MSRC compact vulnerability detail

CVE-2026-0386 · Windows Deployment Services Remote Code Execution Vulnerability

Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network.

Severity
Important
Impact
Remote Code Execution
CVSS
7.5 base · 6.5 temporal
Release
2026-01-13
Signals
Windows Deployment Services Remote Code Execution
Exploited: No
Publicly disclosed: No
Exploitability: Exploitation Unlikely
CWE
Description
Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network.
FAQ / Articles
FAQ
Are there additional steps I need to take to be protected from this vulnerability?
Admins should take the following steps to be protected from CVE-2026-0386:
1. Audit existing WDS usage and identify hands-free deployments.
2. Opt in for protection by configuring the registry settings described in: Windows Deployment Services (WDS) Hands-Free Deployment Hardening Guidance. This will provide immediate protection.
This security protection will be enabled by default in a future security update release and no additional administrator action will be required.

How is Microsoft addressing this vulnerability?
To address this vulnerability, by default the hands-free deployment feature will not be supported beginning with a security update in a future release in mid-2026.

Why is the WDS Unattended Installation feature being deprecated?
The legacy WDS workflow transmits unattend.xml over unauthenticated RPC, exposing sensitive credentials during PXE boot. This creates a security risk, including potential machine-in-the-middle (MITM) attacks. To strengthen security posture, Microsoft is enforcing authenticated RPC by default and removing the insecure workflow.

Isn’t using WDS within a network-isolat...
FAQ
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a machine-in-the-middle (MITM) attack.

According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?
An authenticated attacker could exploit this vulnerability with LAN access.