Windows Hyper-V Remote Code Execution Vulnerability

Plan Patch | CVSS 8.2 | CVE-2026-47652 | Jun 9, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

An out-of-bounds read vulnerability in Windows Hyper-V allows a local administrator to execute arbitrary code with elevated privileges. The vulnerability affects Windows Server 2022, Windows Server 2025, and multiple versions of Windows 11 (23H2, 24H2, 25H2, and 26H1) on both x64 and ARM64 systems. Microsoft has released security updates for all affected versions.

What this means
What could happen
An attacker with local administrative access to a Windows system running Hyper-V could execute arbitrary code with high privileges, potentially compromising the host system and any virtual machines it manages.
Who's at risk
Windows Server administrators running Hyper-V (Server 2022 and 2025) should prioritize this update. It also affects Windows 11 users with Hyper-V enabled (versions 23H2, 24H2, 25H2, and 26H1 on both x64 and ARM64 systems). This is relevant to any organization using Windows-based virtualization for hosting critical workloads or OT network segmentation.
How it could be exploited
An attacker with local administrative credentials on a Windows Server or Windows 11 system can trigger an out-of-bounds memory read in the Hyper-V hypervisor through a malicious request or crafted input, which could be leveraged to execute arbitrary code with system-level privileges.
Prerequisites
  • Local administrative access to the Windows system
  • Hyper-V role/feature must be installed and enabled
  • Ability to interact with Hyper-V APIs or management interfaces
  • Local administrative privilege required
  • Affects virtualization infrastructure (could impact OT network isolation)
  • No active exploit known (yet)
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (12)
12 with fix
Product | Affected Versions | Fix Status
Windows Server 2022 | All versions | Build 10.0.20348.5256
Windows Server 2022 (Server Core installation) | All versions | Build 10.0.20348.5256
Windows Server 2025 (Server Core installation) | All versions | Build 10.0.26100.32995
Windows 11 Version 25H2 for ARM64-based Systems | All versions | Build 10.0.26200.8655
Windows 11 Version 25H2 for x64-based Systems | All versions | Build 10.0.26200.8655
Windows 11 Version 23H2 for ARM64-based Systems | All versions | Build 10.0.22631.7219
Windows 11 Version 23H2 for x64-based Systems | All versions | Build 10.0.22631.7219
Windows 11 Version 24H2 for ARM64-based Systems | All versions | Build 10.0.26100.8655
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Windows Server 2022
HOTFIX: Apply Microsoft's June 2026 security update to Windows Server 2022 (Build 10.0.20348.5256 or later)
Windows Server 2025
HOTFIX: Apply Microsoft's June 2026 security update to Windows Server 2025 (Build 10.0.26100.32995 or later)
All products
HOTFIX: Apply Microsoft's June 2026 security update to Windows 11 Version 23H2 (Build 10.0.22631.7219 or later)
HOTFIX: Apply Microsoft's June 2026 security update to Windows 11 Version 24H2 (Build 10.0.26100.8655 or later)
HOTFIX: Apply Microsoft's June 2026 security update to Windows 11 Version 25H2 (Build 10.0.26200.8655 or later)
HOTFIX: Apply Microsoft's June 2026 security update to Windows 11 Version 26H1 (Build 10.0.28000.2269 or later)
Long-term hardening
HARDENING: Restrict local administrative access to Hyper-V systems to only authorized personnel and service accounts
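
One way to check a host against the fixed builds listed above, as an added example (not Microsoft's or this advisory's own code). The function name Test-HyperVAdvisoryPatch is hypothetical; the script assumes the build and revision are read from the CurrentVersion registry key and treats the presence of the vmms service as a heuristic for Hyper-V being installed.

```powershell
# Added example. Minimum patched revision (UBR) per build, copied from the
# HOTFIX lines of this advisory. Key = "<build>|<Server or Client>".
# Build 26100 is shared by Server 2025 and Windows 11 24H2 with different floors.
$FixedUbr = @{
    '20348|Server' = 5256    # Windows Server 2022
    '26100|Server' = 32995   # Windows Server 2025
    '22631|Client' = 7219    # Windows 11 23H2
    '26100|Client' = 8655    # Windows 11 24H2
    '26200|Client' = 8655    # Windows 11 25H2
    '28000|Client' = 2269    # Windows 11 26H1
}

function Test-HyperVAdvisoryPatch {
    param(
        [Parameter(Mandatory)] [int]    $Build,             # e.g. 20348
        [Parameter(Mandatory)] [int]    $Ubr,               # update build revision
        [Parameter(Mandatory)] [string] $InstallationType,  # Client / Server / Server Core
        [Parameter(Mandatory)] [bool]   $HyperVEnabled
    )
    # Server and Server Core share one fix floor; everything else is a client SKU.
    $family = if ($InstallationType -like 'Server*') { 'Server' } else { 'Client' }
    $key = "$Build|$family"

    $status = if (-not $FixedUbr.ContainsKey($key)) { 'NotListed' }
    elseif ($Ubr -ge $FixedUbr[$key])               { 'Patched' }
    elseif ($HyperVEnabled)                         { 'Vulnerable' }
    else                                            { 'MissingUpdate-HyperVOff' }

    [pscustomobject]@{
        Version    = "10.0.$Build.$Ubr"
        Family     = $family
        RequiredAt = if ($FixedUbr.ContainsKey($key)) { "10.0.$Build.$($FixedUbr[$key])" } else { $null }
        HyperV     = $HyperVEnabled
        Status     = $status
    }
}

# Constructed sample: a Server 2025 host one revision below the fix floor.
Test-HyperVAdvisoryPatch -Build 26100 -Ubr 32994 -InstallationType 'Server Core' -HyperVEnabled $true

# Local host: build data from the registry, Hyper-V presence from the vmms service.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$hv = [bool](Get-Service -Name vmms -ErrorAction SilentlyContinue)
Test-HyperVAdvisoryPatch -Build ([int]$cv.CurrentBuildNumber) -Ubr ([int]$cv.UBR) `
    -InstallationType $cv.InstallationType -HyperVEnabled $hv
```

A status of MissingUpdate-HyperVOff still warrants patching, since enabling the Hyper-V role later would expose the host.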