Windows 11 bug disclosed by researcher unhappy with Microsoft bug bounties

Windows 11 Start Laptop Razerbook
Windows 11 Start Laptop Razerbook (Image credit: Daniel Rubino / Windows Central)

What you need to know

  • A researcher has publicly disclosed a zero-day local privilege elevation vulnerability in Windows.
  • The researcher disclosed the vulnerability due to frustration with Microsoft's decreasing payouts for bug bounties.
  • The vulnerability allows a Windows user with Standard privileges to open the command prompt with SYSTEM privileges.

A researcher publicly disclosed a zero-day local privilege elevation vulnerability in Windows 11, Windows 10, and Windows Server. The vulnerability allows a user with Standard privileges to open the command prompt with SYSTEM privileges. This access could be leveraged to spread malicious content throughout a network.

The vulnerability was reportedly publicly disclosed due to frustration with Microsoft's decreasing payouts for bug bounties. The researcher, Abdelhamid Naceri, told Bleeping Computer, "Microsoft bounties [have] been trashed since April 2020, I really wouldn't do that if MSFT didn't take the decision to downgrade those bounties."

This is a common complaint among bug hunters. Microsoft's payouts through its bug bounty program have gone down over the years in many instances.

Latest Videos From

Microsoft fixed an issue with its November 2021 Patch Tuesday updates, but a related vulnerability remained. Naceri found a bypass to the patch and a more powerful vulnerability. Naceri published a proof-of-concept exploit on GitHub. The GitHub page also explains the vulnerability in more depth.

Bleeping Computer tested the exploit, which proved to be able to gain SYSTEM privileges while on an account with Standard privileges.

A fix for this vulnerability is likely on the way from Microsoft, though the company has not commented on it at this point.

Sean Endicott
News Writer

Sean Endicott is a News Writer at Windows Central, where he covers Windows 11, Surface hardware, Microsoft 365, AI, apps, and the broader PC ecosystem. Since joining the site in 2017, he has written well over a thousand articles across the Microsoft landscape, covering breaking news, analysis, and feature reporting.

He writes Windows Wrap, a weekly column covering the biggest stories in Windows and the PC industry, and what they mean for the platform going forward.

Before joining Windows Central full-time, Sean worked in journalism and media production after earning a First Class degree in Broadcast Journalism from Nottingham Trent University. Outside of tech, he is an award-winning American football coach based in Nottingham, England, and was named BAFCA Youth Coach of the Year in 2024.