#Vulnerabilities

Urgent Alert: CVE‑2026‑9149 Exploitation in Microsoft Windows 10/11 Requires Immediate Patching

Vulnerabilities Reporter
2 min read

A critical remote code execution flaw in Windows 10 and 11 allows attackers to run arbitrary code with SYSTEM privileges. The vulnerability, identified as CVE‑2026‑9149, is rated CVSS 9.8 and affects all recent builds. Microsoft released a security update on 2026‑05‑15. Organizations must apply the patch, verify installation, and monitor for anomalous activity.

CVE‑2026‑9149 – Remote Code Execution in Windows 10/11

Impact

A single unauthenticated network request can execute arbitrary code with SYSTEM rights on any vulnerable Windows 10 or Windows 11 machine. Attackers can install malware, exfiltrate data, or pivot to other hosts.

Affected Versions

  • Windows 10 Version 22H2 and earlier
  • Windows 11 Version 22H2 and earlier
  • All builds prior to KB5029955 (released 2026‑05‑15)

CVSS Score

  • Base Score: 9.8 (Critical)
  • Attack Vector: Network
  • Privileges Required: None
  • User Interaction: None

Technical Details

The flaw resides in the Windows Authentication Service (WAS). A malformed NTLM challenge response bypasses integrity checks, allowing an attacker to inject a crafted packet that the service processes as a privileged command. The service then executes the payload under the SYSTEM account.

The vulnerability exploits a missing bounds check in the NtLmAuthenticate routine. When the routine parses the LmChallengeResponse field, it incorrectly assumes the buffer length matches the declared size. An attacker can send a packet with a larger buffer, causing a heap overflow that overwrites the return address. The overwritten address points to attacker-controlled shellcode, which the kernel executes with SYSTEM privileges.

Example Attack Flow

  1. Attacker sends a crafted NTLM challenge response to the target.
  2. WAS processes the response and triggers the overflow.
  3. Shellcode executes, granting SYSTEM access.
  4. Attacker installs persistence mechanisms.

Mitigation Steps

  1. Apply the patch: Download and install the update from the Microsoft Update Catalog or enable automatic updates.
  2. Verify installation: Run wmic qfe list brief /format:table and confirm KB5029955 is present.
  3. Restrict NTLM traffic: Configure Group Policy to disable NTLM where possible.
    • Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level
  4. Monitor logs: Watch for Event ID 4624 with Logon Type 10 and Event ID 4625 failures indicating failed authentication attempts.
  5. Implement network segmentation: Isolate critical servers from general traffic.

Timeline

  • 2026‑05‑01: CVE‑2026‑9149 disclosed by Microsoft.
  • 2026‑05‑05: Advisory released, indicating critical severity.
  • 2026‑05‑15: Security update KB5029955 deployed.
  • 2026‑05‑20: Microsoft recommends immediate patching.

Additional Resources

Bottom Line

This flaw grants attackers full control over vulnerable Windows systems. Apply the patch without delay, verify installation, and harden your environment against NTLM-based attacks. Failure to do so exposes your organization to immediate compromise.

#CVE-2026-9149#Windows#Remote Code Execution#NTLM#Patch

Comments

Loading comments...
Back to Home