Microsoft has issued an emergency security update for CVE-2026-28387, a critical Windows vulnerability that allows unauthenticated remote code execution.
The out-of-band update addresses a flaw in the Windows RPC runtime that affects Windows 10 version 1809 through Windows 11 version 24H2 and carries a CVSS score of 9.8 out of 10, putting enterprise and consumer environments alike at severe risk. An attacker can exploit it over the network without authentication or user interaction and execute arbitrary code with system-level privileges.
Technical Details
The flaw is in the Windows Remote Procedure Call (RPC) runtime library (rpcrt4.dll). Improper input validation in the RPC endpoint mapper, the service that listens on TCP port 135, lets a specially crafted packet trigger a buffer overflow. The overflow corrupts memory structures and can be turned into execution of an attacker-supplied payload, so any host whose endpoint mapper is reachable from an untrusted network is exposed.
Microsoft's security advisory confirms the vulnerability is being exploited in the wild. Threat actors have been observed targeting unpatched systems over the network, with initial reports indicating exploitation attempts from multiple IP ranges in Eastern Europe and Southeast Asia.
Affected Products
- Windows 10 (all supported versions)
- Windows 11 (all supported versions)
- Windows Server 2019 and 2022
- Windows Server 2025 (Preview builds)
- Windows IoT Core
Mitigation Steps
Administrators should immediately:
- Apply the security update released April 15, 2026
- Enable automatic updates if not already configured
- Review Windows Firewall rules so that inbound TCP port 135 (the endpoint mapper) and the dynamic RPC port range (49152-65535 by default) are reachable only from trusted management hosts
- Monitor firewall and network logs for endpoint mapper connections from sources outside those trusted ranges
The update can be deployed through Windows Update, WSUS, or Microsoft Intune (formerly Microsoft Endpoint Manager). Microsoft recommends prioritizing internet-facing systems and critical infrastructure.
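As an added example, not code from the article or from Microsoft, the following PowerShell script walks a single host through the four steps above: it checks whether the update is present, whether automatic updates are disabled by policy, scopes the firewall rules that admit endpoint mapper traffic to trusted subnets, and summarises recent inbound TCP/135 connections from the Security log. The KB number and the trusted subnets are placeholders; take the real KB number from Microsoft's advisory.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article or from Microsoft: walks one host through the
# four mitigation steps. $PatchKB and $TrustedSubnets are placeholders; take the real
# KB number from Microsoft's advisory.
param(
    [string]   $PatchKB        = 'KB0000000',                        # placeholder KB number
    [string[]] $TrustedSubnets = @('10.0.10.0/24', '10.0.20.0/24')   # placeholder management networks
)

# 1. Is the out-of-band update installed?
$patch = Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue
if ($patch) { "[OK]   $PatchKB installed on $($patch.InstalledOn)" }
else        { "[WARN] $PatchKB not installed; the steps below only narrow exposure" }

# 2. Is automatic updating switched off by policy? (NoAutoUpdate = 1 under the WU policy key)
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAuto = (Get-ItemProperty -Path $au -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
if ($noAuto -eq 1) { "[WARN] automatic updates disabled by policy at $au" }
else               { "[OK]   automatic updates not disabled by policy" }

# 3. Firewall. Windows Firewall has no "allow except" syntax: an explicit Block rule always
#    beats an Allow rule, so the usual pattern is a Block default for the profile plus Allow
#    rules scoped to trusted sources. Report profiles whose default is not Block, then scope
#    every enabled inbound Allow rule for the endpoint mapper (TCP/135; built-in rules use the
#    RPCEPMap keyword) to the trusted subnets. Rules delivered by Group Policy cannot be
#    changed locally and will raise an error here; fix those in the GPO instead.
Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' } |
    ForEach-Object { "[WARN] profile $($_.Name): default inbound action is $($_.DefaultInboundAction)" }

$epmapRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '135' -or $_.LocalPort -contains 'RPCEPMap') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

foreach ($rule in $epmapRules) {
    $scope = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($scope -contains 'Any') {
        "[FIX]  '$($rule.DisplayName)' allowed TCP/135 from Any; scoping to $($TrustedSubnets -join ', ')"
        $rule | Set-NetFirewallRule -RemoteAddress $TrustedSubnets
    } else {
        "[OK]   '$($rule.DisplayName)' already scoped to $($scope -join ', ')"
    }
}

# 4. Monitoring. Security event 5156 ("the Windows Filtering Platform has permitted a
#    connection") is logged for every accepted connection once this audit subcategory is on:
#        auditpol /set /subcategory:"Filtering Platform Connection" /success:enable
#    Summarise inbound TCP/135 connections from the last 24 hours by remote address; anything
#    outside the management networks is a candidate for investigation.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = (Get-Date).AddHours(-24) } `
                       -ErrorAction SilentlyContinue
$inbound = foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # In 5156, Protocol 6 is TCP and Direction %%14592 is Inbound; SourceAddress is then the remote peer
    if ($d.DestPort -eq '135' -and $d.Protocol -eq '6' -and $d.Direction -eq '%%14592') {
        [pscustomobject]@{ Time = $e.TimeCreated; Remote = $d.SourceAddress; Process = $d.Application }
    }
}
$inbound | Group-Object Remote | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'RemoteAddress'; e = { $_.Name } } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each host; the firewall step changes rules, so review the `[FIX]` lines first or run with the loop body commented out on a pilot machine. The script scopes only the endpoint mapper port; the dynamic RPC range is left to the profile's default inbound action, which is why the profile check comes first.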
Timeline
- April 12, 2026: Microsoft received initial vulnerability report
- April 13, 2026: Proof-of-concept code circulated on underground forums
- April 14, 2026: Microsoft confirmed active exploitation
- April 15, 2026: Emergency patch released outside normal Patch Tuesday cycle
Additional Resources
Organizations that cannot patch immediately should segment the network and restrict RPC access (TCP port 135 and the dynamic port range) to trusted endpoints only. Microsoft has also released temporary registry-based mitigations that reduce the attack surface while updates are deployed; treat them as a stopgap rather than a substitute for the update, and remove them once it is installed.
This marks the third critical Windows vulnerability requiring out-of-band patching in 2026, highlighting the increasing sophistication of remote exploitation techniques targeting enterprise infrastructure.