Windows 11 bug disclosed by researcher unhappy with Microsoft bug bounties

A Standard user can gain SYSTEM access on a PC if they exploit a newly disclosed Windows bug.


What you need to know

A researcher publicly disclosed a zero-day local privilege elevation vulnerability in Windows 11, Windows 10, and Windows Server. The vulnerability allows a user with Standard privileges to open the command prompt with SYSTEM privileges. This access could be leveraged to spread malicious content throughout a network.

The vulnerability was reportedly publicly disclosed due to frustration with Microsoft’s decreasing payouts for bug bounties. The researcher, Abdelhamid Naceri, told Bleeping Computer, “Microsoft bounties [have] been trashed since April 2020, I really wouldn’t do that if MSFT didn’t take the decision to downgrade those bounties.”

This is a common complaint among bug hunters. Microsoft’s payouts through its bug bounty program have gone down over the years in many instances.

“Under Microsoft’s new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000 💀” — MalwareTech (@MalwareTechBlog), July 27, 2020

Microsoft fixed an issue with its November 2021 Patch Tuesday updates, but a related vulnerability remained. Naceri found a bypass for the patch and a more powerful vulnerability. Naceri published a proof-of-concept exploit on GitHub. The GitHub page also explains the vulnerability in more depth.

Bleeping Computer tested the exploit and confirmed that it gained SYSTEM privileges from an account with only Standard privileges.

A fix for this vulnerability is likely on the way from Microsoft, though the company has not commented on it at this point.

Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He’s covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean’s journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.