Microsoft warns of a critical security flaw (CVE-2026-0904) in multiple Windows versions enabling unauthenticated attackers to execute arbitrary code remotely.
Microsoft has issued an urgent security advisory for CVE-2026-0904, a critical vulnerability in Windows Remote Procedure Call (RPC) services. This flaw enables unauthenticated attackers to remotely execute malicious code on affected systems without user interaction. Successful exploitation could lead to complete system compromise.
Affected Products and Versions
- Windows 10 versions 22H2 and earlier
- Windows 11 versions 23H2 and earlier
- Windows Server 2022
- Windows Server 2019 Systems without recent security updates are vulnerable. Microsoft confirms no workarounds exist.
Technical Severity
CVSS v3.1 Score: 9.8 (Critical) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H This network-based vulnerability requires no privileges or user interaction. Attack complexity is low, making exploitation highly probable.
Mitigation Requirements
Apply Microsoft's security updates immediately:
- Install KB5034441 for Windows 10 via Windows Update
- Install KB5034440 for Windows 11 and Server 2022
- Verify update installation with
winvercommand System administrators should prioritize patching internet-facing Windows servers and endpoints. Microsoft Defender for Endpoint detects exploitation attempts.
Timeline
- Vulnerability discovered: 2026-01-15 by Microsoft Threat Intelligence
- Patch released: 2026-02-13 (Patch Tuesday)
- No known active exploits currently
Microsoft's Security Update Guide provides detection and deployment tools. Unpatched systems must be considered at immediate risk.
Comments
Please log in or register to join the discussion