Описание
Windows Deployment Services Remote Code Execution Vulnerability
Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network.
FAQ
Are there additional steps I need to take to be protected from this vulnerability?
Admins should take the following steps to be protected from CVE-2026-0386:
- Audit existing WDS usage and identify hands-free deployments.
- Opt in for protection by configuring the registry settings described in: Windows Deployment Services (WDS) Hands-Free Deployment Hardening Guidance. This will provide immediate protection.
This security protection will be enabled by default in a future security update release and no additional administrator action will be required.
How is Microsoft addressing this vulnerability?
To address this vulnerability, by default the hands-free deployment feature will not be supported beginning with a security update in a future release in mid-2026.
Why is the WDS Unattended Installation feature being deprecated?
The legacy WDS workflow transmits unattend.xml over unauthenticated RPC, exposing sensitive credentials during PXE boot. This creates a security risk, including potential machine-in-the-middle (MITM) attacks. To strengthen security posture, Microsoft is enforcing authenticated RPC by default and removing the insecure workflow.
Isn’t using WDS within a network-isolated environment sufficient to mitigate this vulnerability?
Even in isolated networks, unauthenticated RPC introduces attack surfaces that can be exploited internally. Security best practices require eliminating unencrypted credential transmission and enforcing authenticated channels.
What is the impact of this change?
Hands-free deployments that rely on unauthenticated RPC will no longer work by default. Administrators can override this behavior via a registry key (See Windows Deployment Services (WDS) Hands-Free Deployment Hardening Guidance, but this is not recommended for production environments.
Are there any recommended alternative solutions?
Please see Windows Deployment Services (WDS) boot.wim support for alternate recommendations by Microsoft.
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a machine-in-the-middle (MITM) attack.
According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?
An authenticated attacker could exploit this vulnerability with LAN access.
Обновления
| Продукт | Статья | Обновление |
|---|---|---|
| Windows Server 2008 for 32-bit Systems Service Pack 2 | ||
| Windows Server 2008 for x64-based Systems Service Pack 2 | ||
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | ||
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | ||
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | ||
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | ||
| Windows Server 2012 | ||
| Windows Server 2012 (Server Core installation) | ||
| Windows Server 2012 R2 | ||
| Windows Server 2012 R2 (Server Core installation) |
Показывать по
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
EPSS
7.5 High
CVSS3
Связанные уязвимости
Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network.
Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network.
Уязвимость службы развертывания Windows Deployment Services операционных систем Windows, позволяющая нарушителю выполнить произвольный код
EPSS
7.5 High
CVSS3