CVE-2026-0386: Windows Deployment Services Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7.5)

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Unlikely

Patch Tuesday

2026-Jan

Released

2026-01-13

EPSS Score

0.07% (percentile: 22.5%)

Description

Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network.

FAQ

Are there additional steps I need to take to be protected from this vulnerability? Admins should take the following steps to be protected from CVE-2026-0386: Audit existing WDS usage and identify hands-free deployments. Opt in for protection by configuring the registry settings described in: Windows Deployment Services (WDS) Hands-Free Deployment Hardening Guidance. This will provide immediate protection. This security protection will be enabled by default in a future security update release and no additional administrator action will be required. How is Microsoft addressing this vulnerability? To address this vulnerability, by default the hands-free deployment feature will not be supported beginning with a security update in a future release in mid-2026. Why is the WDS Unattended Installation feature being deprecated? The legacy WDS workflow transmits unattend.xml over unauthenticated RPC, exposing sensitive credentials during PXE boot. This creates a security risk, including potential machine-in-the-middle (MITM) attacks. To strengthen security posture, Microsoft is enforcing authenticated RPC by default and removing the insecure workflow. Isn’t using WDS within a network-isolated environment sufficient to mitigate this vulnerability? Even in isolated networks, unauthenticated RPC introduces attack surfaces that can be exploited internally. Security best practices require eliminating unencrypted credential transmission and enforcing authenticated channels. What is the impact of this change? Hands-free deployments that rely on unauthenticated RPC will no longer work by default. Administrators can override this behavior via a registry key (See Windows Deployment Services (WDS) Hands-Free Deployment Hardening Guidance, but this is not recommended for production environments. Are there any recommended alternative solutions? Please see Windows Deployment Services (WDS) boot.wim support for alternate recommendations by Microsoft. According to the CVSS metric, the atta

Affected Products (19)

Windows

• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server 2022
• Windows Server 2022 (Server Core installation)
• Windows Server 2025 (Server Core installation)
• Windows Server 2022, 23H2 Edition (Server Core installation)
• Windows Server 2025
• Windows Server 2016
• Windows Server 2016 (Server Core installation)

ESU

• Windows Server 2008 for 32-bit Systems Service Pack 2
• Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)

Security Updates (11)

• 5073723
• 5073457
• 5073379
• 5073450
• 5073722
• 5073697
• 5073700
• 5073695
• 5073699
• 5073698
• 5073696

Acknowledgments

Microsoft Offensive Research and Security Engineering (MORSE) with Microsoft

Revision History

• 2026-01-13: Information published.