Cyber Threat Brief — March 26 2026
⚠️ This report is AI-generated. Always validate findings.
Previous brief: Cyber Threat Brief — March 25 2026
Threat count: 1 new threat, 3 status updates
1. Windows Error Reporting ALPC Privilege Escalation PoC — CVE-2026-20817
TL;DR: Public PoC now available for CVE-2026-20817 (CVSS 7.8), a local privilege escalation in Windows Error Reporting that lets any authenticated user get SYSTEM via crafted ALPC messages to WerSvc; patched in January 2026 Patch Tuesday but the newly released exploit code lowers the bar for red teams and threat actors on unpatched hosts.
What’s New:
- Security researcher itm4n published a detailed technical writeup and PoC; a second PoC by oxfemale (@bytecodevm) appeared on GitHub (oxfemale/CVE-2026-20817)
- Exploit sends an ALPC message to WER service method SvcElevatedLaunch (0x0D), which launches WerFault.exe with attacker-controlled command-line parameters under a SYSTEM token carrying SeDebugPrivilege and SeImpersonatePrivilege
- Affects all Windows 10, Windows 11, Server 2019, and Server 2022 versions prior to the January 2026 security updates
- No active in-the-wild (ITW) exploitation reported yet, but the public PoC and low complexity (authenticated local access, no user interaction) make weaponization likely
- The SYSTEM token inherited by the spawned process includes dangerous privileges that enable full host compromise (debug any process, impersonate any user)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| WerFault.exe spawned with unexpected CLI args | Process execution | T1068 | Sysmon EID 1 / EDR | Hunt for WerFault.exe with atypical command-line length or flags |
| WerSvc ALPC port connection from low-integrity process | IPC abuse | T1559 | Sysmon EID 17/18 (Pipe) / ETW ALPC | Alert on non-standard ALPC clients connecting to WER |
| WerFault.exe or WerMgr.exe running as SYSTEM without SeTcbPrivilege | Token anomaly | T1134.001 | Windows Security EID 4688 + token audit | Hunt for WER binaries with SYSTEM token missing expected privileges |
| Parent process of WerFault.exe is non-standard (not svchost.exe -k WerSvcGroup) | Suspicious parent chain | T1068 | Sysmon EID 1 / EDR | Alert on unexpected parent for WerFault.exe |
| SeDebugPrivilege or SeImpersonatePrivilege use post-WerFault spawn | Privilege abuse | T1134.001 | Windows Security EID 4672 / EDR | Correlate privilege use with WerFault ancestry |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific to WER ALPC abuse | Need: WerFault.exe unusual command-line or parent process rule |
| Elastic | "Unusual Parent Process for WerFault" (partial, if customized) | Need: ALPC-specific correlation for WER service |
| Sigma | proc_creation_win_werfault_unusual_parent.yml (community, partial) | Need: Command-line length/content filter for WerFault.exe |
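The two Sysmon EID 1 hunts from the Actionable Intel table (atypical WerFault.exe command line, non-standard parent) have no ready-made rule in the Detection table above, so here is a hunt script that implements both over constructed sample events. This is an added example, not code from the brief or from either PoC author; the benign WerFault.exe argument shapes, the 120-character ceiling and the JSON-lines sample records are assumptions to be re-baselined against your own telemetry. Note that in the flow the brief describes the WER service host itself launches WerFault.exe, so the parent can look legitimate and the command-line check is the one that matters for that path.

```python
"""Hunt WerFault.exe launches in Sysmon Event ID 1 records for the artifacts
listed in the brief: atypical command line and unexpected parent process.
Added example; the baselines below are assumptions, not vendor-published values."""
import json
import re

# Baseline taken from the brief: WerFault.exe is expected under the WER service host.
EXPECTED_PARENT_IMAGE = r"c:\windows\system32\svchost.exe"
EXPECTED_PARENT_FLAG = "-k wersvcgroup"

# Assumed benign WerFault.exe argument shapes ("-u -p <pid> -s <n>" and
# "-pss -s <n> -p <pid> -ip <pid>") and an assumed length ceiling; tune per estate.
BENIGN_CMDLINE = re.compile(
    r'^"?[a-z]:\\windows\\system32\\werfault\.exe"?\s+'
    r'(-u\s+-p\s+\d+\s+-s\s+\d+|-pss\s+-s\s+\d+\s+-p\s+\d+\s+-ip\s+\d+)\s*$',
    re.IGNORECASE,
)
MAX_CMDLINE_LEN = 120

# Constructed Sysmon EID 1 events as JSON lines; not captured from any real host.
# Record 102 models the brief's scenario (service-spawned WerFault.exe, foreign
# arguments, SYSTEM); record 103 models a non-standard parent.
SAMPLE_SYSMON_EID1 = r"""
{"EventID":1,"RecordId":101,"Image":"C:\\Windows\\System32\\WerFault.exe","CommandLine":"C:\\Windows\\System32\\WerFault.exe -u -p 4321 -s 1000","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentCommandLine":"C:\\Windows\\System32\\svchost.exe -k WerSvcGroup","User":"NT AUTHORITY\\SYSTEM"}
{"EventID":1,"RecordId":102,"Image":"C:\\Windows\\System32\\WerFault.exe","CommandLine":"C:\\Windows\\System32\\WerFault.exe PLACEHOLDER_ATTACKER_CONTROLLED_ARGUMENTS_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentCommandLine":"C:\\Windows\\System32\\svchost.exe -k WerSvcGroup","User":"NT AUTHORITY\\SYSTEM"}
{"EventID":1,"RecordId":103,"Image":"C:\\Windows\\System32\\WerFault.exe","CommandLine":"C:\\Windows\\System32\\WerFault.exe -u -p 4322 -s 1001","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentCommandLine":"cmd.exe","User":"LAB\\alice"}
{"EventID":1,"RecordId":104,"Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","ParentCommandLine":"explorer.exe","User":"LAB\\alice"}
{"EventID":1,"RecordId":105,"Image":"C:\\Windows\\System32\\WerFault.exe","CommandLine":"C:\\Windows\\System32\\WerFault.exe -pss -s 448 -p 5000 -ip 5000","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentCommandLine":"C:\\Windows\\System32\\svchost.exe -k WerSvcGroup","User":"NT AUTHORITY\\SYSTEM"}
"""


def parse_events(text):
    """Parse JSON-lines Sysmon records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def assess_werfault(ev):
    """Return the brief's artifact names this record matches ([] for clean or non-WER)."""
    if not ev.get("Image", "").lower().endswith("\\werfault.exe"):
        return []
    reasons = []
    parent_ok = (ev.get("ParentImage", "").lower() == EXPECTED_PARENT_IMAGE
                 and EXPECTED_PARENT_FLAG in ev.get("ParentCommandLine", "").lower())
    if not parent_ok:
        reasons.append("unexpected_parent")
    cmd = ev.get("CommandLine", "")
    # Either an unusually long command line or one outside the known benign shapes.
    if len(cmd) > MAX_CMDLINE_LEN or not BENIGN_CMDLINE.match(cmd):
        reasons.append("atypical_cmdline")
    return reasons


def hunt_werfault(text):
    """Map RecordId -> matched artifacts for every flagged WerFault.exe launch."""
    findings = {}
    for ev in parse_events(text):
        reasons = assess_werfault(ev)
        if reasons:
            findings[ev["RecordId"]] = reasons
    return findings


if __name__ == "__main__":
    for record_id, reasons in hunt_werfault(SAMPLE_SYSMON_EID1).items():
        print(record_id, reasons)
```

Feed it your own exported EID 1 records (one JSON object per line) in place of the constructed sample; the `unexpected_parent` finding corresponds to the table's parent-chain row and `atypical_cmdline` to its CLI-args row, and a hit on the latter with a legitimate WerSvcGroup parent and SYSTEM user is the pattern to correlate with EID 4672 privilege use downstream.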
Sources: itm4n blog · itm4n GitHub PoC · oxfemale PoC · CyberSecurityNews · GBHackers
Status Updates
- CVE-2026-33017 (Langflow): CISA added to KEV catalog on March 25; federal deadline April 8. Exploitation ongoing since 20 hours post-disclosure (March 17). Six attacker IPs and C2 at 173.212.205[.]251:8443 previously reported. No new IOCs. Original brief.
- CVE-2026-3055 (Citrix NetScaler ADC/Gateway): Still no public PoC or ITW exploitation as of March 26. Rapid7 and Arctic Wolf continue to flag high weaponization likelihood for SAML IdP-configured appliances. Patch now. Original brief.
- CVE-2026-20131 (Cisco FMC / Interlock): Interlock exploitation ongoing. Public PoC still available on GitHub. No new IOCs or TTPs since March 25. CISA KEV deadline passed March 22. Original brief.