Microsoft CVE-2026-20805 and chained CVE-2026-20871 reportedly exploited in the wild
BLUF
CVE-2026-20805 is a locally exploitable information disclosure vulnerability in the Windows Desktop Window Manager (DWM) component that an authenticated attacker can leverage to read specific memory addresses. It has been actively exploited in the wild as a zero-day vulnerability.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by active exploitation of chained Microsoft Windows DWM vulnerabilities enabling information disclosure and local privilege escalation:
· Low-end total cost: $250K – $750K
o (single endpoint exposure, rapid detection, no confirmed lateral movement)
· Typical expected range: $1.2M – $3.5M
o (multiple affected workstations, partial privilege escalation, IR-led remediation)
· Upper-bound realistic scenarios: $5M – $9M
o (enterprise-wide exposure window, credential reuse risk, extended response and audits)
Key Cost Drivers
· Number of endpoints requiring forensic review and reimaging
· Time-to-detection before patching and containment
· Evidence of credential exposure or secondary privilege escalation
· External incident response and legal advisory hours
· Regulatory reporting thresholds triggered by data access risk
Targeted Sectors
· No specific sector targeting has been publicly identified in open-source reporting.
Potential Targeted Countries
· Global
Date of First Reported Activity
· January 13, 2026
Date of Last Reported Activity Update
· January 13, 2026
CVE-2026-20805
Desktop Window Manager Information Disclosure Vulnerability.
CVSS 3.1 Vector
· (5.5) AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Nessus ID
· Not in Tenable at this time.
Is CVE-2026-20805 on the KEV list
· Yes
What is the CISA patch by date?
· February 03, 2026
URL to patch information for CVE-2026-20805
· hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20805
CVE-2026-20871
Privilege Escalation vulnerability in DWM
CVSS 3.1 Vector
· (7.8) AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Nessus ID
· Not in Tenable at this time.
Is CVE-2026-20871 on the KEV list
· No
What is the CISA patch by date?
· CVE-2026-20871 is not on the KEV list at this time.
URL to patch information for CVE-2026-20871
· hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20871
APT Names
· No APT groups publicly attributed at this time.
Associated Criminal Organization Names
· No criminal groups have been publicly attributed at this time.
IOCs
Process Anomalies
Monitor for unusual child processes spawning from dwm.exe or crashes of the Desktop Window Manager service that do not result from hardware driver failures.
Privilege Escalation Attempts
Information disclosure vulnerabilities are frequently used to leak memory addresses to bypass Address Space Layout Randomization (ASLR), facilitating further privilege escalation.
System Event Logs
Check for frequent re-initialization of the Desktop Window Manager service in the Windows System Log (Event ID 9009), which may indicate exploitation attempts or service instability.
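The two host-side indicators above (Event ID 9009 re-initialisations and unexpected child processes of dwm.exe) can be checked on a single endpoint with the following PowerShell script. This is an added hunting example written for this page, not detection content from Microsoft or CISA. It assumes Windows 10/11, PowerShell 5.1 or later run from an elevated prompt, and Sysmon installed with process-creation logging (Sysmon Event ID 1); the lookback window and the restart threshold are assumed starting points to tune per environment.

```powershell
# Added hunting example for the DWM indicators listed above (not from the advisory).
# Assumptions: Windows 10/11, elevated PowerShell 5.1+, Sysmon with Event ID 1 enabled.
# $LookbackHours and $RestartThreshold are assumed tuning values, not published thresholds.
param(
    [int]$LookbackHours    = 24,
    [int]$RestartThreshold = 3
)
$since = (Get-Date).AddHours(-$LookbackHours)

# --- 1. DWM exit / re-initialisation: Windows System log, Event ID 9009 --------
$restarts = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 9009; StartTime = $since
} -ErrorAction SilentlyContinue

if ($restarts) {
    $count = @($restarts).Count
    # 9009 also fires on normal session teardown, so count rather than alert on each one
    $flag = if ($count -gt $RestartThreshold) { 'REVIEW' } else { 'info' }
    Write-Output ("[{0}] {1} DWM exit events (ID 9009) in the last {2}h" -f $flag, $count, $LookbackHours)
    $restarts | Select-Object TimeCreated, Message | Format-Table -AutoSize -Wrap
} else {
    Write-Output "[ok] No Event ID 9009 entries in the window"
}

# --- 2. Child processes of dwm.exe: Sysmon Operational log, Event ID 1 ---------
$sysmon = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
} -ErrorAction SilentlyContinue

$children = foreach ($e in $sysmon) {
    # Sysmon stores its fields as <Data Name="...">value</Data>; flatten them to a hashtable
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ParentImage -and $d.ParentImage.ToLower().EndsWith('\dwm.exe')) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Parent      = $d.ParentImage
            Child       = $d.Image
            CommandLine = $d.CommandLine
            User        = $d.User
        }
    }
}

if ($children) {
    Write-Output "[REVIEW] Processes spawned by dwm.exe (dwm.exe is not expected to launch children):"
    $children | Format-Table -AutoSize -Wrap
} elseif ($sysmon) {
    Write-Output "[ok] No child processes of dwm.exe in Sysmon Event ID 1 over the window"
} else {
    Write-Output "[warn] No Sysmon process-creation events found; confirm Sysmon is installed and logging"
}
```

Run it as `.\Hunt-Dwm.ps1 -LookbackHours 72` after patching to review the exposure window. Any child of dwm.exe is worth a look regardless of count, whereas 9009 is only interesting in volume or when it clusters around the same user session and is not explained by a display driver reset.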
Tools used in campaign
· No specific tools have been publicly disclosed at this time.
TTPs
Initial Access & Execution
· T1068 Exploitation for Privilege Escalation
· Adversaries use this vulnerability to bypass memory protections within the Desktop Window Manager to access sensitive data.
· T1203: Exploitation for Client Execution
· Because DWM is a core Windows service, exploitation often occurs through specifically crafted application interactions that trigger the vulnerability during graphical rendering.
Discovery & Information Disclosure
· T1082: System Information Discovery
· The primary impact of this CVE is information disclosure. Attackers exploit it to leak memory contents, which can include cryptographic keys, credentials, or pointers needed to bypass other security features like ASLR (Address Space Layout Randomization).
· T1012: Query Registry
· Attackers may use this technique in conjunction with the vulnerability to identify system versions and configurations that are specifically vulnerable to this exploit.
Privilege Escalation
· T1055: Process Injection
Malware Names
· No specific malware name has been associated with CVE-2026-20805 at this time.
Malware Sample
· Not applicable at this time
Suggested rules / potential hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results consider creating a data model and reviewing the traffic as a report.
Suricata
Detect potential XXE payloads in file uploads to ISE
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco ISE XXE Information Disclosure (CVE-2026-20029)"; flow:established,to_server; content:"POST"; http_method; content:"/admin/"; http_uri; content:"<!ENTITY"; http_client_body; content:"SYSTEM"; http_client_body; reference:cve,2026-20029; classtype:web-application-attack; sid:1000001; rev:1;)
SentinelOne
Monitor for the web server process (e.g., tomcat or java) accessing sensitive system files like /etc/passwd.
ProcessName = "java" AND (FilePath ~= "/etc/.*" OR FilePath ~= "/root/.*") AND User = "iseadmin"
Monitor for abnormal file writes: Look for XML files uploaded to temp or licensing directories by administrative accounts.
Splunk
Search for HTTP 200/OK responses to licensing-related endpoints that include large or unusual data transfers immediately following a file upload.
index=cisco_ise sourcetype="cisco:ise:syslog"
| search url="*/admin/licensing*" http_method="POST"
| stats count by src_ip, user, url
If OS logs are ingested via a Splunk Universal Forwarder on the ISE appliance, look for access to sensitive paths triggered by the web server service account.
index=os_logs (path="/etc/passwd" OR path="/etc/shadow")
| where process_name="java" OR process_name="httpd"
| table _time, host, user, path, process_name
Delivery Method
· This is part of a chained attack.
o The initial access vector is not known.
Email Samples
· Not applicable, as these are locally exploited vulnerabilities.
References
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2026-20805
· hxxps://nvd.nist.gov/vuln/detail/CVE-2026-20871
Microsoft
· hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20805
· hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20871
CISA
· hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20805