Description
Improper input validation in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network.
Published: 2026-04-14
Score: 7.5 (High)
EPSS: < 1% (Very Low)
KEV: No
Impact: Unauthorized WSUS Tampering
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in incorrect input validation within the Windows Server Update Service. An unauthorized attacker who can reach the service over a network may send specially crafted requests that allow tampering with the service’s behavior. The specific effects are limited to the integrity and operation of the update distribution system, as the attacker can modify WSUS state or configuration through the service.

Affected Systems

Affected versions are Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2025, and 23H2, in both standard and Server Core installations. These versions are listed in the CNA affected-products list and cover all 64-bit editions of the operating system.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while no EPSS data is available and the vulnerability is not listed in the KEV catalog, suggesting no widespread exploitation yet. Because the flaw is exploitable over the network and requires no authentication, any host with WSUS enabled and exposed can be targeted. This poses a significant risk to the integrity and availability of the update infrastructure in affected environments.

Generated by OpenCVE AI on April 14, 2026 at 20:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Microsoft security update for this vulnerability from the Microsoft Security Update Guide or Update Catalog.
  • Verify the patch has been installed by reviewing the WSUS service version or the Windows Update history.
  • Restrict external access to the WSUS server using firewall rules or network segmentation, allowing only trusted administrators to communicate with it.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 14:45:00 +0000

Values Removed: none

Values Added:
First Time appeared:
  • Microsoft windows Server 2012 (server Core Installation)
  • Microsoft windows Server 2012 R2
  • Microsoft windows Server 2012 R2 (server Core Installation)
  • Microsoft windows Server 2016 (server Core Installation)
  • Microsoft windows Server 2019 (server Core Installation)
  • Microsoft windows Server 2022, 23h2 Edition (server Core Installation)
  • Microsoft windows Server 2025 (server Core Installation)
Vendors & Products:
  • Microsoft windows Server 2012 (server Core Installation)
  • Microsoft windows Server 2012 R2
  • Microsoft windows Server 2012 R2 (server Core Installation)
  • Microsoft windows Server 2016 (server Core Installation)
  • Microsoft windows Server 2019 (server Core Installation)
  • Microsoft windows Server 2022, 23h2 Edition (server Core Installation)
  • Microsoft windows Server 2025 (server Core Installation)

Tue, 14 Apr 2026 18:30:00 +0000

Values Removed: none

Values Added:
Metrics: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 17:30:00 +0000

Values Removed: none

Values Added:
Description: Improper input validation in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network.
Title: Windows Server Update Service (WSUS) Tampering Vulnerability
First Time appeared:
  • Microsoft
  • Microsoft windows Server 2012
  • Microsoft windows Server 2012 R2
  • Microsoft windows Server 2016
  • Microsoft windows Server 2019
  • Microsoft windows Server 2022
  • Microsoft windows Server 2025
  • Microsoft windows Server 23h2
Weaknesses: CWE-20
CPEs:
  • cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Vendors & Products:
  • Microsoft
  • Microsoft windows Server 2012
  • Microsoft windows Server 2012 R2
  • Microsoft windows Server 2016
  • Microsoft windows Server 2019
  • Microsoft windows Server 2022
  • Microsoft windows Server 2025
  • Microsoft windows Server 23h2
References: none listed
Metrics: cvssV3_1
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED
Assigner: microsoft
Published:
Updated: 2026-04-17T16:11:54.252Z
Reserved: 2026-02-11T16:24:51.135Z
Link: CVE-2026-26154

Vulnrichment

Updated: 2026-04-14T17:59:16.877Z

NVD

Status: Awaiting Analysis
Published: 2026-04-14T18:16:46.950
Modified: 2026-04-17T15:10:35.607
Link: CVE-2026-26154

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:15:06Z

Weaknesses