EIP-2026-117576

PRE-CVE

Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4 - Server Operator to Administrator Privilege Escalation: System Key

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-117576. PoCs published by Mnemonix.

AI-analyzed exploit summary This exploit leverages a Windows registry ACL misconfiguration to escalate privileges. A Server Operator can modify the Winlogon 'System' registry value to execute a payload (GetadmforSops.exe) that adds a user to the 'Domain Admins' group after a system reboot.

Description

Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4 - Server Operator to Administrator Privilege Escalation: System Key

Exploits (1)

exploitdb WORKING POC VERIFIED

by Mnemonix · clocalwindows

https://www.exploit-db.com/exploits/19145

View Code ZIP pw:eip

This exploit leverages a Windows registry ACL misconfiguration to escalate privileges. A Server Operator can modify the Winlogon 'System' registry value to execute a payload (GetadmforSops.exe) that adds a user to the 'Domain Admins' group after a system reboot.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows NT (pre-2000)

Auth required

Prerequisites: Server Operator privileges · Access to modify HKEY_Local_Machine registry key

MITRE ATT&CK

T1546.001 - Change Default File Association T1098 - Account Manipulation

devstral-2 · analyzed Feb 19, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026