Microsoft has issued an emergency security advisory for a critical Windows vulnerability that allows remote code execution without authentication.
Microsoft has released an emergency security advisory for CVE-2026-23237, a critical vulnerability affecting Windows operating systems that allows remote attackers to execute arbitrary code without authentication. The vulnerability affects Windows 10 version 1809 through Windows 11 version 24H2, with a CVSS v4 base score of 9.8 out of 10.
The vulnerability exists in the Windows Remote Procedure Call (RPC) service, specifically in how it handles malformed network packets. Attackers can exploit this flaw by sending specially crafted RPC requests to vulnerable systems on port 135, potentially gaining SYSTEM-level privileges without requiring any user interaction or credentials.
Microsoft has confirmed active exploitation in the wild, with initial reports indicating targeted attacks against enterprise networks. The company observed exploitation attempts originating from multiple IP addresses across Eastern Europe and Southeast Asia, suggesting coordinated cybercriminal activity.
Affected systems include:
- Windows 10 versions 1809, 1903, 1909, 2004, 20H2, 21H1, 21H2, 22H2
- Windows 11 versions 21H2, 22H2, 23H2, 24H2
- Windows Server 2019, 2022, 2025
- Windows Server IoT 2019, 2022
Microsoft has released emergency out-of-band security updates through Windows Update and the Microsoft Update Catalog. Organizations are strongly advised to prioritize patching systems exposed to untrusted networks. For systems that cannot be immediately updated, Microsoft recommends blocking inbound connections to port 135 at network boundaries and implementing additional monitoring for suspicious RPC traffic.
The vulnerability was discovered by researchers at CrowdStrike during routine security assessments. Microsoft coordinated with affected parties before public disclosure, following standard responsible disclosure practices. The company credits the discovery to John Doe of CrowdStrike's vulnerability research team.
Organizations should verify patch deployment using Microsoft's built-in security baseline tools or third-party patch management solutions. Microsoft Defender Antivirus and Microsoft Defender for Endpoint will detect and block known exploitation attempts, though patching remains the primary mitigation.
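The following PowerShell script is an added example, not part of the advisory or of any Microsoft tooling. It puts the three defensive steps described above (verify the out-of-band update is installed, look for inbound RPC endpoint mapper sessions from outside the organisation, and apply a host-level backstop for the boundary block on port 135) into runnable form. It assumes an elevated session on Windows 10/11 or Windows Server 2019 or later; the KB id is a placeholder because the advisory does not state one, and the "internal" ranges are the RFC 1918 and ULA blocks plus loopback, which you should adjust for your own address plan.

```powershell
# Added example, not from the advisory. Interim triage helpers for the
# mitigations described above. Run in an elevated PowerShell session on
# Windows 10/11 or Windows Server 2019+.
#
# ASSUMPTIONS: the KB id below is a PLACEHOLDER (take the real one from the
# Microsoft Update Catalog entry for CVE-2026-23237), and "internal" means the
# RFC 1918 / ULA blocks plus loopback; adjust both for your estate.

$OobKb          = 'KB0000000'   # PLACEHOLDER for the out-of-band update
$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
                    '127.0.0.0/8', '::1/128', 'fc00::/7')

# True when an IPv4/IPv6 address falls inside a CIDR block (byte-wise mask).
function Test-InCidr {
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    try { $ip = [System.Net.IPAddress]::Parse($Address) } catch { return $false }
    $netIp = [System.Net.IPAddress]::Parse($net)
    if ($ip.AddressFamily -ne $netIp.AddressFamily) { return $false }
    $ipBytes  = $ip.GetAddressBytes()
    $netBytes = $netIp.GetAddressBytes()
    # A bare address with no "/len" is treated as a single-host block.
    $remaining = if ($bits) { [int]$bits } else { 8 * $netBytes.Length }
    for ($i = 0; $i -lt $ipBytes.Length -and $remaining -gt 0; $i++) {
        $maskBits = [Math]::Min(8, $remaining)
        $mask = (0xFF -shl (8 - $maskBits)) -band 0xFF
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
        $remaining -= 8
    }
    return $true
}

# 1. Patch verification: Get-HotFix lists installed updates; no entry for the
#    out-of-band KB means the host is still exposed and should be patched first.
function Test-OobPatchInstalled {
    param([string]$KbId = $OobKb)
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

# 2. Point-in-time monitoring: established inbound sessions to the RPC
#    endpoint mapper (TCP 135) whose peer is outside the internal ranges.
#    A host that should only be reachable from inside should return nothing;
#    anything listed deserves an incident-response look.
function Get-ExternalRpcConnections {
    Get-NetTCPConnection -LocalPort 135 -State Established -ErrorAction SilentlyContinue |
        Where-Object {
            $remote = $_.RemoteAddress
            -not ($InternalRanges | Where-Object { Test-InCidr -Address $remote -Cidr $_ })
        } |
        Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess,
            @{ Name = 'Process'
               Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } }
}

# 3. Host-level backstop for the boundary block the advisory recommends:
#    drop inbound TCP 135 from every public IPv4 range, leaving RFC 1918 and
#    loopback untouched. Do NOT block 135 unconditionally on domain-joined
#    hosts: Active Directory, DCOM and WMI all depend on the endpoint mapper.
function Add-RpcBoundaryBlockRule {
    $publicV4 = @(
        '1.0.0.0-9.255.255.255',
        '11.0.0.0-126.255.255.255',
        '128.0.0.0-172.15.255.255',
        '172.32.0.0-192.167.255.255',
        '192.169.0.0-223.255.255.255'
    )
    New-NetFirewallRule -DisplayName 'Block external inbound RPC endpoint mapper (interim)' `
        -Direction Inbound -Protocol TCP -LocalPort 135 `
        -RemoteAddress $publicV4 -Action Block -Profile Any
}

# Usage: apply the interim block only where the update is still missing,
# then list any external RPC sessions for the responders.
if (-not (Test-OobPatchInstalled)) {
    Write-Warning "Out-of-band update $OobKb not installed; applying interim firewall block."
    Add-RpcBoundaryBlockRule | Out-Null
}
Get-ExternalRpcConnections | Format-Table -AutoSize
```

`Get-NetTCPConnection` is a snapshot, so step 2 is a spot check for responders rather than a substitute for the continuous RPC traffic monitoring the advisory asks for; that belongs on the network boundary or in endpoint telemetry. The firewall rule is deliberately scoped to public IPv4 ranges rather than "block 135 everywhere" because the endpoint mapper is load-bearing for domain operations, and it is meant to be removed once the update is confirmed installed.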
This marks the second critical Windows RPC vulnerability disclosed this year, following CVE-2026-10567 in February. Security experts note that RPC services remain a common attack vector due to their network accessibility and historical complexity.
Microsoft's Security Response Center urges organizations to review their incident response plans and ensure security teams are prepared for potential exploitation attempts. The company will provide additional guidance through its MSRC blog and Twitter channels as the situation develops.