Microsoft has patched vulnerability CVE-2026-20931. Check if you're vulnerable.
Microsoft has released a patch for a new vulnerability in server versions of Windows. The vulnerability was discovered by Sergey Bliznyuk, a specialist with the PT SWARM team at Positive Technologies. It allows attackers to execute arbitrary code on telephony servers, connect to corporate infrastructure, and conduct full-scale, complex cyberattacks.
Vulnerability PT-2026-2734 (CVE-2026-20931) received a high severity rating of 8.0 on the CVSS 3.1 scale. It disables the TapiSrv phone service, which is preinstalled in Windows and is responsible for communication with telephone networks, including landlines, modems, and VoIP. Thirty-five operating system versions were affected, from Windows Server 2008 to Windows Server 2025.
Due to the vulnerability, a domain account was added to the attacker's account, limiting privileges and access to the company's local network. Furthermore, the telephony service must be activated in server mode, which is rare. By default, the Windows service is disabled after installation and requires additional configuration by the administrator. The vulnerability poses no threat to home users.
However, for organizations where the service is running in an insecure configuration, the consequences could be serious. Attackers could escalate their privileges in the corporate domain to maximum levels, encrypt or irreversibly exfiltrate sensitive information, and steal personal data of employees and clients or information containing trade secrets. Windows still accounts for 99% of the infrastructure of Russian companies, while government agencies account for 50%.
Microsoft has already published patches. Companies that are unable to promptly install the patches recommend enabling the telephony service in server mode if it is not in use.
Positive Technologies specialists regularly find vulnerabilities in Microsoft products and help exploit them. Positive Technologies has been collaborating with the company since 2012, and during this time, 12 security issues have been jointly fixed. You can track current vulnerabilities on the dbugs portal.
Microsoft has released a patch for a new vulnerability in server versions of Windows. The vulnerability was discovered by Sergey Bliznyuk, a specialist with the PT SWARM team at Positive Technologies. It allows attackers to execute arbitrary code on telephony servers, connect to corporate infrastructure, and conduct full-scale, complex cyberattacks.
Vulnerability PT-2026-2734 (CVE-2026-20931) received a high severity rating of 8.0 on the CVSS 3.1 scale. It disables the TapiSrv phone service, which is preinstalled in Windows and is responsible for communication with telephone networks, including landlines, modems, and VoIP. Thirty-five operating system versions were affected, from Windows Server 2008 to Windows Server 2025.
Due to the vulnerability, a domain account was added to the attacker's account, limiting privileges and access to the company's local network. Furthermore, the telephony service must be activated in server mode, which is rare. By default, the Windows service is disabled after installation and requires additional configuration by the administrator. The vulnerability poses no threat to home users.
However, for organizations where the service is running in an insecure configuration, the consequences could be serious. Attackers could escalate their privileges in the corporate domain to maximum levels, encrypt or irreversibly exfiltrate sensitive information, and steal personal data of employees and clients or information containing trade secrets. Windows still accounts for 99% of the infrastructure of Russian companies, while government agencies account for 50%.
Microsoft has already published patches. Companies that are unable to promptly install the patches recommend enabling the telephony service in server mode if it is not in use.
Positive Technologies specialists regularly find vulnerabilities in Microsoft products and help exploit them. Positive Technologies has been collaborating with the company since 2012, and during this time, 12 security issues have been jointly fixed. You can track current vulnerabilities on the dbugs portal.
