Windows Server Update Service (WSUS) Tampering Vulnerability

Plan PatchCVSS 7.5CVE-2026-26154Apr 14, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Improper input validation in Windows Server Update Service (WSUS) allows an unauthenticated network attacker to tamper with updates. An attacker could modify, inject, or block updates being distributed through WSUS to downstream servers. This affects Windows Server 2016, 2019, 2022, and 2025 in all editions (full and Server Core). Exploitation is assessed as less likely at this time, but the patch should be applied during normal maintenance windows.

What this means

What could happen

An attacker on your network could tamper with Windows updates being distributed through WSUS, potentially injecting malicious patches or blocking legitimate security updates from reaching your servers. This could compromise the security posture of your entire infrastructure downstream of the WSUS server.

Who's at risk

Organizations running Windows Server Update Service (WSUS) on any supported Windows Server version (2016, 2019, 2022, or 2025) need to patch. This affects both full and Server Core installations. If you are a water utility or electric utility deploying Windows-based SCADA servers, HMI systems, or engineering workstations that depend on WSUS for centralized patch management, this vulnerability directly threatens the integrity of your security updates.

How it could be exploited

An attacker with network access to your WSUS server (typically port 80 or 443 for HTTP/HTTPS) could send specially crafted input to exploit the improper input validation in the update service, allowing them to modify or inject updates without authentication. The attacker does not need special privileges or user interaction.

Prerequisites

Network access to WSUS server (port 80 or 443)
WSUS service running and reachable from attacker's network location
Unpatched Windows Server 2016, 2019, 2022, or 2025 running WSUS

remotely exploitableno authentication requiredlow complexityaffects update distribution infrastructurecould enable supply-chain style attack on patching system

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (9)

9 with fix

ProductAffected VersionsFix Status

Windows Server 2019All versionsBuild 10.0.17763.8644

Windows Server 2019 (Server Core installation)All versionsBuild 10.0.17763.8644

Windows Server 2022All versionsBuild 10.0.20348.5020

Windows Server 2022 (Server Core installation)All versionsBuild 10.0.20348.5020

Windows Server 2025 (Server Core installation)All versionsBuild 10.0.26100.32690

Windows Server 2022, 23H2 Edition (Server Core installation)All versionsBuild 10.0.25398.2274

Windows Server 2025All versionsBuild 10.0.26100.32690

Windows Server 2016All versionsBuild 10.0.14393.9060

Remediation & Mitigation

0/6

Do now

0/1

HARDENINGRestrict network access to WSUS server to only authorized client computers and administrators; block inbound traffic from untrusted networks

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

Windows Server 2016

HOTFIXUpdate Windows Server 2016 to Build 10.0.14393.9060 or later

Windows Server 2019

HOTFIXUpdate Windows Server 2019 to Build 10.0.17763.8644 or later

Windows Server 2022

HOTFIXUpdate Windows Server 2022 to Build 10.0.20348.5020 or later

Windows Server 2025

HOTFIXUpdate Windows Server 2025 to Build 10.0.26100.32690 or later

Long-term hardening

0/1

HARDENINGMonitor WSUS logs for suspicious update requests or tampering attempts

CVEs (1)

CVE-2026-26154

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d0ddc72e-eb82-4190-9ccf-875bf8f71825

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.