Windows Active Directory Domain Services Remote Code Execution Vulnerability
Plan Patch | CVSS 8.8 | CVE-2026-45648 | Jun 9, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
A stack-based buffer overflow vulnerability exists in Windows Active Directory Domain Services on Windows Server 2022 and 2025. An authorized attacker can send a specially crafted network message to trigger the buffer overflow and execute arbitrary code with SYSTEM privileges on the domain controller. The vulnerability requires valid domain credentials to exploit and is unlikely to be exploited in the wild.
What this means
What could happen
An attacker with valid domain credentials could run arbitrary code on your domain controller, potentially compromising all systems connected to your Active Directory infrastructure and disrupting authentication and authorization for your entire network.
Who's at risk
Windows Server administrators running Active Directory Domain Services on Windows Server 2022 or 2025 are affected. This includes all organizations using on-premises Active Directory for authentication and authorization, particularly those in critical infrastructure sectors like utilities and water authorities.
How it could be exploited
An attacker must first obtain valid domain user credentials (through phishing, credential theft, or insider access). They then connect to the vulnerable Active Directory Domain Services port over the network and send a specially crafted message that triggers a stack buffer overflow, allowing code execution with SYSTEM privileges on the domain controller.
Prerequisites
- Valid domain user credentials
- Network access to Active Directory Domain Services (typically port 135/RPC or LDAP ports)
- Target must be Windows Server 2022 or 2025
- Remotely exploitable
- Requires valid credentials
- High CVSS score (8.8)
- Affects domain controller (critical infrastructure)
- Low attack complexity
Exploitability
Some exploitation risk — EPSS score 1.1%
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to domain controller RPC and LDAP ports to authorized administrative systems and approved domain member computers only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Windows Server 2022
HOTFIX: Apply Microsoft June 2026 security update to Windows Server 2022 (Build 10.0.20348.5256 or later)
Windows Server 2025
HOTFIX: Apply Microsoft June 2026 security update to Windows Server 2025 (Build 10.0.26100.32995 or later)
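To confirm the updates above have landed on every domain controller, the following added PowerShell example (not part of the original advisory or any Microsoft tooling) compares each DC's build against the fixed builds listed here. It assumes the RSAT ActiveDirectory module and PowerShell remoting (WinRM) to the DCs are available; Test-DcPatched is a hypothetical helper name.

```powershell
# Added example: audit domain controllers against the fixed builds in this advisory.
# Assumptions: RSAT ActiveDirectory module installed, WinRM remoting enabled to the DCs.
Import-Module ActiveDirectory

# Minimum patched revision (UBR) per OS build, taken from the remediation section above.
$FixedUbr = @{
    20348 = 5256    # Windows Server 2022: 10.0.20348.5256 or later
    26100 = 32995   # Windows Server 2025: 10.0.26100.32995 or later
}

# Hypothetical helper: classify one DC from its build number and update revision.
function Test-DcPatched {
    param([int]$Build, [int]$Ubr)
    if (-not $FixedUbr.ContainsKey($Build)) { return 'NotListed' }  # OS build not named in this advisory
    if ($Ubr -ge $FixedUbr[$Build]) { return 'Patched' }
    return 'Vulnerable'
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Read the build and update revision from the DC's registry.
        $v = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
            [pscustomobject]@{ Build = [int]$k.CurrentBuildNumber; Ubr = [int]$k.UBR }
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Version          = "10.0.$($v.Build).$($v.Ubr)"
            Status           = Test-DcPatched -Build $v.Build -Ubr $v.Ubr
        }
    } catch {
        # Unreachable DCs are reported rather than silently skipped.
        [pscustomobject]@{
            DomainController = $dc.HostName
            Version          = 'unknown'
            Status           = 'Unreachable'
        }
    }
}

$results | Sort-Object Status, DomainController | Format-Table -AutoSize
```

Any row reported as Vulnerable or Unreachable still needs the June 2026 update applied or verified by hand.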
Long-term hardening
HARDENING: Enforce strong credential policies and monitor for unusual domain account logins or privilege escalation attempts
CVEs (1)