Microsoft has released a critical security update for PowerShell 7.4 and Windows PowerShell 5.1. The CVE‑2026‑42946 vulnerability allows remote attackers to execute arbitrary code with SYSTEM privileges. Immediate patching and configuration changes are required.
CVE‑2026‑42946 – PowerShell Remote Code Execution
Impact
A flaw in PowerShell’s handling of Invoke-Expression permits remote code execution with SYSTEM privileges. Attackers can trigger the vulnerability over a network connection, bypassing authentication. The flaw is exploitable on Windows Server 2022, Windows 11, and all supported versions of PowerShell 7.4 and 7.3.
Technical Details
The vulnerability resides in the Invoke-Expression cmdlet’s argument parsing logic. When a specially crafted string is passed, the parser fails to escape certain control characters. This results in arbitrary code being injected into the PowerShell engine and executed with the highest available privileges.
The flaw is exploitable remotely via the PowerShell Remoting protocol (WS‑Man). An attacker can send a malicious payload over HTTP/HTTPS to a target that has PowerShell Remoting enabled. Once executed, the payload runs under the SYSTEM account, granting full control of the host.
The CVE was assigned a CVSS v3.1 score of 10.0. The attack vector is network, the privileges required are none, and the impact is complete confidentiality, integrity, and availability compromise.
Affected Products
| Product | Versions | Notes |
|---|---|---|
| PowerShell 7.4 | 7.4.0 – 7.4.2 | All builds |
| PowerShell 7.3 | 7.3.0 – 7.3.5 | All builds |
| Windows PowerShell | 5.1.19041.1 – 5.1.19041.1 | All Windows 10/11/Server 2022 |
| Windows Server | 2022, 2025, 2026 | All editions |
Mitigation Steps
- Apply the patch immediately. Download the latest cumulative update from the Microsoft Update Catalog. For PowerShell, install the KB5025183 update.
- Disable PowerShell Remoting if not required. Run `Disable-PSRemoting -Force` on the target machine.
- Restrict network access to the WS‑Man endpoint. Use firewall rules to block inbound traffic on ports 5985 (HTTP) and 5986 (HTTPS) from untrusted networks.
- Enable Just‑In‑Time (JIT) access for PowerShell Remoting. Configure the WSMan service to require authentication and TLS 1.2+.
- Monitor for suspicious activity. Check the Security event log for Event ID 4103 (PowerShell execution) and Event ID 4104 (PowerShell script block logging).
- Update all dependent scripts. Verify that custom scripts do not use `Invoke-Expression` with untrusted input.
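The mitigation steps above, pulled together into one elevated script as an added example (it is not from the advisory and not Microsoft tooling): it applies the remoting, firewall, WS‑Man and logging settings, then audits local scripts and the PowerShell event log for `Invoke-Expression` use. `$ScriptRoot`, `$TrustedSubnet` and the firewall rule names are placeholders. Event IDs 4103 and 4104 are read from the Microsoft-Windows-PowerShell/Operational log, which is where PowerShell writes them, and they are only produced once the script block and module logging policy keys are set.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the advisory or of any Microsoft tooling. Applies the
# advisory's mitigations on one host, then audits local scripts and the PowerShell
# event log for Invoke-Expression use. $ScriptRoot and $TrustedSubnet are placeholders.
param(
    [string]$ScriptRoot    = 'C:\Scripts',     # placeholder: where custom scripts live
    [string]$TrustedSubnet = '10.0.0.0/24',    # constructed: the only network allowed to reach WS-Man
    [switch]$DisableRemoting                   # use when this host does not need remoting at all
)

function Set-RemotingHardening {
    if ($DisableRemoting) {
        # Remoting not required: remove it entirely rather than scoping it.
        Disable-PSRemoting -Force
        Set-Service -Name WinRM -StartupType Disabled
        Stop-Service -Name WinRM
        return
    }
    # Remoting required: require authentication and reject unencrypted traffic on the
    # WS-Man service. TLS is enforced by exposing only the 5986 HTTPS listener.
    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item -Path WSMan:\localhost\Service\Auth\Basic       -Value $false
}

function Set-WsManFirewallScope {
    # Windows Firewall evaluates Block rules before Allow rules, so a blanket block
    # would also defeat a scoped allow. Instead, disable the built-in "allow from
    # anywhere" WinRM rules and add allow rules scoped to the trusted subnet; the
    # inbound default policy (Block) then drops everything else on 5985/5986.
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    foreach ($port in 5985, 5986) {
        $name = "WS-Man $port from trusted subnet only"   # constructed rule name
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -RemoteAddress $TrustedSubnet -Action Allow | Out-Null
        }
    }
}

function Enable-PowerShellLogging {
    # Without these policy keys Event IDs 4103/4104 are never written, so turn on
    # script block logging and module logging before hunting in the event log.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'
}

function Find-InvokeExpressionUse {
    # Parse each script with the PowerShell AST rather than grepping text, so the
    # alias "iex" and calls buried in pipelines are found and comments are ignored.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1 -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $tokens = $null; $errors = $null
            $ast = [System.Management.Automation.Language.Parser]::ParseFile($_.FullName, [ref]$tokens, [ref]$errors)
            $ast.FindAll({ param($node)
                $node -is [System.Management.Automation.Language.CommandAst] -and
                @('Invoke-Expression', 'iex') -contains $node.GetCommandName() }, $true) |
              ForEach-Object {
                [pscustomobject]@{ File = $_.Extent.File; Line = $_.Extent.StartLineNumber; Code = $_.Extent.Text }
              }
        }
}

function Find-InvokeExpressionEvents {
    # 4103 (module logging) and 4104 (script block logging) land in the
    # Microsoft-Windows-PowerShell/Operational log; keep recent entries whose logged
    # code calls Invoke-Expression, with the matching line as a snippet.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4103, 4104
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match '(?i)\b(Invoke-Expression|iex)\b' } |
      Select-Object TimeCreated, Id, @{ n = 'Snippet'; e = {
          ($_.Message -split "`n" | Where-Object { $_ -match '(?i)\b(Invoke-Expression|iex)\b' } | Select-Object -First 1).Trim() } }
}

# Apply the mitigations, then report findings for the team to review.
Set-RemotingHardening
Set-WsManFirewallScope
Enable-PowerShellLogging
Find-InvokeExpressionUse -Path $ScriptRoot   | Format-Table -AutoSize
Find-InvokeExpressionEvents                  | Format-Table -AutoSize -Wrap
```

Run it with `-DisableRemoting` on hosts that never need remoting; on management hosts omit the switch so remoting stays up but only from `$TrustedSubnet`, with Basic and unencrypted transport refused. The AST-based audit is deliberate: a plain text search misses the `iex` alias and flags commented-out code, while `CommandAst.GetCommandName()` reports the command actually invoked.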
Timeline
- 2026‑04‑12 – CVE disclosed by Microsoft Security Response Center (MSRC). Advisory published.
- 2026‑04‑15 – Initial patch released for Windows 11 and Server 2022.
- 2026‑04‑18 – Patch rolled out to PowerShell 7.4 and 7.3.
- 2026‑04‑20 – Advisory updated with mitigation guidance.
What to Do Now
- Check your environment. Run `Get-Host` and `Get-Module -ListAvailable PowerShell` to confirm the version.
- Install the update. Use `wusa /quiet /norestart` for silent installation.
- Verify the fix. After reboot, run `powershell -Command "Get-Command Invoke-Expression"` and ensure the cmdlet behaves normally.
- Notify stakeholders. Inform IT and security teams of the patch status.
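The "check your environment" and "verify the fix" steps, as an added example that is not part of the advisory: it compares the running engine against the version ranges in the Affected Products table above, then reports the state of the KB the advisory names, the WinRM service, the built-in WS‑Man firewall rules and the `Invoke-Expression` cmdlet. The ranges are copied from the table; `$PSVersionTable.PSVersion` is used because it reports the engine version in any host, and the report fields are constructed for this example.

```powershell
# Added example, not part of the advisory. Compares the running engine against the
# affected ranges in the advisory's table, then gathers the post-patch checks into
# one report object. Ranges are copied from the table; the report shape is constructed.

$AffectedRanges = @(
    @{ Product = 'PowerShell 7.4';         Min = [version]'7.4.0';       Max = [version]'7.4.2' }
    @{ Product = 'PowerShell 7.3';         Min = [version]'7.3.0';       Max = [version]'7.3.5' }
    @{ Product = 'Windows PowerShell 5.1'; Min = [version]'5.1.19041.1'; Max = [version]'5.1.19041.1' }
)

function Get-EngineVersion {
    # $PSVersionTable.PSVersion is the engine version regardless of host; strip any
    # prerelease label (e.g. 7.4.0-preview.2) so the value converts to [version].
    [version](($PSVersionTable.PSVersion.ToString() -split '-')[0])
}

function Test-AffectedVersion {
    param([Parameter(Mandatory)][version]$Version)
    foreach ($r in $AffectedRanges) {
        if ($Version -ge $r.Min -and $Version -le $r.Max) {
            return [pscustomobject]@{ Version = $Version; Affected = $true; Product = $r.Product }
        }
    }
    [pscustomobject]@{ Version = $Version; Affected = $false; Product = $null }
}

function Get-PatchStatus {
    # Pulls the pieces of the "Verify the fix" step into one object a ticket can carry.
    $engine  = Get-EngineVersion
    $kb      = Get-HotFix -Id 'KB5025183' -ErrorAction SilentlyContinue     # KB number from the advisory
    $winrm   = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $iex     = Get-Command -Name Invoke-Expression -ErrorAction SilentlyContinue
    $wsmanFw = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
               Where-Object Enabled -eq 'True'
    [pscustomobject]@{
        EngineVersion      = $engine
        VersionAffected    = (Test-AffectedVersion -Version $engine).Affected
        AffectedProduct    = (Test-AffectedVersion -Version $engine).Product
        KBInstalled        = [bool]$kb
        KBInstalledOn      = $kb.InstalledOn
        WinRMStatus        = $(if ($winrm) { $winrm.Status } else { 'NotPresent' })
        InvokeExpressionOK = ($null -ne $iex -and $iex.CommandType -eq 'Cmdlet')
        OpenWsManRules     = @($wsmanFw).Count   # built-in allow-from-anywhere rules still enabled
    }
}

# A host is done when VersionAffected is $false, KBInstalled is $true, and either
# WinRM is Stopped or OpenWsManRules is 0 (remoting kept, but scoped by your own rules).
$report = Get-PatchStatus
$report | Format-List
if ($report.VersionAffected -and -not $report.KBInstalled) {
    Write-Warning "Engine $($report.EngineVersion) is in an affected range and KB5025183 is not installed."
}
```

`Get-HotFix` reads the Win32_QuickFixEngineering table, so it reflects what Windows Update actually registered rather than what was downloaded; pairing it with the engine version catches the case where the package installed but the host has not yet rebooted into the patched build.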
Further Resources
- Microsoft Security Advisory – CVE‑2026‑42946
- PowerShell Security Best Practices
- WSMan Security Configuration Guide
Conclusion
This vulnerability allows attackers to gain SYSTEM access without authentication. Immediate patching and network hardening are mandatory. Failure to act exposes critical infrastructure to full compromise.