on an adjacent network can exploit the issue without user interaction. Successful exploitation grants the attacker high impact on confidentiality, integrity, and availability by elevating privileges on the target system.
Microsoft’s advisory at msrc.microsoft.com details the vulnerability and available updates, while Vicarius has published accompanying detection and mitigation scripts that practitioners can use to identify and remediate affected systems.
EPSS for the CVE rose from a low baseline to a peak of 0.0222 on 2026-02-14 before receding to the current value of 0.0044, indicating a temporary increase in exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2123
Vulnerability details
External control of file name or path in Windows Telephony Service allows an authorized attacker to elevate privileges over an adjacent network.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CWE-73 path control in Telephony Service directly enables local privilege escalation to SYSTEM-level access.
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CWE-73 external control of file name or path by requiring validation of inputs to the Windows Telephony Service.
Ensures timely remediation of the specific vulnerability in Windows Telephony Service through application of Microsoft's patches.
Limits the impact of privilege escalation by enforcing least privilege on low-privileged processes exploitable over adjacent networks.