Dial M for Murder: Windows Telephony Service EoP (CVE-2026-20931)

Amit Schendel
Senior Security Researcher

Jan 19, 2026

Executive Summary (TL;DR)

CVE-2026-20931 is an Elevation of Privilege vulnerability in the Windows Telephony Service (`tapisrv.dll`). An authenticated, low-privileged user on an adjacent network can coerce the service, which runs as SYSTEM, into performing file operations on attacker-controlled paths. By redirecting those operations through symbolic links, an attacker can overwrite system files or cause malicious DLLs to be loaded.

An ancient relic of the dial-up era, the Windows Telephony Service (TAPI) exposes a critical logic flaw that allows adjacent attackers to escalate privileges to SYSTEM via RPC path coercion.

Technical Appendix

CVSS Score: 8.0 / 10
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Probability: 1.22% (top 21% most exploited)

Affected Systems

- Windows 10 Version 22H2
- Windows 11 Version 23H2
- Windows 11 Version 24H2
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025

Affected Versions Detail

Product        | Vendor    | Affected Versions | Fixed Version
Windows 10     | Microsoft | 1607 - 22H2       | Jan 2026 Update
Windows 11     | Microsoft | 22H3 - 25H2       | Jan 2026 Update
Windows Server | Microsoft | 2008 - 2025       | Jan 2026 Update
Attribute           | Detail
CWE ID              | CWE-73
CVSS v3.1           | 8.0 (High)
Attack Vector       | Adjacent Network
Privileges Required | Low
Impact              | System Compromise
Exploit Status      | PoC / Unlikely
EPSS Score          | 1.22%
CWE-73: External Control of File Name or Path

The software allows user input to control or influence paths or file names that are used in filesystem operations.

Vulnerability Timeline

2026-01-13  Vulnerability published by Microsoft
2026-01-13  Patches released (Patch Tuesday)
2026-01-14  Analyzed by Rapid7 and ZDI