Windows Active Directory Remote Code Execution Vulnerability
Plan: Patch
CVSS: 8
CVE: CVE-2026-33826
Date: Apr 14, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Adjacent
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Improper input validation in Windows Active Directory allows an authorized attacker to execute arbitrary code over an adjacent network. The vulnerability affects multiple versions of Windows Server (2016, 2019, 2022, 2025). Exploitation requires valid credentials and access to the adjacent network segment where the domain controller resides.
What this means
What could happen
An attacker with valid domain credentials on your network could execute commands on your Active Directory servers, potentially compromising user accounts, domain policies, and any systems that rely on AD authentication. This could disrupt authentication services across your entire utility infrastructure.
Who's at risk
Water authorities and utilities with Windows Server domain controllers are affected. This includes any organization using Windows Active Directory for authentication of IT systems, SCADA networks, or administrative workstations. All versions of Windows Server 2016, 2019, 2022, and 2025 are vulnerable until patched.
How it could be exploited
An attacker with valid AD credentials connects to a vulnerable domain controller over the network and sends specially crafted input to trigger improper validation in Active Directory. This allows the attacker to execute arbitrary commands with the privileges of the AD service, potentially gaining full control of the domain controller and all systems that trust it.
Prerequisites
- Valid Active Directory user credentials
- Network access to domain controller (same network segment or routable)
- Access to Windows Server 2016, 2019, 2022, or 2025 domain controller
- Low complexity exploitation
- Authentication required, but using standard AD credentials
- Affects critical infrastructure authentication (Active Directory)
- Adjacent network access required
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (9)
9 with fix
Remediation & Mitigation
Do now
HARDENING: Restrict network access to domain controllers by configuring firewall rules to allow only authorized administrative systems and servers that require AD authentication. Block unnecessary protocols and limit the networks that can initiate connections to the domain controller.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption.
HOTFIX: Apply Microsoft's April 2026 security updates to all domain controllers: Windows Server 2016 (Build 10.0.14393.9060 or later), Windows Server 2019 (Build 10.0.17763.8644 or later), Windows Server 2022 (Build 10.0.20348.5020 or later), and Windows Server 2025 (Build 10.0.26100.32690 or later).
Long-term hardening
HARDENING: Review and enforce strong password policies for all domain accounts, particularly service accounts and administrative accounts that could be compromised and used to exploit this vulnerability.
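To verify the HOTFIX step across a domain, the following added script (not part of the advisory or of Microsoft's guidance) reads each domain controller's full OS build, including the update build revision, and compares it against the patched builds listed above. It assumes the ActiveDirectory RSAT module is installed and that PowerShell Remoting to each domain controller is permitted; the `$MinPatched` table and the `Test-DcPatchLevel` function are this example's own names.

```powershell
# Added example, not from the advisory: compare each domain controller's
# installed build against the patched builds the advisory lists.
# Assumes the ActiveDirectory RSAT module and WinRM access to every DC.
Import-Module ActiveDirectory

# Minimum patched build per OS build line, taken from the advisory's HOTFIX entry.
$MinPatched = @{
    14393 = [version]'10.0.14393.9060'   # Windows Server 2016
    17763 = [version]'10.0.17763.8644'   # Windows Server 2019
    20348 = [version]'10.0.20348.5020'   # Windows Server 2022
    26100 = [version]'10.0.26100.32690'  # Windows Server 2025
}

function Test-DcPatchLevel {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($dc in $ComputerName) {
        try {
            # The full build including the UBR is only exposed in the registry;
            # return it as a string so the [version] cast happens locally.
            $raw = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
                '{0}.{1}.{2}.{3}' -f $k.CurrentMajorVersionNumber,
                    $k.CurrentMinorVersionNumber, $k.CurrentBuildNumber, $k.UBR
            }
            $v = [version]$raw
        } catch {
            [pscustomobject]@{ DC = $dc; Build = $null; Status = "UNREACHABLE: $($_.Exception.Message)" }
            continue
        }
        $min = $MinPatched[$v.Build]
        $status = if (-not $min) { 'UNKNOWN: build line not covered by this advisory' }
                  elseif ($v -ge $min) { 'PATCHED' }
                  else { "VULNERABLE: need $min or later" }
        [pscustomobject]@{ DC = $dc; Build = $v.ToString(); Status = $status }
    }
}

# Enumerate every DC in the current domain; any row that is not PATCHED
# needs the maintenance window described in the Schedule step.
$dcs = (Get-ADDomainController -Filter *).HostName
Test-DcPatchLevel -ComputerName $dcs | Format-Table -AutoSize
```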
CVEs (1)
API: /api/v1/advisories/3c1c6dce-6b00-4ff1-bd65-cbe9d0518d3a