Cyber Posture

CVE-2026-20931

High

Published: 13 January 2026

Published
13 January 2026
Modified
16 January 2026
KEV Added
Patch
CVSS Score 8.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0079 74.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20931 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 26.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates CWE-73 external control of file name or path by requiring validation of inputs to the Windows Telephony Service.

SI-2 Flaw Remediation good match
prevent

Ensures timely remediation of the specific vulnerability in Windows Telephony Service through application of Microsoft's patches.

AC-6 Least Privilege partial match
prevent

Limits the impact of privilege escalation by enforcing least privilege on low-privileged processes exploitable over adjacent networks.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

CWE-73 path control in Telephony Service directly enables local privilege escalation to SYSTEM-level access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

External control of file name or path in Windows Telephony Service allows an authorized attacker to elevate privileges over an adjacent network.

Deeper analysisAI

CVE-2026-20931 is a vulnerability classified under CWE-73 (External Control of File Name or Path) in the Windows Telephony Service. Published on 2026-01-13T18:16:20.003, it carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The flaw affects Windows systems that utilize the Telephony Service component.

An attacker with low privileges (PR:L) on an adjacent network (AV:A) can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows privilege escalation, resulting in high impacts to confidentiality, integrity, and availability.

Microsoft's update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20931 provides details on associated advisories and patches for mitigation.

Details

CWE(s)
CWE-73

Affected Products

microsoft
windows 10 1607
≤ 10.0.14393.8783 · ≤ 10.0.14393.8783
microsoft
windows 10 1809
≤ 10.0.17763.8276 · ≤ 10.0.17763.8276
microsoft
windows 10 21h2
≤ 10.0.19044.6809
microsoft
windows 10 22h2
≤ 10.0.19045.6809
microsoft
windows 11 23h2
≤ 10.0.22631.6491
microsoft
windows 11 24h2
≤ 10.0.26100.7623
microsoft
windows 11 25h2
≤ 10.0.26200.7623
microsoft
windows server 2008
all versions, r2
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.8783
+4 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2026-24287Same product: Microsoft Windows 10 1809
CVE-2026-20843Same product: Microsoft Windows 10 1607
CVE-2026-20921Same product: Microsoft Windows 10 1607
CVE-2026-20922Same product: Microsoft Windows 10 1607
CVE-2026-20820Same product: Microsoft Windows 10 1607
CVE-2026-20860Same product: Microsoft Windows 10 1607
CVE-2026-20831Same product: Microsoft Windows 10 1607
CVE-2026-20816Same product: Microsoft Windows 10 1607
CVE-2026-20840Same product: Microsoft Windows 10 1607
CVE-2026-21239Same product: Microsoft Windows 10 1607

References