Dial M for Murder: Windows Telephony Service EoP (CVE-2026-20931)

In the year 2026, you might ask: "Why does my hyper-modern Windows 11 Enterprise rig need a Telephony Service?" The answer is legacy compatibility. The Windows Telephony Application Programming Interface (TAPI) is a subsystem originally designed to handle classic landline interactions—dialing out, answering calls, and managing modems. While most of us aren't plugging RJ-11 cables into our laptops anymore, the service (tapisrv.dll) remains a core component of the OS, running by default.

Here is the kicker: TAPI runs with NT AUTHORITY\SYSTEM privileges. It sits there, quietly listening on an RPC interface, waiting for instructions. For a vulnerability researcher, this is the holy grail. You have a high-privileged process parsing complex inputs from lower-privileged users. It’s a classic setup for an Elevation of Privilege (EoP) attack.

But CVE-2026-20931 has a twist. Most EoP bugs require you to already have code execution on the local machine. This one is rated AV:A (Adjacent Network). That means if you are on the same Wi-Fi or VLAN as the victim, and you have valid credentials (maybe stolen, maybe a domain user), you can reach out and touch this service over the network to trigger the escalation. It's not just a local root; it's a "neighbor-to-root" exploit.

The vulnerability is a textbook case of CWE-73: External Control of File Name or Path. The Telephony Service exposes several RPC methods to manage provider configurations and logging. One of these methods accepts a string argument intended to specify a file path—perhaps for a log file or a configuration plugin.

The developers made a fatal assumption: they assumed that anyone calling this RPC interface would provide a "nice" path. They didn't anticipate a malicious user supplying a path like \\?\C:\Windows\System32\bad.dll or a path pointing to a user-controlled directory containing a symbolic link.

When the service receives this path, it doesn't adequately sanitize it. More importantly, it performs file operations (like CreateFile or LoadLibrary) on this path while still impersonating SYSTEM, rather than impersonating the calling user. This is the logic gap. If I tell the butler to open the door, he should open it with my keys. In this case, the butler uses the master key to open any door I point at.

Let's look at a reconstruction of the vulnerable logic within tapisrv.dll. The issue lies in how the RPC stub handles the incoming request before passing it to the file operation API.

The Vulnerable Pattern:

// Pseudo-code of the vulnerable RPC handler
long RpcConfigProvider(handle_t IDL_handle, wchar_t* pFilePath) {
    // 1. No check to see if pFilePath is safe
    // 2. No impersonation of the client user
 
    // The service (running as SYSTEM) blindly attempts to open the file
    HANDLE hFile = CreateFileW(
        pFilePath, 
        GENERIC_WRITE, 
        0, 
        NULL, 
        OPEN_ALWAYS, 
        FILE_ATTRIBUTE_NORMAL, 
        NULL
    );
 
    if (hFile != INVALID_HANDLE_VALUE) {
        // Write config data or log data
        WriteFile(hFile, ...);
        CloseHandle(hFile);
    }
    return 0;
}

Because RpcImpersonateClient is missing (or called too late), CreateFileW runs with the token of the service itself (SYSTEM).

The Fix: Microsoft's patch likely introduces strict canonicalization and, crucially, impersonation. The patched flow forces the service to downgrade its privileges to match the caller before touching the filesystem.

// Patched logic
long RpcConfigProvider(handle_t IDL_handle, wchar_t* pFilePath) {
    // 1. Impersonate the caller immediately
    if (RpcImpersonateClient(IDL_handle) != RPC_S_OK) {
        return ERROR_ACCESS_DENIED;
    }
 
    // 2. Validate path allows no directory traversal or device paths
    if (!IsValidPath(pFilePath)) {
        RpcRevertToSelf();
        return ERROR_INVALID_PARAMETER;
    }
 
    // 3. Perform file op as the USER, not SYSTEM
    HANDLE hFile = CreateFileW(pFilePath, ...);
 
    RpcRevertToSelf(); // Go back to being SYSTEM
    return 0;
}

How do we weaponize this? We use the "Adjacent" vector to reach the RPC interface, but we need the filesystem impact to result in code execution.

Step 1: The Setup We compromise a low-privileged workstation on the same subnet as the target Server (or a workstation). We authenticate to the target's RPC endpoint (TAPI service) using our low-priv credentials.

Step 2: The Bait We create a directory on a share we control (or a temp directory on the target if we have partial access) that contains a Junction or Symbolic Link. We point this link to a sensitive system file, like C:\Windows\System32\license.rtf (for arbitrary overwrite) or, more lethally, a DLL location susceptible to hijacking.

Step 3: The Trigger We invoke the vulnerable RPC method, passing our baited path: C:\Users\Public\Exploit\Link\target.file.

Step 4: The Switch The TAPI service receives the path. It resolves C:\Users\Public\Exploit\Link -> \RPC Control\ (using Object Manager symlink tricks created by tools like James Forshaw's symbolic link testing tools). The service, thinking it is writing a log file, writes data into a privileged system file.

If we can control the content written, we overwrite a system binary. If we can only control the path (e.g., forcing a DLL load), we point it to a UNC path \\AttackerIP\Share\Malicious.dll. The service loads our DLL as SYSTEM. Game over.

This vulnerability is scored CVSS 8.0, which is exceptionally high for an EoP. The "Adjacent" vector is the force multiplier here.

Usually, EoP bugs are disregarded by network admins: "If they are already on the box, I'm already owned." But this allows lateral movement escalation. An attacker who lands on a receptionist's PC (VLAN 10) can potentially escalate to SYSTEM on a departmental server (VLAN 10) simply by talking to the Telephony RPC interface. They don't need RDP access; they just need RPC visibility.

Impacts include:

• Total System Compromise: SYSTEM privileges allow full control over the OS.
• Credential Dumping: Access to LSASS memory to dump hashes.
• Persistence: Installing rootkits or backdoors that survive reboots.

The remediation is straightforward but urgent. Microsoft released patches on January 13, 2026.

1. Apply the Update: Install the Monthly Rollup for your respective Windows version immediately.
2. RPC Filtering: If you cannot patch immediately, block RPC traffic (Port 135 and dynamic RPC range) between workstations. Workstations rarely need to talk to each other via RPC.
3. Disable TAPI: If your environment does not use Telephony (and let's be honest, it probably doesn't), consider disabling the service via Group Policy (sc config tapisrv start= disabled).

[!NOTE] Disabling core Windows services can have unforeseen side effects on legacy applications. Test thoroughly before disabling tapisrv in production.