ThreatLevelBeta
Planned Fix

CVE-2026-33826

Microsoft Windows Active Directory RCE via RPC
Loading...

Summary

Windows Active Directory on Windows Server domain controllers lets an authenticated attacker send a crafted RPC call that bypasses input validation and runs code on the RPC host with service-level permissions. The issue requires a low-privilege account in the same restricted AD domain and no user interaction, so it is most dangerous in organizations with internally reachable domain infrastructure. Successful exploitation can lead to arbitrary code execution on the affected server.

Why Planned Fix?

3/6
Authentication required
Internal deployment
No user interaction needed
Exploitable in default configuration
No active exploitation or PoC
High impact vulnerability

Exploitation Details

Type
RCE (Remote Code Execution)
Is exploitable with default configuration?
Yes
Is authentication needed?
Yes
PoC / Exploit
No
Impact

Execute arbitrary code on the affected server with RPC service permissions

RCE (Remote Code Execution)
Exploitation Requirements
  • Authentication required
Exploitation Process

An attacker first needs authenticated access in the target Active Directory domain. They then send a specially crafted RPC call to the vulnerable RPC host that processes Active Directory requests. If the malformed input passes into the flawed validation path, the server executes attacker-controlled code with the permissions of the RPC service, which can be confirmed by command execution or other attacker-controlled behavior on the target.

Detection Resources
Manual Detection
0
Script Detection
0
Scanner Detection
Tenable Nessus
1

Affected Software

Vendor:Microsoft
ProductAffected Versions
Windows Active DirectoryWindows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025, and Windows Server version 23H2
Description

Microsoft's directory service for Windows domains that centralizes authentication, authorization, and identity management.

Deployment:Typically internal
|
Protocol:RPC
|
Ports:135
Affected ComponentRPC request handling in Windows Active Directory on domain controllers.

RPC request handling in Windows Active Directory on domain controllers.

Enterprise UsageEstimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals — not exact data.
Very Low
Low
Medium
High
Very High
Vendor Size:Big
Remediation
Workaround

Not available

Patch
Apply the April 14, 2026 Microsoft security update for your Windows Server release: KB5082063 (Server 2025), KB5082142 (Server 2022 / Azure Stack HCI 22H2), KB5082123 (Server 2019), KB5082198 (Server 2016), KB5082126 (Server 2012 R2), or KB5082060 (Server version 23H2).

Apply the April 14, 2026 Microsoft security update for your Windows Server release: KB5082063 (Server 2025), KB5082142 (Server 2022 / Azure Stack HCI 22H2), KB5082123 (Server 2019), KB5082198 (Server 2016), KB5082126 (Server 2012 R2), or KB5082060 (Server version 23H2).

msrc.microsoft.com
Update

Not available

Threat Intelligence
EPSS Score0.4%

Probability of exploitation in the next 30 days

EPSS Percentile59%

Worse than 59% of all CVEs

Last updated: Loading...
CISAKEV
CISA KEV
Not Listed
Active Exploitation
No Evidence
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data

Published: Loading...Modified: Loading...

Description Summary

Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network.

CVSS Base Score

8.0
High

CVSS Vector (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Attack Vector (AV)
Physical
Local
Adjacent
Network
Attack Complexity (AC)
High
Low
Privileges Required (PR)
High
Low
None
User Interaction (UI)
Required
None
Scope (S)
Unchanged
Changed
Confidentiality (C)
None
Low
High
Integrity (I)
None
Low
High
Availability (A)
None
Low
High
CWE:CWE-20 Improper Input Validation
|
NVD:CVE-2026-33826
|
Version From:
|
Version Upto:

Sources

4
SourceArticle
msrc.microsoft.comCVE-2026-33826 Security Update Guide
crowdstrike.comApril 2026 Patch Tuesday Analysis
tenable.comCVE-2026-33826
tenable.comCVE-2026-33826 Plugins

Priority History

Planned FixLoading...

Initial analysis