CVE-2026-44810: Windows Cryptographic Services Privilege Escalation (CVSS 8.4)
A flaw in Windows Cryptographic Services fails to properly authenticate certain operations, allowing an attacker with local access to bypass security controls and gain elevated system privileges. The vulnerability affects multiple versions of Windows 11 and Windows Server 2022/2025. An attacker with standard user access could exploit this to run code with administrative rights, potentially compromising the entire system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-287
- Affected products
- 10 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Improper authentication in Windows Cryptographic Services allows an unauthorized attacker to elevate privileges locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-44810 is a privilege escalation vulnerability rooted in improper authentication mechanisms within the Windows Cryptographic Services component (CWE-287). The vulnerability has a CVSS 3.1 score of 8.4 (HIGH), with a local attack vector, low attack complexity, and no privilege or user interaction requirements. The flaw permits an unauthenticated local attacker to escalate privileges to SYSTEM level, achieving full confidentiality, integrity, and availability compromise of the affected host.
Business impact
This vulnerability poses significant operational risk to organizations running affected Windows infrastructure. An insider or local attacker could gain administrative control to install backdoors, exfiltrate sensitive data, modify audit logs, disable security software, or launch lateral movement attacks across the network. Organizations managing hybrid environments with Windows 11 or Server 2022/2025 deployments face potential widespread exposure if unpatched. Recovery from exploitation could involve forensic investigation, credential reset across dependent systems, and possible breach notification obligations.
Affected systems
The vulnerability affects Windows 11 (versions 23H2, 24H2, 25H2, and 26H1) and Windows Server 2022 and Windows Server 2025. Organizations should inventory systems running these operating system versions to prioritize remediation efforts. The broad version range suggests the underlying flaw may have existed across multiple OS release cycles.
Exploitability
The attack requires local access but no special privileges or user interaction, making it practical for insider threats, compromised accounts with standard user permissions, or physical access scenarios. The low attack complexity means the exploit method is straightforward once an attacker gains local system access. However, the vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not yet been formally documented as of the publication date.
Remediation
Patch deployment is the primary remediation path. Verify the availability of security updates from Microsoft addressing this flaw across all affected Windows versions. Test patches in a controlled environment before production rollout given the critical nature of the cryptographic services component. For systems where immediate patching is infeasible, restrict local access through strong access controls, disable unnecessary local accounts, and monitor for suspicious privilege escalation activity.
Patch guidance
Contact Microsoft or review the official Windows security updates released on or after June 9, 2026 for fixes addressing CVE-2026-44810. Verify patch applicability by checking your system version (23H2, 24H2, 25H2, 26H1 for Windows 11; identify your Server 2022/2025 build). Test in a staging environment before deploying to production systems, particularly in environments where cryptographic services are performance-critical. Prioritize server infrastructure given the broader attack surface and higher business impact of server compromise.
Detection guidance
Monitor Windows Event Viewer for privilege escalation attempts, particularly events indicating SYSTEM-level token creation from low-privilege processes. Enable audit policies for sensitive privilege use (local policy: Audit Privilege Use). Search for unexpected calls to cryptographic APIs or authentication failures within Cryptographic Services logs. Endpoint detection and response (EDR) tools should flag suspicious process privilege elevation chains originating from standard user contexts. Review access logs for systems accessed after the vulnerability publication date to identify potential post-compromise artifacts.
Why prioritize this
This vulnerability merits high-priority remediation due to its 8.4 CVSS score, local privilege escalation capability, and widespread impact across consumer and server Windows versions. The ability to escalate from standard user to SYSTEM without user interaction creates acute risk in multi-tenant or shared-access environments. Organizations should prioritize patching Windows Server systems first due to higher business criticality, followed by Windows 11 endpoints in sensitive roles (developer workstations, administrative jump servers).
Risk score, explained
The 8.4 CVSS score reflects the high severity: local attack vector, no privilege prerequisites, guaranteed impact on confidentiality/integrity/availability, and scoped to the individual system. While not a network-based vulnerability limiting blast radius, the ease of exploitation combined with complete system compromise justifies the HIGH severity classification. The absence of KEV listing suggests organizations have a window to patch proactively before active exploitation becomes widespread.
Frequently asked questions
Do I need local access to exploit this vulnerability?
Yes. An attacker must have local access to the system—either through a compromised user account, physical access, or prior network compromise. However, no elevated privileges are required; a standard user account is sufficient. This makes the vulnerability relevant in shared computing environments, cloud-hosted systems with multi-tenant isolation, and scenarios involving insider threat risks.
What versions of Windows are affected?
Windows 11 (23H2, 24H2, 25H2, 26H1) and Windows Server 2022 and Server 2025 are confirmed affected. If you operate any of these versions, prioritize checking for available security updates. Verify your exact OS build via 'winver' (client) or 'systeminfo' (server) to confirm applicability.
Is there an active exploit or zero-day campaign?
As of the publication date (June 9, 2026), CVE-2026-44810 is not listed in CISA's Known Exploited Vulnerabilities catalog, meaning no confirmed widespread active exploitation has been documented. However, this does not guarantee the flaw is not known or being exploited in targeted campaigns. Treat the vulnerability as high-priority regardless and do not wait for KEV listing before patching.
What is CWE-287 and why does it matter?
CWE-287 is improper authentication—a weakness where a system fails to properly verify the identity or authorization of an entity before granting access to resources. In this case, the cryptographic services component does not properly authenticate callers, allowing privilege escalation. This class of flaw is foundational to security and typically has broad impact.
This analysis is based on vulnerability data published as of June 17, 2026. Patch version numbers, remediation steps, and vendor guidance should be verified against official Microsoft security advisories and your organization's vulnerability management processes. This assessment does not constitute professional security advice; consult your security team and vendor documentation before implementing changes. Exploit code and detailed attack vectors are not provided. Organizations should conduct their own risk assessment based on their infrastructure, threat model, and business context. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10157HIGHOpen5GS NGAP Authentication Bypass Vulnerability – 5G Core Network Risk
- CVE-2026-10167HIGHAuthentication Bypass in BrinaryBrains School Management System
- CVE-2026-10243HIGHSmart Parking System 1.0 Authentication Bypass – Remote Admin Access
- CVE-2026-10281HIGHEnderfga claw-orchestrator Authentication Bypass – Patch Available
- CVE-2026-10288HIGHHotel Reservation System Admin Authentication Bypass
- CVE-2026-10617HIGHGoClaw Webhook Authentication Bypass – Remote Exploitation
- CVE-2026-10619HIGHsayan365 Student-Management-System Remote Authentication Bypass
- CVE-2026-10777HIGHealpha072 Student-Management-System Authentication Bypass in Admin Backend