CVE-2026-49180 affects the Windows Universal Plug and Play library,
Detailed in the Microsoft Security Response Center’s Security Update Guide, the vulnerability spans supported Windows 11 releases, several Windows 10 editions, and Windows Server versions dating back to Windows Server 2012. Administrators should verify cumulative-update deployment rather than assuming that disabling network discovery or blocking UPnP traffic fully addresses the issue: Microsoft classifies the attack vector as local, not network-based.
The public record remains thin, and one important inconsistency deserves attention. Microsoft describes CVE-2026-49180 as an information-disclosure vulnerability, but its published CVSS vector indicates no confidentiality impact and a high integrity impact. Until Microsoft revises or expands the advisory, defenders should treat the technical effect as incompletely documented.
Universal Plug and Play is normally associated with device discovery and automatic configuration on local networks. Windows applications and services can use UPnP to identify compatible devices and interact with network equipment without requiring users to enter addresses or manually configure connections.
CVE-2026-49180 is not described as a remotely exploitable UPnP protocol weakness, however. The National Vulnerability Database’s Microsoft-supplied description says an authorized attacker must exploit the problem locally, with low privileges and no user interaction.
The underlying weakness is categorized as CWE-59, Improper Link Resolution Before File Access, commonly called link following. This class of vulnerability occurs when software accesses a path without safely resolving symbolic links, junctions, mount points, or similar redirection mechanisms first.
An attacker who can create or manipulate such a link may redirect a privileged component toward an unintended file or location. Depending on how that component subsequently opens, reads, writes, or replaces the target, the practical result can range from information exposure to unauthorized modification.
That distinction matters here because Microsoft’s CVSS vector is
That vector does not neatly match the advisory’s “Information Disclosure” title or its statement that an attacker could disclose information. The most defensible reading is that Microsoft has confirmed the vulnerable link-resolution behavior, but the public impact data is not yet internally consistent.
Organizations should avoid building narrow detections around a presumed read-only data leak until MSRC clarifies the discrepancy. Unsafe link handling can be highly dependent on the calling process, its token, the target directory, and what operation
The published fixed-build boundaries are:
For mainstream Windows 11 24H2 and 25H2 devices, the July security fix arrives through KB5101650, taking systems to builds 26100.8875 and 26200.8875 respectively. The update is a mandatory cumulative security release distributed through Windows Update, Windows Update for Business, WSUS, and the Microsoft Update Catalog.
Windows 11 26H1 presents a less conventional case. Microsoft’s affected-version record places the security boundary at build 28000.2269, which was already delivered through KB5095051 in June 2026. Devices on that build or later therefore meet the threshold published for CVE-2026-49180 even though the CVE itself was disclosed in July.
Administrators should compare complete OS build numbers, not merely Windows marketing versions. A machine reporting Windows 11 24H2 can still be exposed if its revision remains below 26100.8875, while a properly serviced system on the same feature release has crossed Microsoft’s fixed-build boundary.
An attacker must already possess authorized local access, represented by
Low attack complexity and the absence of a user-interaction requirement make the bug more relevant after an initial compromise. Once code is running under a low-privilege identity, exploitation reportedly does not require a race against unpredictable conditions or another user opening a crafted file.
Microsoft and CISA’s initial public data report no known exploitation. CISA’s Stakeholder-Specific Vulnerability Categorization assessment also marks the issue as not readily automatable and assigns it partial technical impact, reinforcing that this is not currently presented as a wormable or mass-exploitation route.
Those qualifiers reduce urgency compared with a critical remote-code-execution flaw, but they do not make the patch optional. Local vulnerabilities are routinely combined with phishing, credential theft, browser exploits, malicious installers, and exposed remote-access accounts to deepen an intrusion after the attacker establishes a foothold.
The appropriate response is to deploy the applicable cumulative security update and confirm the resulting build. IT teams should pay particular attention to devices that are powered off during maintenance windows, systems held behind safeguard policies, and older Windows Server installations receiving updates through extended support arrangements.
Endpoint detection teams can also watch for suspicious creation and use of symbolic links or NTFS junctions around paths accessed by UPnP-related processes. Such telemetry is not a substitute for patching, and without a public proof of concept it may generate substantial noise, but it can assist investigations where a low-privilege account begins manipulating reparse points unexpectedly.
NIST still labels the CVE as undergoing enrichment, while Microsoft has not publicly supplied a detailed exploit sequence, affected function, proof of concept, or explanation for the CVSS impact mismatch. The immediate administrative milestone is therefore concrete: Windows 11 24H2 and 25H2 systems should reach builds 26100.8875 and 26200.8875, and every other listed Windows branch should meet or exceed Microsoft’s corresponding fixed-build threshold.
upnp.dll, and can allow a locally authenticated attacker to expose or improperly affect protected information through unsafe link handling. Microsoft disclosed the flaw on July 14, 2026, alongside its monthly security updates, assigning it a CVSS 3.1 base score of 5.5 and a Medium severity rating.Detailed in the Microsoft Security Response Center’s Security Update Guide, the vulnerability spans supported Windows 11 releases, several Windows 10 editions, and Windows Server versions dating back to Windows Server 2012. Administrators should verify cumulative-update deployment rather than assuming that disabling network discovery or blocking UPnP traffic fully addresses the issue: Microsoft classifies the attack vector as local, not network-based.
The public record remains thin, and one important inconsistency deserves attention. Microsoft describes CVE-2026-49180 as an information-disclosure vulnerability, but its published CVSS vector indicates no confidentiality impact and a high integrity impact. Until Microsoft revises or expands the advisory, defenders should treat the technical effect as incompletely documented.
A Local Flaw Inside a Network-Oriented Component
Universal Plug and Play is normally associated with device discovery and automatic configuration on local networks. Windows applications and services can use UPnP to identify compatible devices and interact with network equipment without requiring users to enter addresses or manually configure connections.CVE-2026-49180 is not described as a remotely exploitable UPnP protocol weakness, however. The National Vulnerability Database’s Microsoft-supplied description says an authorized attacker must exploit the problem locally, with low privileges and no user interaction.
The underlying weakness is categorized as CWE-59, Improper Link Resolution Before File Access, commonly called link following. This class of vulnerability occurs when software accesses a path without safely resolving symbolic links, junctions, mount points, or similar redirection mechanisms first.
An attacker who can create or manipulate such a link may redirect a privileged component toward an unintended file or location. Depending on how that component subsequently opens, reads, writes, or replaces the target, the practical result can range from information exposure to unauthorized modification.
That distinction matters here because Microsoft’s CVSS vector is
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. It describes a local attack requiring low privileges, with low complexity, no victim interaction, no security-scope change, no confidentiality impact, high integrity impact, and no availability impact.That vector does not neatly match the advisory’s “Information Disclosure” title or its statement that an attacker could disclose information. The most defensible reading is that Microsoft has confirmed the vulnerable link-resolution behavior, but the public impact data is not yet internally consistent.
Organizations should avoid building narrow detections around a presumed read-only data leak until MSRC clarifies the discrepancy. Unsafe link handling can be highly dependent on the calling process, its token, the target directory, and what operation
upnp.dll performs after resolving the attacker-controlled path.The Affected Windows Footprint Is Broad
Microsoft’s CVE record lists client and server editions across multiple servicing generations. The affected range includes Windows 11 versions 24H2, 25H2, and 26H1, as well as Windows 10 versions still covered through specialized or extended servicing channels.The published fixed-build boundaries are:
- Windows 11 24H2 is affected below build 26100.8875.
- Windows 11 25H2 is affected below build 26200.8875.
- Windows 11 26H1 is affected below build 28000.2269.
- Windows 10 22H2 is affected below build 19045.7548.
- Windows 10 21H2 is affected below build 19044.7548.
- Windows 10 version 1809 and Windows Server 2019 are affected below build 17763.9020.
- Windows 10 version 1607 and Windows Server 2016 are affected below build 14393.9339.
- Windows Server 2022 is affected below build 20348.5386.
- Windows Server 2025 is affected below build 26100.33158.
- Windows Server 2012 is affected below build 9200.26226, while Windows Server 2012 R2 is affected below build 9600.23291.
For mainstream Windows 11 24H2 and 25H2 devices, the July security fix arrives through KB5101650, taking systems to builds 26100.8875 and 26200.8875 respectively. The update is a mandatory cumulative security release distributed through Windows Update, Windows Update for Business, WSUS, and the Microsoft Update Catalog.
Windows 11 26H1 presents a less conventional case. Microsoft’s affected-version record places the security boundary at build 28000.2269, which was already delivered through KB5095051 in June 2026. Devices on that build or later therefore meet the threshold published for CVE-2026-49180 even though the CVE itself was disclosed in July.
Administrators should compare complete OS build numbers, not merely Windows marketing versions. A machine reporting Windows 11 24H2 can still be exposed if its revision remains below 26100.8875, while a properly serviced system on the same feature release has crossed Microsoft’s fixed-build boundary.
Exposure Requires Access, but Not Cooperation
The local attack vector substantially limits drive-by risk. CVE-2026-49180 is not documented as allowing an unauthenticated Internet attacker to send a malicious SSDP packet and retrieve files from a Windows machine.An attacker must already possess authorized local access, represented by
PR:L in the CVSS vector. That could include a compromised standard user account, malicious code executing in a user session, or an operator who has legitimate but restricted access to a shared system.Low attack complexity and the absence of a user-interaction requirement make the bug more relevant after an initial compromise. Once code is running under a low-privilege identity, exploitation reportedly does not require a race against unpredictable conditions or another user opening a crafted file.
Microsoft and CISA’s initial public data report no known exploitation. CISA’s Stakeholder-Specific Vulnerability Categorization assessment also marks the issue as not readily automatable and assigns it partial technical impact, reinforcing that this is not currently presented as a wormable or mass-exploitation route.
Those qualifiers reduce urgency compared with a critical remote-code-execution flaw, but they do not make the patch optional. Local vulnerabilities are routinely combined with phishing, credential theft, browser exploits, malicious installers, and exposed remote-access accounts to deepen an intrusion after the attacker establishes a foothold.
Patch Verification Matters More Than UPnP Workarounds
Microsoft has not published a CVE-specific workaround in the available advisory information. Disabling the UPnP Device Host service or network discovery may reduce unrelated UPnP exposure, but the published attack vector does not establish those changes as a complete mitigation for the vulnerable library behavior.The appropriate response is to deploy the applicable cumulative security update and confirm the resulting build. IT teams should pay particular attention to devices that are powered off during maintenance windows, systems held behind safeguard policies, and older Windows Server installations receiving updates through extended support arrangements.
Endpoint detection teams can also watch for suspicious creation and use of symbolic links or NTFS junctions around paths accessed by UPnP-related processes. Such telemetry is not a substitute for patching, and without a public proof of concept it may generate substantial noise, but it can assist investigations where a low-privilege account begins manipulating reparse points unexpectedly.
NIST still labels the CVE as undergoing enrichment, while Microsoft has not publicly supplied a detailed exploit sequence, affected function, proof of concept, or explanation for the CVSS impact mismatch. The immediate administrative milestone is therefore concrete: Windows 11 24H2 and 25H2 systems should reach builds 26100.8875 and 26200.8875, and every other listed Windows branch should meet or exceed Microsoft’s corresponding fixed-build threshold.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com