Microsoft confirms active exploitation of CVE-2026-21259 affecting multiple Windows versions. Attackers bypass authentication via crafted network packets.
Microsoft has issued an emergency security advisory for CVE-2026-21259, a critical remote code execution vulnerability actively exploited in the wild. This flaw affects all supported Windows Server editions and Windows 11/10 workstations. Attackers can trigger system compromises without authentication by sending malicious RPC packets to exposed systems.
The vulnerability carries a CVSS v3.1 score of 9.8 (Critical) due to low attack complexity and network-based exploit vectors. Microsoft's Security Response Center confirms observed exploitation attempts targeting financial and healthcare organizations. Unpatched systems allow complete takeover through specially crafted network requests.
Affected products include:
- Windows Server 2022 (all versions)
- Windows Server 2019
- Windows 11 versions 22H2/23H2
- Windows 10 versions 21H2/22H2
Immediate mitigation requires installing the July 2026 cumulative update via Windows Update or the Microsoft Update Catalog. Administrators should block TCP port 135 at network boundaries and enable Windows Defender Attack Surface Reduction rules. Microsoft recommends prioritizing patch deployment within 24 hours due to active exploitation.
Timeline:
- June 15, 2026: Vulnerability reported through Microsoft Security Vulnerability Research program
- July 8, 2026: Patch released in out-of-band security update
- July 9, 2026: Microsoft confirms in-the-wild attacks
Technical analysis reveals the flaw resides in the Remote Procedure Call runtime's improper validation of NDR data structures. Successful exploitation enables arbitrary code execution at SYSTEM privilege. Microsoft's Security Update Guide provides detailed mitigation guidance and IoC detection scripts.
Comments
Please log in or register to join the discussion