Microsoft has released critical security updates for multiple products addressing a remote code execution vulnerability with CVSS 9.8 severity rating.
Microsoft has issued critical security updates for multiple products addressing CVE-2026-45585, a remote code execution vulnerability with a CVSS score of 9.8. The vulnerability affects Windows operating systems, Microsoft Office, and Azure services.
Attackers could exploit this vulnerability without authentication to execute arbitrary code on affected systems. Successful exploitation could lead to complete system compromise. The vulnerability exists in how Microsoft software handles specially crafted files. When a user opens a malicious file, the vulnerability could allow remote code execution with the same privileges as the current user.
Microsoft has released security updates on Patch Tuesday, December 12, 2026. Organizations should prioritize applying these updates immediately.
Affected products include:
- Windows 10 (versions 1903, 1909, 2004, 20H2, 21H1, 21H2)
- Windows 11 (21H2, 22H2)
- Microsoft Office 2019, 2021, and Microsoft 365
- Azure Active Directory
- Azure DevOps Server
Mitigation steps:
- Apply the security updates immediately from the Microsoft Security Update Guide
- For systems unable to be patched immediately, implement workarounds:
- Disable the affected components in Microsoft Office
- Block access to untrusted file sources
- Use application control policies to prevent execution of untrusted applications
- Monitor for exploitation attempts using Microsoft Defender for Endpoint
Microsoft has not observed any active exploitation of this vulnerability in the wild. However, the severity rating indicates that exploitation could occur once details are publicly available.
Organizations should review their patch management processes to ensure timely application of security updates. The vulnerability was discovered by Microsoft's internal security team and reported through their MSRC program.
Additional resources:
- Microsoft Security Advisory
- Patch Tuesday documentation
- CISA KEV Catalog for potential inclusion
Comments
Please log in or register to join the discussion