Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33694

CVE-2026-33694: Privilege Escalation Vulnerability

CVE-2026-33694 is a privilege escalation vulnerability that allows attackers to create junctions and delete files with SYSTEM privileges, potentially leading to arbitrary code execution with elevated rights.

Updated:

CVE-2026-33694 Overview

CVE-2026-33694 is a local privilege escalation vulnerability that allows an attacker to abuse Windows junctions to delete arbitrary files with NT AUTHORITY\SYSTEM privileges. The flaw is classified under CWE-59: Improper Link Resolution Before File Access (Link Following). An attacker with low-privileged local access can redirect a privileged file operation to a target of their choice. Successful exploitation can extend beyond file deletion to arbitrary code execution in the SYSTEM security context. The vulnerability is documented in Tenable security advisories TNS-2026-12 and TNS-2026-13.

Critical Impact

A local, low-privileged user can leverage a junction attack to delete arbitrary files as SYSTEM, potentially escalating to full SYSTEM-level code execution on the affected host.

Affected Products

Discovery Timeline

  • 2026-04-23 - CVE-2026-33694 published to NVD
  • 2026-04-24 - Last updated in NVD database

Technical Details for CVE-2026-33694

Vulnerability Analysis

The vulnerability is a link-following flaw [CWE-59] in a Windows component or service that runs as SYSTEM. The privileged process performs a file operation on a path that a local attacker can influence. Because the process resolves the path without validating that intermediate directories are not symbolic links or NTFS junctions, the attacker can redirect the operation to any file on the system. The result is an arbitrary file delete primitive executed with SYSTEM rights.

Arbitrary file deletion as SYSTEM is a well-known building block for full privilege escalation on modern Windows. Attackers chain the primitive with techniques that turn a delete into a write or DLL planting opportunity, ultimately yielding arbitrary code execution as SYSTEM. The flaw requires local access and user interaction with the privileged operation, but no prior administrative rights.

Root Cause

The root cause is improper link resolution before file access. The vulnerable code path opens or removes files inside a directory that an unprivileged user controls. The code does not use FILE_FLAG_OPEN_REPARSE_POINT semantics, impersonation, or path canonicalization to verify the final target. When the attacker replaces a subdirectory with an NTFS junction pointing elsewhere, the SYSTEM process follows the junction and operates on the attacker-chosen target.

Attack Vector

Exploitation is local. A standard user creates a working directory containing files the privileged process will act upon. Before the privileged operation completes, the attacker replaces a directory in the path with a junction that points to a sensitive location such as C:\Windows\System32. When the SYSTEM-level service performs the delete, it traverses the junction and removes the targeted file. The attacker repeats or chains this primitive to stage a writable DLL or configuration file that another SYSTEM process loads, yielding code execution.

No verified public proof-of-concept code is available at the time of writing. Refer to the Tenable Security Advisory TNS-2026-12 and Tenable Security Advisory TNS-2026-13 for vendor-supplied technical details.

Detection Methods for CVE-2026-33694

Indicators of Compromise

  • Creation of NTFS junctions or reparse points by non-administrative users under temporary or product-specific working directories.
  • Unexpected deletion of files in protected paths such as C:\Windows\System32 or vendor installation directories shortly after a privileged service operation.
  • Process activity from low-privileged users invoking mklink /J, CreateSymbolicLink, or DeviceIoControl with FSCTL_SET_REPARSE_POINT.

Detection Strategies

  • Monitor for reparse point creation events (Windows Event ID 4663 with WriteAttributes access on directories) followed by SYSTEM-level file deletions in unrelated paths.
  • Hunt for sequences where a non-privileged process and a SYSTEM service touch the same parent directory within a short time window.
  • Apply EDR behavioral rules that correlate junction creation in user-writable locations with subsequent privileged file operations.

Monitoring Recommendations

  • Enable Windows object access auditing on directories used by the affected product and on sensitive system paths.
  • Forward Sysmon FileCreate, FileDelete, and FileCreateStreamHash events to a centralized SIEM for correlation.
  • Track installation, update, and uninstall operations of the affected software for anomalous file deletions outside the product directory.

How to Mitigate CVE-2026-33694

Immediate Actions Required

  • Apply the vendor patches referenced in Tenable Security Advisory TNS-2026-12 and Tenable Security Advisory TNS-2026-13 as soon as they are available in your environment.
  • Restrict interactive and local logon rights on affected hosts to trusted administrators where possible.
  • Inventory systems running the affected Tenable components and prioritize patching on multi-user or shared workstations.

Patch Information

Vendor-supplied patches are described in Tenable Security Advisory TNS-2026-12 and Tenable Security Advisory TNS-2026-13. Administrators should consult these advisories for fixed versions and upgrade instructions, then validate the build number after deployment.

Workarounds

  • Remove or tightly restrict write access to working directories used by the privileged service so non-administrative users cannot place junctions there.
  • Block creation of reparse points by non-administrators using Group Policy or third-party tooling that strips the SeCreateSymbolicLinkPrivilege and audits FSCTL_SET_REPARSE_POINT.
  • Limit local logon to the affected host until patches are deployed, reducing the population of users who can stage the attack.
bash
# Audit and restrict reparse point creation on a Windows host
# Run from an elevated PowerShell prompt

# 1. Enable object access auditing for the affected directory
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Inspect existing junctions under a suspected working directory
Get-ChildItem -Path "C:\ProgramData\Vendor\Working" -Recurse -Force |
    Where-Object { $_.Attributes -match "ReparsePoint" }

# 3. Remove SeCreateSymbolicLinkPrivilege from standard users via
#    secpol.msc -> Local Policies -> User Rights Assignment
#    -> "Create symbolic links"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.