Microsoft has identified a critical security vulnerability (CVE-2026-21519) with a CVSS score of 9.8, affecting multiple Windows versions and Office products. Immediate patching required.
Microsoft has issued an urgent security advisory regarding CVE-2026-21519, a critical vulnerability affecting multiple Microsoft products with a CVSS v3.1 base score of 9.8 (Critical). The vulnerability allows remote code execution without authentication, posing severe risks to enterprise and consumer systems.
The flaw exists in the Windows Remote Procedure Call (RPC) service, enabling attackers to execute arbitrary code on vulnerable systems. Microsoft reports active exploitation attempts in the wild, making immediate action essential.
Affected Products and Versions
- Windows 10 (all versions prior to KB5025239)
- Windows 11 (all versions prior to KB5025240)
- Windows Server 2019 and 2022
- Microsoft Office 2019 and Microsoft 365 Apps for enterprise
- Exchange Server 2019 and 2022
CVSS Metrics
- Base Score: 9.8 (Critical)
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Impact: Complete compromise of confidentiality, integrity, and availability
Mitigation Steps
- Apply security updates immediately through Windows Update
- For enterprise environments, deploy via WSUS or Configuration Manager
- Enable automatic updates if not already configured
- Monitor network traffic for suspicious RPC activity
- Consider temporarily disabling RPC services if patching cannot be performed immediately
Timeline
- Vulnerability discovered: March 15, 2026
- Microsoft notified: March 16, 2026
- Patch development completed: March 20, 2026
- Public disclosure: March 21, 2026
- First exploitation reports: March 22, 2026
Additional Resources
Microsoft recommends that organizations prioritize this update above all others and conduct immediate vulnerability assessments. The company has observed sophisticated threat actors incorporating this exploit into their toolkits, targeting unpatched systems and attempting to bypass existing security controls.
Organizations unable to patch immediately should implement network segmentation and monitor for indicators of compromise, including unusual RPC traffic patterns and unexpected system behavior.