Cyber Posture

CVE-2026-27913

High

Published: 14 April 2026

Published
14 April 2026
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0010 28.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27913 is a high-severity Improper Input Validation (CWE-20) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 28.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the improper input validation (CWE-20) flaw in Windows BitLocker that enables local bypass of security features.

SI-2 Flaw Remediation good match
prevent

Ensures timely patching and remediation of the BitLocker vulnerability as detailed in Microsoft's update guide, eliminating the exploit path.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

Vulnerability scanning identifies systems affected by CVE-2026-27913 for prioritized patching and mitigation.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
attack.mitre.org →
Why these techniques?

Bypassing BitLocker via local input validation flaw directly enables reading encrypted local files/data (T1005) and modifying protected on-disk resources (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper input validation in Windows BitLocker allows an unauthorized attacker to bypass a security feature locally.

Deeper analysisAI

CVE-2026-27913 is an improper input validation vulnerability (CWE-20) affecting Windows BitLocker. Published on 2026-04-14, it enables an unauthorized attacker to bypass a security feature locally on impacted systems. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.

A local attacker can exploit this issue with low attack complexity, requiring no privileges, user interaction, or special conditions. Exploitation allows bypassing BitLocker's security protections, potentially granting unauthorized access to encrypted data or altering protected resources without affecting availability.

Microsoft's update guide provides details on mitigation, available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27913. Security practitioners should consult this advisory for patching instructions and workarounds.

Details

CWE(s)
CWE-20

Affected Products

microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.9060
microsoft
windows server 2019
≤ 10.0.17763.8644
microsoft
windows server 2022
≤ 10.0.20348.5020
microsoft
windows server 2022 23h2
≤ 10.0.25398.2274

CVEs Like This One

CVE-2026-26154Same product: Microsoft Windows Server 2012
CVE-2026-33826Same product: Microsoft Windows Server 2012
CVE-2026-27928Same product: Microsoft Windows Server 2016
CVE-2026-20856Same product: Microsoft Windows Server 2012
CVE-2025-54106Same product: Microsoft Windows Server 2012
CVE-2025-24045Same product: Microsoft Windows Server 2012
CVE-2025-21309Same product: Microsoft Windows Server 2012
CVE-2026-26183Same product: Microsoft Windows Server 2012
CVE-2025-59287Same product: Microsoft Windows Server 2012
CVE-2026-25172Same product: Microsoft Windows Server 2012

References