Microsoft addressed a critical security flaw (CVSS 9.1) affecting Windows Server 2025 and Azure Stack HCI versions 23H2 through 25H1 that could enable unauthenticated remote code execution.
Microsoft has released emergency patches for a critical remote code execution vulnerability (CVE-2026-21532) impacting multiple server products. The flaw received a CVSS v3.1 score of 9.1, indicating critical severity.
Affected Products:
- Windows Server 2025 (all editions)
- Azure Stack HCI versions 23H2 through 25H1
- Windows Admin Center build 2310 through 2405
Vulnerability Details: The vulnerability exists in the Remote Management Service (RMS) component. Attackers can exploit it by sending specially crafted RPC packets to TCP port 47001. Successful exploitation grants SYSTEM privileges without authentication. Microsoft observed limited targeted attacks prior to patch release.
Mitigation Steps:
- Apply updates immediately via Windows Update
- For systems that cannot patch immediately:
- Block TCP port 47001 at network perimeter
- Disable Remote Management Service via Group Policy
- Monitor for unexpected process creation from svchost.exe
Patch Information:
- KB5024567 for Windows Server 2025
- KB5024568 for Azure Stack HCI
- KB5024569 for Windows Admin Center
Timeline:
- 2026-01-15: Vulnerability reported to MSRC
- 2026-02-10: Patch development completed
- 2026-02-15: Security updates released
Microsoft recommends prioritizing patching of internet-facing servers. The Security Update Guide provides additional technical details. System administrators should review the MSRC advisory for complete mitigation guidance.
Detection: Microsoft Defender signatures 1.385.2678 and later detect exploitation attempts. Azure Sentinel users can import detection rules from the Microsoft Security GitHub.
Comments
Please log in or register to join the discussion