Microsoft has identified a critical vulnerability affecting multiple products that could allow remote code execution. Organizations must apply patches immediately.
Microsoft has released security updates addressing a critical vulnerability affecting multiple products. The vulnerability, tracked as CVE-2026-31605, carries a CVSS score of 9.8 and could allow attackers to execute arbitrary code with system privileges.
Affected Products:
- Windows 10 (versions 21H2, 22H2)
- Windows 11 (version 23H2)
- Microsoft Office 2021
- Microsoft 365 Apps for Enterprise
- Azure DevOps Server 2022
The vulnerability exists in the way Microsoft Windows handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system.
Microsoft has confirmed that this vulnerability is being exploited in the wild. Exploitation is limited in scope, but organizations should treat this as critical due to the potential impact.
Mitigation Steps:
- Apply the security updates immediately
- For systems that cannot be patched immediately, implement the workarounds:
- Disable the affected services via Group Policy
- Implement network segmentation to limit access to vulnerable systems
- Monitor for suspicious activity related to exploitation attempts
Timeline:
- Release Date: January 9, 2026
- Next Security Tuesday: February 13, 2026
- Support for affected versions will continue until the next monthly security release
For detailed information about the vulnerability, refer to the Microsoft Security Update Guide. Additional information is available in the Microsoft Security Response Center blog.
Organizations should prioritize patching systems exposed to the internet. The vulnerability can be exploited without authentication, making internet-facing systems particularly vulnerable.
Microsoft has not provided any indication of a known workaround beyond the temporary measures mentioned. Full resolution requires installation of the security updates.
Comments
Please log in or register to join the discussion