Windows 11 & Server 2025 - Microsoft Blocks RCE Vulnerability
Basically, Microsoft found a serious flaw that lets hackers take control of computers during setup.
Microsoft is disabling hands-free deployment in Windows 11 and Server 2025 due to a critical RCE vulnerability. This flaw allows attackers to execute arbitrary code, posing serious risks. Administrators must act quickly to secure their systems before the April deadline.
The Flaw
Microsoft has uncovered a critical remote code execution (RCE) vulnerability in Windows Deployment Services (WDS), tracked as CVE-2026-0386. This vulnerability arises from improper access control, allowing attackers on the same network to intercept sensitive configuration files. Specifically, the issue lies in how the Unattend.xml file is transmitted over an unauthenticated channel, making it vulnerable to interception. This flaw could enable attackers to execute arbitrary code during OS deployments, potentially leading to SYSTEM-level privileges and lateral movement across networks.
The vulnerability affects Windows Server versions from Server 2008 through Server 2025. Security researchers emphasize that a successful exploit could allow attackers not only to steal credentials embedded in the configuration but also to inject malicious code. This poses a significant risk to enterprise environments, because it could compromise the integrity of OS deployment images and therefore represents a supply-chain-level risk.
Two-Phase Hardening Timeline
To address this vulnerability, Microsoft has initiated a two-phase plan. In Phase 1, which began on January 13, 2026, the hands-free deployment feature remains operational but can be disabled by administrators. Microsoft introduced new Event Log alerts and registry key controls to enforce secure behavior. Administrators are encouraged to set AllowHandsFreeFunctionality = 0 in the registry to mitigate risks.
Phase 2 will commence in April 2026, when the hands-free deployment feature will be disabled by default. Administrators who have not adjusted their registry settings will find the feature blocked once the April security update is installed. For those who need the feature temporarily, it can be re-enabled, but Microsoft warns that this should only be a short-term measure because of the security risk.
What You Should Do
Organizations using Windows Deployment Services must take immediate action to safeguard their systems. Here are some recommended steps:
- Review all WDS configurations for Unattend.xml usage.
- Apply the latest Windows security updates released after January 13, 2026.
- Set AllowHandsFreeFunctionality = 0 to enforce secure behavior before April 2026.
- Monitor Event Viewer for any warnings regarding insecure access to Unattend.xml.
- Consider migrating to alternative deployment methods like Microsoft Intune or Windows Autopilot, which are not affected by this vulnerability.
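The review and registry steps above, as an added PowerShell example that is not Microsoft's code and not taken from the article or from KB 5074952: it reports the current AllowHandsFreeFunctionality value, optionally sets it to 0, scans the WDS share for Unattend.xml files that carry embedded passwords, and lists recent Unattend-related events. The registry key path, the share root C:\RemoteInstall, the event filter and all function names are assumptions; the article supplies only the value name and the required value of 0, so take the real key path and event IDs from KB 5074952 before using this.

```powershell
<#
  Added example for this article; not Microsoft's code and not from KB 5074952.
  From the article: the value name AllowHandsFreeFunctionality, the required
  setting 0, the advice to review Unattend.xml and to watch the Event Log.
  ASSUMPTIONS (replace before use): the registry key path, the WDS share root
  and the event filter below are placeholders, not documented values.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Root of the WDS share; C:\RemoteInstall is the conventional default (assumption).
    [string]$WdsRoot = 'C:\RemoteInstall',
    # PLACEHOLDER key path: the real key is documented in KB 5074952.
    [string]$HandsFreeKey = 'HKLM:\SOFTWARE\PLACEHOLDER\WDS',
    # Write the value (0) instead of only reporting it. Requires an elevated session.
    [switch]$Enforce
)

$ValueName = 'AllowHandsFreeFunctionality'

# Read the value and decide whether the host is already in the secure state.
function Get-HandsFreeState {
    param([string]$Key, [string]$Name)
    $prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Key = $Key; Name = $Name; Value = $null; Compliant = $false }
    }
    [pscustomobject]@{ Key = $Key; Name = $Name; Value = $prop.$Name; Compliant = ($prop.$Name -eq 0) }
}

# Set the value to 0 (hands-free deployment off); honours -WhatIf / -Confirm.
function Set-HandsFreeDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$Key\$Name", 'Set DWORD to 0 (disable hands-free deployment)')) {
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Find answer files whose password-bearing elements hold a value. In the unattend
# schema those are AdministratorPassword and Password (AutoLogon, LocalAccount and
# domain-join Credentials). PlainText=false only base64-encodes the value; it is
# not encryption, so both forms are reported.
function Find-UnattendCredentials {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Include 'Unattend*.xml', 'Autounattend.xml' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        try { [xml]$doc = Get-Content -Path $file -Raw -ErrorAction Stop } catch { return }
        $nodes = $doc.SelectNodes('//*[local-name()="AdministratorPassword" or local-name()="Password"]')
        foreach ($node in $nodes) {
            $valueNode = $node.SelectSingleNode('*[local-name()="Value"]')
            if ($null -ne $valueNode) {
                if ([string]::IsNullOrWhiteSpace($valueNode.InnerText)) { continue }
                $plain = $node.SelectSingleNode('*[local-name()="PlainText"]')
                $form = if ($null -ne $plain -and $plain.InnerText -eq 'true') { 'plaintext' } else { 'base64-obfuscated (reversible, not encrypted)' }
            }
            elseif ($node.ChildNodes.Count -eq 1 -and $node.FirstChild.NodeType -eq 'Text' -and
                    -not [string]::IsNullOrWhiteSpace($node.InnerText)) {
                $form = 'plaintext'   # <Credentials><Password>...</Password> style
            }
            else { continue }
            [pscustomobject]@{ File = $file; Parent = $node.ParentNode.LocalName; Element = $node.LocalName; Form = $form }
        }
    }
}

# Recent events that mention Unattend or come from a deployment provider.
# ASSUMPTION: text filter only; replace with the event IDs named in KB 5074952.
function Get-UnattendEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = @('System', 'Application'); StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Deployment*' -or $_.Message -like '*Unattend*' } |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message
}

# --- main -----------------------------------------------------------------
$state = Get-HandsFreeState -Key $HandsFreeKey -Name $ValueName
$state | Format-List
if ($Enforce -and -not $state.Compliant) {
    Set-HandsFreeDisabled -Key $HandsFreeKey -Name $ValueName
    Get-HandsFreeState -Key $HandsFreeKey -Name $ValueName | Format-List
}

$findings = @(Find-UnattendCredentials -Root $WdsRoot)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { "No embedded credentials found in answer files under $WdsRoot" }

Get-UnattendEvents | Format-Table -AutoSize
```

Run it first without -Enforce from an elevated prompt to see the current state and any answer files that embed credentials; the findings are the files to clean up or rotate before the April 2026 change, since the article's point is that anything in Unattend.xml may have been observable on the network. Add -Enforce (or -Enforce -WhatIf to preview) once the placeholder key path has been replaced with the one from KB 5074952.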
Acting promptly is crucial to prevent disruption in deployment processes and to enhance security across enterprise environments. Microsoft has provided detailed guidance in their KB article 5074952 for impacted organizations.
Conclusion
The discovery of CVE-2026-0386 highlights the importance of robust security measures in deployment services. As attackers become more sophisticated, organizations must stay vigilant and proactive in addressing vulnerabilities. Microsoft’s phased approach to disabling the hands-free deployment feature is a critical step in mitigating the risks associated with this flaw. Administrators are urged to implement the recommended actions to protect their systems effectively.
Cyber Security News