Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
Improper input validation in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network.
AnalysisAI
Windows Server Update Service (WSUS) fails to properly validate network inputs, allowing unauthenticated remote attackers to cause denial of service across all Windows Server versions from 2012 through 2025. The vulnerability (CVSS 7.5) enables network-based tampering with high availability impact (AV:N/AC:L/PR:N/UI:N/A:H), though confidentiality and integrity remain unaffected. Patch available per vendor advisory; no public exploit identified at time of analysis. The Authentication Bypass tag and PR:N vector confirm attackers require no credentials, making internet-exposed WSUS servers particularly vulnerable.
Technical ContextAI
Windows Server Update Service (WSUS) is Microsoft's enterprise patch management solution that distributes Windows updates to organizational networks. This vulnerability stems from CWE-20 (Improper Input Validation) in WSUS's network input handling mechanism. The affected component fails to sanitize or validate attacker-supplied data received over the network before processing it, allowing malicious input to trigger tampering conditions. The CVSS vector shows network-accessible attack surface (AV:N) with low complexity (AC:L), indicating the input validation flaw is straightforward to exploit without specialized conditions. CPE data identifies WSUS implementations across Windows Server 2012 (builds 6.2.9200.x), Server 2012 R2 (6.3.9600.x), Server 2016 (10.0.14393.x), Server 2019 (10.0.17763.x), Server 2022 (10.0.20348.x and 10.0.25398.x), and Server 2025 (10.0.26100.x) as vulnerable, affecting both full and Server Core installation modes. The improper validation likely occurs in WSUS's metadata processing, synchronization protocols, or client communication handlers where external network data interfaces with internal service logic.
RemediationAI
Apply Microsoft's security updates immediately to patch the input validation flaw in WSUS. Fixed versions are Windows Server 2012 build 6.2.9200.26026 or later, Windows Server 2012 R2 build 6.3.9600.23132 or later, Windows Server 2016 build 10.0.14393.9060 or later, Windows Server 2019 build 10.0.17763.8644 or later, Windows Server 2022 build 10.0.20348.5020 or later, Windows Server 2022 23H2 Edition build 10.0.25398.2274 or later, and Windows Server 2025 build 10.0.26100.32690 or later. Download patches through Microsoft Update Catalog or Windows Update for Business. As a temporary mitigation for organizations unable to immediately patch, restrict network access to WSUS servers using firewall rules to allow only trusted internal IP ranges, and ensure WSUS is not directly exposed to the internet. Monitor WSUS service availability and network traffic for anomalous connection patterns. Full remediation guidance available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26154.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22376