Cyber Resilience

CVE-2026-0386

High

Published: 13 January 2026

Published
13 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 15.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-0386 is a high-severity Improper Access Control (CWE-284) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 15.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0386 is an improper access control vulnerability in Windows Deployment Services. Published on 2026-01-13T18:16:06.440, it carries a CVSS v3.1 base score of 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-284. The issue enables an unauthorized attacker to execute code over an adjacent network due to flawed access controls in the affected component.

Attackers on an adjacent network can exploit this vulnerability without requiring user privileges or interaction, though exploitation demands high complexity. No authentication is needed, and successful attacks allow arbitrary code execution, leading to high impacts on confidentiality, integrity, and availability within the unchanged scope.

Microsoft provides detailed guidance on patches and mitigations in its update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0386.

EU & UK References

Vulnerability details

Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Improper access control in Windows Deployment Services directly enables remote code execution via exploitation of the remote service over an adjacent network.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-49657Same product: Microsoft Windows Server 2008
CVE-2025-49676Same product: Microsoft Windows Server 2008
CVE-2025-21297Same product: Microsoft Windows Server 2008
CVE-2025-49757Same product: Microsoft Windows Server 2008
CVE-2025-49688Same product: Microsoft Windows Server 2012
CVE-2026-25172Same product: Microsoft Windows Server 2012
CVE-2026-26183Same product: Microsoft Windows Server 2012
CVE-2026-41089Same product: Microsoft Windows Server 2012
CVE-2025-24045Same product: Microsoft Windows Server 2012
CVE-2025-48824Same product: Microsoft Windows Server 2008

Affected Assets

microsoft
windows server 2008
all versions, r2
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.8783
microsoft
windows server 2019
≤ 10.0.17763.8276
microsoft
windows server 2022
≤ 10.0.20348.4648
microsoft
windows server 2022 23h2
≤ 10.0.25398.2092
microsoft
windows server 2025
≤ 10.0.26100.32230

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations to mitigate improper access control in Windows Deployment Services, preventing unauthorized adjacent network attackers from executing code.

prevent

Requires timely remediation of the identified flaw in Windows Deployment Services, directly addressing the improper access control vulnerability through patching as provided by Microsoft.

prevent

Monitors and controls communications at system boundaries to restrict unauthorized adjacent network access to the vulnerable Windows Deployment Services component.

References