CVE-2026-40400: Patch Windows PowerShell RCE via July 14 Updates

Microsoft has patched CVE-2026-40400, a high-severity Windows PowerShell remote code execution vulnerability affecting supported Windows 10, Windows 11, and Windows Server releases. Administrators should deploy the July 14, 2026 cumulative security updates, particularly on systems where users or automation processes handle files and paths obtained from network locations.
Detailed in Microsoft’s Security Update Guide and published through the National Vulnerability Database, the flaw carries a CVSS 3.1 score of 8.0. Microsoft describes it as a relative path traversal weakness that allows an authorized attacker to execute code over a network.
The vulnerability is classified as Important rather than Critical because exploitation requires low-level privileges and user interaction. It is not an unauthenticated, self-propagating PowerShell compromise, but a successful attack could still produce a complete loss of confidentiality, integrity, and availability within the affected security context.

Cybersecurity dashboard highlighting a path traversal vulnerability and a 78% complete security update.A Network Attack With Important Preconditions​

The CVSS vector for CVE-2026-40400 is AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. In practical terms, an attacker can deliver the attack over a network, exploitation is not considered technically complex, and successful code execution could have a high impact on data and system availability.
Two requirements materially constrain the threat. The attacker must already have low privileges, and another user must perform an action before exploitation succeeds. CISA’s initial Stakeholder-Specific Vulnerability Categorization data likewise marks the issue as not automatable, with no exploitation observed as of July 14.
That distinction matters because remote code execution can suggest a server waiting for arbitrary commands from the internet. Microsoft’s scoring does not describe that scenario here. CVE-2026-40400 is better understood as a network-deliverable attack chain in which PowerShell mishandles a relative path after the attacker has obtained some authorized access and induced user interaction.
Microsoft has not publicly documented the complete exploitation sequence. The available description does not specify whether the trigger is a script, module, configuration artifact, archive, shortcut, or another object processed through PowerShell. Administrators should therefore avoid building narrow detection rules around an assumed file format until Microsoft or the vulnerability’s reporter publishes further technical details.
The underlying weakness is CWE-23, Relative Path Traversal. This class of bug occurs when software fails to constrain relative path components such as ..\, potentially allowing a reference to escape its expected directory and reach attacker-controlled or otherwise unintended content.
For PowerShell, that can be especially consequential. PowerShell is not merely an interactive shell: it is a standard management interface used by Windows administration tools, scheduled tasks, deployment systems, remote-management workflows, and enterprise automation. Code that runs through it can inherit access to files, credentials, network resources, and management interfaces available to the invoking account.

The Affected List Spans Clients and Servers​

Microsoft’s submitted CVE record covers a broad range of Windows releases. The affected client platforms include Windows 10 versions 1607, 1809, 21H2, and 22H2, along with Windows 11 versions 24H2, 25H2, and 26H1.
The server list stretches from Windows Server 2012 through Windows Server 2025. Server Core installations are explicitly included for Windows Server 2012, 2012 R2, 2016, 2019, and 2025, removing any assumption that the absence of the full desktop experience eliminates exposure.
The corrected build levels recorded by Microsoft include:
  • Windows 10 version 1607 and Windows Server 2016 move to build 14393.9339.
  • Windows 10 version 1809 and Windows Server 2019 move to build 17763.9020 through KB5099538.
  • Windows 10 versions 21H2 and 22H2 move to builds 19044.7548 and 19045.7548.
  • Windows 11 version 24H2 moves to build 26100.8875.
  • Windows 11 version 26H1 moves to build 28000.2525.
  • Windows Server 2022 moves to build 20348.5386 through KB5099540.
  • Windows Server 2025 moves to build 26100.33158.
Windows 11 versions 24H2 and 25H2 receive July servicing through KB5101650, with Microsoft’s support documentation listing OS builds in the 26100.8875 and 26200.8870 range. Administrators should use the applicable July cumulative update and Microsoft’s release-health information rather than relying solely on version thresholds copied from early CVE feeds, which may contain formatting inconsistencies while records are being enriched.
Older Windows 10 versions listed in the record generally represent LTSC, IoT, or Extended Security Updates deployments rather than ordinary consumer installations. A Windows 10 22H2 device is only protected if it remains eligible for security servicing and has actually received the July package; reaching the end of mainstream support does not make an unpatched installation immune.
The National Vulnerability Database still marked CVE-2026-40400 as undergoing enrichment shortly after publication. Its affected-product information and Microsoft-supplied CVSS score were available, but NIST had not yet added an independent CVSS assessment or full CPE applicability analysis.

PowerShell’s Reach Raises the Operational Stakes​

CVE-2026-40400 was one of 145 remote code execution vulnerabilities addressed during Microsoft’s unusually large July 2026 Patch Tuesday release. BleepingComputer counted 570 Microsoft vulnerabilities fixed that month, including 59 rated Critical, while listing the PowerShell issue as Important.
That crowded release creates a prioritization problem for enterprise teams. CVE-2026-40400 was not one of the July zero-days reported as actively exploited, but its low attack complexity, network attack vector, and potential for total technical impact make it a poor candidate for prolonged deferral.
Exposure will vary considerably by system role. A workstation used only for standard applications presents a different risk from a jump server, build agent, administrative workstation, or automation host that regularly consumes scripts and packages from shared repositories.
Privileged Access Workstations deserve particular attention even though the vulnerability nominally requires only low privileges. The CVSS scope is unchanged, meaning exploitation does not automatically cross a security boundary, but malicious code running in a valuable PowerShell session can still use whatever authority that session legitimately possesses. An administrator launching PowerShell with elevated credentials could therefore turn a constrained initial attack into a much more serious incident.
Organizations should also review processes that resolve paths against current working directories or invoke scripts from SMB shares, WebDAV locations, extracted archives, source checkouts, and user-writable directories. These are sensible review targets for a path-traversal issue, not confirmed exploit mechanisms for CVE-2026-40400.
Security teams can use existing controls to reduce opportunities while updates move through testing. Application control through Windows Defender Application Control or AppLocker can restrict unauthorized scripts and binaries, while PowerShell script-block logging, module logging, and process-creation telemetry can improve visibility. Microsoft Defender for Endpoint and other EDR platforms should be monitored for PowerShell processes launching unexpected executables or accessing unusual network paths.
These controls are layers, not substitutes for the security update. Execution-policy settings alone are not a dependable security boundary and should not be treated as mitigation for a flaw in PowerShell’s path handling.

Patch the Operating System, Then Verify the Build​

The fix is delivered through Windows servicing rather than as a separate PowerShell package. Updating PowerShell 7 from its GitHub or Microsoft Store distribution should not be assumed to remediate a vulnerability identified against the Windows PowerShell component included with the operating system.
Administrators should first identify devices running the affected Windows builds, approve the applicable July 14 cumulative update in Windows Update for Business, WSUS, Microsoft Configuration Manager, Azure Update Manager, or their chosen patch platform, and then verify installation after restart. Server Core and management servers should remain in scope even if they rarely host interactive PowerShell sessions.
Pilot testing remains appropriate because the July cumulative updates contain many changes beyond CVE-2026-40400. Microsoft’s July servicing documentation includes security hardening and compatibility changes in areas such as networking, Secure Boot, NTLM auditing, Remote Desktop publisher certificates, and OLE Automation, depending on the Windows release.
The immediate checkpoint is straightforward: affected systems should report the July 2026 cumulative update and a corrected OS build at or above Microsoft’s published level. Until that verification is complete, any Windows machine that processes network-sourced content through Windows PowerShell should be treated as exposed to CVE-2026-40400.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: tomshardware.com
 

Back
Top