CVE-2026-50365: Patch Windows RPC Privilege Escalation

Microsoft has patched CVE-2026-50365, an Important-rated elevation-of-privilege vulnerability in the Windows Remote Access Management service/API RPC server that could let an unauthenticated attacker gain elevated privileges from an adjacent network. The fix arrived with the July 14, 2026 security updates and applies across Windows 10, Windows 11, and Windows Server installations dating back to Server 2012.
Detailed in Microsoft’s Security Update Guide, the flaw stems from improper authentication in a Windows Remote Procedure Call API. Microsoft assigned it a CVSS 3.1 base score of 8.0, while the National Vulnerability Database identifies the underlying weakness as CWE-287, Improper Authentication.
CVE-2026-50365 was not publicly disclosed or known to be exploited when Microsoft released the patch. That keeps it out of the zero-day category, but its lack of an authentication prerequisite and potential impact on confidentiality, integrity, and availability make it relevant to administrators responsible for remotely managed or broadly connected Windows systems.

Cybersecurity dashboard showing a vulnerable remote gateway patched across corporate networks and data centers.Adjacent Access Narrows—but Does Not Remove—the Risk​

The CVSS vector is AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. In practical terms, an attack requires adjacent-network access, has low attack complexity, requires no existing privileges, and depends on user interaction.
Adjacent network is an important limitation. Microsoft is not describing a vulnerability that any attacker can necessarily exploit directly across the public internet. The attacker must be able to reach the vulnerable RPC service from a logically or physically neighboring network environment, such as the same local segment, a shared wireless network, a connected VPN, or another network position that exposes the relevant RPC path.
That distinction matters for prioritization, but it should not become an excuse to defer deployment indefinitely. Attackers who have compromised one workstation frequently use accessible management protocols and Windows services to move laterally. A vulnerability that is difficult to reach from outside an organization may become considerably more useful once an attacker has entered the network through phishing, stolen credentials, an exposed appliance, or another compromised endpoint.
Microsoft’s vector also records user interaction as required, although the public advisory does not provide enough technical detail to establish exactly what the target must do. Administrators should not assume this means a conventional malicious attachment or a conspicuous security prompt. Until Microsoft or an independent researcher documents the attack sequence, the safest interpretation is simply that exploitation cannot be completed entirely without an action by another user.
Low attack complexity and no privilege requirement remain the more concerning properties. An attacker in the necessary network position would not first need a valid Windows account or administrative token to begin exploiting the authentication failure.

A Successful Attack Carries Full-Impact Metrics​

Although Microsoft classifies CVE-2026-50365 as Important rather than Critical, the CVSS impact metrics are high for confidentiality, integrity, and availability. That scoring indicates that successful exploitation could give an attacker substantial control over the affected security context rather than granting only a narrow permission or exposing a small amount of information.
The public CVE description says an unauthorized attacker could elevate privileges, but it does not identify the precise privilege level obtained. Microsoft has also not published a proof of concept, detailed RPC interface information, affected endpoint identifiers, or a root-cause analysis.
That limited disclosure is normal for a newly patched Windows vulnerability, especially where additional technical details could shorten the path to weaponization. It also means defenders should avoid filling the gaps with assumptions. The available evidence confirms an improper-authentication defect with significant potential impact, but it does not yet establish a reliable exploitation chain or indicate that widespread scanning can detect vulnerable RPC behavior directly.
The National Vulnerability Database marked the entry as awaiting enrichment shortly after publication. CISA’s initial SSVC data recorded no known exploitation, assessed the vulnerability as not readily automatable, and treated its potential technical impact as total. Those fields support a measured response: deploy the update promptly, but do not treat the advisory as evidence of an ongoing internet-wide attack campaign.
Microsoft’s temporal scoring also reflects confirmed vulnerability information and an official remediation. The report confidence component does not estimate whether administrators will be attacked; it describes confidence that the vulnerability and its documented technical characteristics are real. Because Microsoft acknowledged the flaw and released corrected Windows builds, its existence is confirmed even though the company has withheld most exploit-development details.

The Affected List Reaches Across the Windows Estate​

CVE-2026-50365 affects both desktop and server releases, including Server Core installations. Microsoft’s published version boundaries show that systems below the following corrected builds remain affected:
  • Windows 10 version 1607 and Windows Server 2016 require build 14393.9339 or later.
  • Windows 10 version 1809 and Windows Server 2019 require build 17763.9020 or later.
  • Windows 10 versions 21H2 and 22H2 require builds 19044.7548 and 19045.7548, respectively.
  • Windows 11 versions 24H2 and 25H2 require build 26100.8875 or 26200.8875.
  • Windows 11 version 26H1 requires build 28000.2525 or later.
  • Windows Server 2012 requires build 9200.26226, while Server 2012 R2 requires build 9600.23291.
  • Windows Server 2022 requires build 20348.5386 or later.
  • Windows Server 2025 requires build 26100.33158 or later.
The inclusion of Windows Server 2012 and Server 2012 R2 is operationally significant because those platforms are in Extended Security Updates rather than ordinary support. Organizations still running them need the appropriate ESU entitlement and update channel; seeing a corrected build in vulnerability data does not mean every legacy server will receive it automatically.
Windows 10 versions 21H2 and 22H2 also require attention to servicing eligibility. Many editions have passed their standard support milestones, so administrators should verify that the machines are enrolled in an applicable extended update program rather than assuming Windows Update will close the gap.
The broad product range suggests the vulnerable behavior sits in long-lived Windows RPC and remote-management functionality rather than a recently introduced Windows 11 feature. That makes inventory accuracy especially important. Older servers, isolated management appliances, and systems maintained outside the primary endpoint-management platform are precisely the assets most likely to remain below the corrected build.

Build Verification Beats a Green Dashboard​

The immediate remediation is to install the July 14 Windows cumulative security update appropriate for each supported operating-system release. Because Windows cumulative updates supersede earlier fixes, later cumulative updates should also contain the correction unless Microsoft documents a servicing exception.
Administrators should verify the resulting OS build rather than relying solely on an update deployment status of “successful.” A machine can report successful installation and still require a restart, fail during the reboot phase, or remain on an unexpected servicing branch.
Windows 11 users can check the installed build by running winver or opening Settings, selecting System, and then About. Enterprise teams can query build information through PowerShell, Windows Management Instrumentation, Microsoft Intune, Configuration Manager, Azure Update Manager, or their existing vulnerability-management platform.
RPC filtering and network segmentation can reduce exposure, particularly between user VLANs, server networks, VPN address pools, and privileged administration segments. Those controls should be treated as defense in depth, not substitutes for the update. Windows RPC is deeply integrated into management and system operations, and indiscriminate port blocking can break legitimate services without proving that the vulnerable interface is unreachable.
Monitoring should focus on unusual RPC activity across network boundaries, unexpected remote-management traffic from user devices, and attempts to pivot from unmanaged or low-trust network segments. Microsoft has not provided exploit-specific indicators of compromise for CVE-2026-50365, so defenders currently have no authoritative event ID, process pattern, or network signature that conclusively identifies an attack.
For most environments, patching exposed servers and remotely managed endpoints first is the practical order of operations. The next meaningful change will come if Microsoft revises its exploitability assessment, CISA observes exploitation, or researchers disclose the affected RPC interface. Until then, reaching the corrected build is the clearest way to remove CVE-2026-50365 from the lateral-movement paths available inside a Windows network.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top