
Critical Microsoft Vulnerability CVE-2026-40622 Allows Remote Code Execution

Vulnerabilities Reporter
1 min read

Microsoft has released security updates for a critical vulnerability affecting multiple Windows versions that could allow attackers to execute arbitrary code with system privileges.

Microsoft has addressed CVE-2026-40622, a vulnerability in the Windows operating system that could allow a remote attacker to execute arbitrary code. Microsoft rates the vulnerability Critical; its CVSS base score is 8.8, which falls in the High band of the CVSS scale.

The flaw exists in the Windows Graphics Component. An attacker who successfully exploits it can take control of the affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights.

Affected Products:

  • Windows 10 Version 21H2 and earlier
  • Windows 11 Version 22H2 and earlier
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016

Microsoft released the fix as part of the October 2023 security updates. Administrators should apply these updates immediately.

Mitigation Steps:

  1. Apply the security updates provided by Microsoft immediately
  2. Enable automatic updates on all systems
  3. If systems cannot be updated immediately, deploy compensating controls:
    • Enable Exploit Protection, the built-in successor to the retired Enhanced Mitigation Experience Toolkit (EMET), on Windows 10 and later
    • Configure Windows Defender Application Control (WDAC) to block untrusted applications
    • Restrict network access to affected systems from untrusted sources
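The following PowerShell script is an added example, not part of the advisory or of Microsoft's guidance. It checks a host against the mitigation steps above: whether the required update is installed, whether automatic updates are configured, whether system-wide Exploit Protection mitigations are on, and whether a WDAC user-mode policy is enforced. The article does not name the KB that fixes CVE-2026-40622, so the KB list is a parameter with a placeholder value; replace it with the KB IDs from the Microsoft Security Update Guide for each Windows build you run. Run it in an elevated PowerShell session on Windows 10 or later.

```powershell
# Added example (not from the advisory): mitigation readiness check for one host.
[CmdletBinding()]
param(
    # Placeholder: the article does not name the KB for CVE-2026-40622.
    # Look it up in the Security Update Guide for your build and pass it in.
    [string[]] $RequiredKB = @('KB0000000')
)

function Get-PatchStatus {
    param([string[]] $Required)
    # Get-HotFix lists installed updates by their KB identifier.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Required) {
        [pscustomobject]@{
            Check  = "Update $kb"
            Status = $(if ($installed -contains $kb) { 'OK' } else { 'MISSING' })
        }
    }
}

function Get-AutoUpdateStatus {
    # The policy key (GPO) takes precedence over the local setting when present.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $opt = $null
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name AUOptions -ErrorAction SilentlyContinue
        if ($v) { $opt = $v.AUOptions; break }
    }
    # AUOptions 4 = download and install on schedule; 3 = download, notify to install.
    [pscustomobject]@{
        Check  = 'Automatic updates'
        Status = $(if ($opt -in 3, 4) { 'OK' }
                   elseif ($null -eq $opt) { 'NOT CONFIGURED' }
                   else { "AUOptions=$opt" })
    }
}

function Get-ExploitProtectionStatus {
    # System-wide Exploit Protection settings (the successor to EMET).
    $m = Get-ProcessMitigation -System
    [pscustomobject]@{
        Check  = 'Exploit Protection: DEP'
        Status = $(if ($m.DEP.Enable -eq 'ON') { 'OK' } else { "DEP=$($m.DEP.Enable)" })
    }
    [pscustomobject]@{
        Check  = 'Exploit Protection: bottom-up ASLR'
        Status = $(if ($m.ASLR.BottomUp -eq 'ON') { 'OK' } else { "BottomUp=$($m.ASLR.BottomUp)" })
    }
}

function Get-WdacStatus {
    # Win32_DeviceGuard reports the user-mode code integrity policy state:
    # 0 = off, 1 = audit mode, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $umci = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    [pscustomobject]@{
        Check  = 'WDAC user-mode policy'
        Status = $(switch ($umci) { 2 { 'OK (enforced)' } 1 { 'AUDIT ONLY' } default { 'NOT ENABLED' } })
    }
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
"Host: $env:COMPUTERNAME  OS: $($os.Caption) build $($os.BuildNumber)"
@(Get-PatchStatus -Required $RequiredKB) +
@(Get-AutoUpdateStatus) +
@(Get-ExploitProtectionStatus) +
@(Get-WdacStatus) | Format-Table -AutoSize
```

A row reading MISSING, NOT CONFIGURED, AUDIT ONLY or NOT ENABLED marks a step from the list that still needs attention. The WDAC check only confirms that some user-mode policy is enforced; it does not inspect the policy's rules, so a host can pass it while still allowing the untrusted applications the step is meant to block.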

Timeline:

  • Vulnerability discovered: August 2023
  • Microsoft notified: September 2023
  • Patch released: October 10, 2023
  • Public disclosure: October 17, 2023

According to Microsoft's security advisory, "Exploitation of this vulnerability could allow an attacker to run arbitrary code in the security context of the LocalSystem account. An attacker who successfully exploited the vulnerability could take control of an affected system."

The vulnerability is particularly concerning for enterprise environments: code running as LocalSystem on one host gives an attacker a strong foothold for lateral movement once initial access is gained. Organizations should prioritize patching systems that are exposed to untrusted networks.

For more information, refer to Microsoft's Security Advisory CVE-2026-40622 and the October 2023 Security Updates.
