Positive Technologies assists in fixing Windows Server vulnerability posing risk to enterprise environments

Microsoft has released a patch addressing a zero-day vulnerability discovered by PT SWARM researcher Sergey Bliznyuk in Windows Server. If exploited, the vulnerability could allow arbitrary code execution on telephony servers and enable lateral movement across the network, providing a foothold for large-scale, sophisticated attacks. Successful exploitation could compromise internal systems, enable theft of confidential data, and disrupt business operations at affected organizations.

Windows client editions power desktop PCs, workstations, tablets, and laptops, while Windows Server is built to run background services and applications. Organizations rely on Windows Server for file storage, databases, virtualization, Active Directory Domain Services, and secure remote access. In Russia, Windows across both client and server deployments continues to account for up to 99% of enterprise environments and up to 50% of government environments.
The PT-2026-27341[1] vulnerability (CVE-2026-20931) in the Windows Telephony service (TapiSrv) has a high severity rating with a CVSS v3.1 score of 8.0. TapiSrv is preinstalled across both Windows client and Windows Server families and enables applications to interface with telephony systems such as landline phones, modems, and VoIP[2] platforms. The vulnerability affects 35 operating system versions,[3] including current releases (Windows Server 2025, Windows Server 2022, and Windows Server 2019), as well as older versions (Windows Server 2008 and Windows Server 2012). Microsoft was notified through responsible disclosure and has published security updates. For organizations that cannot immediately apply patches, Positive Technologies recommends promptly disabling server mode where the telephony service is not actually used.

Successful exploitation would require the attacker to acquire a low-privileged domain account, for example by compromising any employee's credentials, and to gain initial access to the organization's internal network. The attack would also require the Telephony service to be unpatched and running in server mode in the target environment.

TapiSrv is typically enabled only in corporate networks. Home devices are not at risk, even if the service appears in a user's program list, the Positive Technologies researcher notes. Server mode is also rarely used today. Although Microsoft's list of affected operating systems ranges from Windows Server 2008 through 2025, TapiSrv is disabled by default after installation and must be explicitly configured by an administrator to run in server mode.
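Because exploitation requires TapiSrv to be running in server mode on an unpatched host, a defender's first step is to find which hosts run the service at all. The following PowerShell inventory is an added example, not code from the article, Positive Technologies, or Microsoft; the host names are constructed, and the script reads only the service state and OS edition (server-mode configuration itself is not read here and must be confirmed on each flagged host).

```powershell
# Added example (not from the article): find hosts where TapiSrv is running,
# the precondition for CVE-2026-20931 described in the text above.
# Server-mode configuration is not read here; confirm it on any host flagged
# by this script before deciding whether to disable server mode.
function Get-TapiSrvExposure {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($name in $ComputerName) {
        try {
            $os  = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='TapiSrv'" -ComputerName $name -ErrorAction Stop
        } catch {
            Write-Warning "$name : $($_.Exception.Message)"
            continue
        }
        # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
        $isServer = $os.ProductType -in @(2, 3)
        [pscustomobject]@{
            ComputerName  = $name
            OS            = $os.Caption
            ServerEdition = $isServer
            TapiSrvState  = if ($svc) { $svc.State } else { 'not installed' }
            StartMode     = if ($svc) { $svc.StartMode } else { 'n/a' }
            # A running TapiSrv on a server edition is where server mode could be configured
            ReviewNeeded  = [bool]($isServer -and $svc -and $svc.State -eq 'Running')
        }
    }
}

# Usage: scan a constructed list of hosts and list the ones that need review.
Get-TapiSrvExposure -ComputerName 'srv-files-01', 'srv-db-01', 'dc-01' |
    Where-Object ReviewNeeded |
    Format-Table ComputerName, OS, TapiSrvState, StartMode -AutoSize
```

Hosts reported with ReviewNeeded set should be checked for the Microsoft update and, where telephony is not in use, have server mode disabled as the article recommends.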

[1] The security vulnerability has been registered on the dbugs portal, which aggregates data on vulnerabilities in software and hardware from vendors around the world.

[2] Technology for delivering voice calls over IP networks, rather than through traditional telephone lines.

[3] For the complete list of affected systems, please refer to the Microsoft security advisory.

"Organizations running the service in an insecure configuration may become easy targets unless they promptly apply Microsoft's updates or implement compensating controls. In the best case, exploitation would only cause a telephony outage. In the worst case, attackers could cause significant financial and reputational harm to organizations. Prior to the fix, the vulnerability could enable persistence and lateral movement within the server segment of an internal network. From there, an attacker could escalate to domain-wide privileges and potentially encrypt or irreversibly delete critical data, exfiltrate employee or customer personal information, and steal trade secrets, that is, any digital assets the company relies on."

Sergey Bliznyuk, Senior Penetration Testing Specialist at Positive Technologies

Positive Technologies researchers frequently identify security flaws in Microsoft solutions and assist in fixing them. Positive Technologies has worked with Microsoft since 2012, and together they have resolved 12 security issues to date.

To identify attacks that could leverage similar vulnerabilities, organizations should deploy a vulnerability management platform such as MaxPatrol VM. Advanced NTA and NDR solutions like PT Network Attack Discovery detect exploitation attempts, while NGFW solutions such as PT NGFW block them. To spot and contain post-exploitation activity, use MaxPatrol SIEM together with an endpoint detection and response solution such as MaxPatrol EDR. When malicious activity is detected, these products alert MaxPatrol SIEM and stop the attack from progressing.

For up-to-date security information, visit the dbugs portal, which aggregates vulnerability data and remediation recommendations for software and hardware from vendors around the world.