Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability

Plan PatchCVSS 7CVE-2026-26174Apr 14, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityHigh

User InteractionNone needed

Summary

A race condition vulnerability in Windows Server Update Service (WSUS) allows a local user with standard privileges to escalate to administrative privileges by exploiting improper synchronization during concurrent WSUS update operations. The vulnerability affects Windows 10 (multiple versions), Windows 11 (multiple versions), Windows Server 2016, 2019, 2022, and 2025 across 32-bit, 64-bit, ARM, and Server Core installations.

What this means

What could happen

A user with local access to a Windows server or workstation can exploit this WSUS race condition to gain administrative privileges, potentially allowing them to install software, modify configurations, or disrupt operations if the server plays a role in process management or monitoring.

Who's at risk

Windows server and workstation administrators managing any Windows 10, Windows 11, Windows Server 2016, 2019, 2022, or 2025 systems. This is particularly relevant for utilities with WSUS-managed IT infrastructure that also supports OT networks or control systems where Windows runs as an HMI (human-machine interface), data historian, or engineering workstation.

How it could be exploited

An attacker with a local user account on a Windows system running WSUS client software can trigger a race condition during WSUS update operations. By timing file access requests carefully, the attacker can escalate privileges from a standard user to administrator without requiring additional credentials or interaction.

Prerequisites

Local user account on the affected Windows system
WSUS client enabled and actively checking for updates
Ability to execute code on the system during a WSUS update cycle

Local exploitation requiredValid user credentials neededWindows Server and desktop operating systems affectedRace condition requires precise timing

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (27)

27 with fix

ProductAffected VersionsFix Status

Windows 10 Version 1809 for 32-bit SystemsAll versionsBuild 10.0.17763.8644

Windows 10 Version 1809 for x64-based SystemsAll versionsBuild 10.0.17763.8644

Windows Server 2019All versionsBuild 10.0.17763.8644

Windows Server 2019 (Server Core installation)All versionsBuild 10.0.17763.8644

Windows Server 2022All versionsBuild 10.0.20348.5020

Remediation & Mitigation

0/3

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply the April 2026 Windows security update to all affected Windows 10, Windows 11, and Windows Server systems

Long-term hardening

0/2

HARDENINGRestrict local user account privileges and audit accounts with administrative rights

HARDENINGReview WSUS configuration to ensure only trusted systems and accounts can initiate update operations

CVEs (1)

CVE-2026-26174

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a160c10e-de4d-4b12-a990-0090ba6edf7e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.