CVE-2026-0386
📋 TL;DR
This vulnerability allows an unauthorized attacker on an adjacent network to execute arbitrary code on Windows systems running vulnerable Windows Deployment Services. It affects organizations using Windows Deployment Services for network-based operating system deployment.
💻 Affected Systems
- Windows Deployment Services
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise leading to domain takeover, lateral movement across the network, and deployment of ransomware or other malware.
Likely Case
Unauthorized code execution on deployment servers, potentially compromising PXE boot infrastructure and allowing attackers to deploy malicious operating system images.
If Mitigated
Limited impact with proper network segmentation and access controls preventing adjacent network access to deployment services.
🎯 Exploit Status
Requires network access to Windows Deployment Services port (typically UDP 67, 68, 4011, TCP 135, 5040).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0386
Restart Required: Yes
Instructions:
1. Apply latest Windows Server security updates from Microsoft Update. 2. Restart affected servers. 3. Verify Windows Deployment Services restarts successfully.
🔧 Temporary Workarounds
Network Segmentation
allIsolate Windows Deployment Services to dedicated VLAN with strict access controls
Disable Unused Services
windowsTemporarily disable Windows Deployment Services if not actively needed
sc config WDSServer start= disabled
net stop WDSServer
🧯 If You Can't Patch
- Implement strict network ACLs allowing only authorized management systems to access Windows Deployment Services ports
- Deploy host-based firewall rules restricting access to Windows Deployment Services to specific IP addresses
🔍 How to Verify
Check if Vulnerable:
Check if Windows Deployment Services role is installed and running: Get-WindowsFeature -Name WDSCheck Version:
wdsutil /get-server /show:configVerify Fix Applied:
Verify Windows Update history contains the relevant security update and Windows Deployment Services version matches patched release📡 Detection & Monitoring
Log Indicators:
- Unauthorized PXE boot requests
- Unexpected TFTP file transfers
- Windows Deployment Services authentication failures
Network Indicators:
- Unusual traffic to UDP port 4011
- TFTP requests from unauthorized IPs
- DHCP option 60 anomalies
SIEM Query:
source="Windows Security" EventID=4625 AND ProcessName="svchost.exe" AND Service="WDSServer"