HIGH 7.8

CVE-2026-45656: Windows UEFI Protection Mechanism Bypass (CVSS 7.8)

A flaw in Windows UEFI firmware allows someone with local access to bypass a built-in security protection. The attacker must already have basic user privileges on the system, but once exploited, they can read sensitive data, alter system files, or disable critical functions. This is a protection mechanism failure—think of it as a lock that should prevent unauthorized actions but doesn't work correctly under certain conditions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-693
Affected products
24 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Protection mechanism failure in Windows UEFI allows an authorized attacker to bypass a security feature locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45656 is a protection mechanism failure (CWE-693) in the Windows UEFI implementation that permits privilege escalation or security feature circumvention. The vulnerability has a CVSS 3.1 score of 7.8 (HIGH), with a local attack vector requiring low privileges and no user interaction. The impact scope is unchanged, but confidentiality, integrity, and availability are all rated high, indicating that successful exploitation grants broad system compromise. The flaw resides in UEFI firmware validation or enforcement logic, allowing an authenticated local user to bypass intended security controls.

Business impact

Organizations running affected Windows versions face a significant risk of privilege escalation and credential theft. A user with standard account privileges could escalate to administrative capabilities or extract sensitive data resident in protected memory or disk regions. In environments where endpoint security depends on firmware-level protections (such as Secure Boot or measured boot), this vulnerability undermines those guarantees. Server deployments are particularly concerning: compromise of a single user account could lead to host takeover, lateral movement, and data exfiltration.

Affected systems

The vulnerability affects a broad Windows footprint: Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server editions 2012, 2016, 2019, 2022, and 2025. Legacy and current-generation platforms are in scope, necessitating wide-ranging remediation efforts. Organizations should inventory systems by version to prioritize patch deployment.

Exploitability

The vulnerability requires local system access and user-level privileges—it is not remotely exploitable. However, the low complexity and absence of user interaction requirements mean that once an attacker holds a user account, exploitation is straightforward and reliable. The risk is highest in multi-tenant environments, shared workstations, and systems where non-administrative users have network logon capabilities. It is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, but the ease of exploitation and high impact suggest close monitoring is warranted.

Remediation

Microsoft must issue security updates for each affected Windows version and server edition. Organizations should prioritize patching in this order: (1) internet-facing servers and domain controllers, (2) workstations with internet access or email, (3) internal workstations and legacy systems. Patch availability and specific version numbers should be verified against Microsoft's official security advisories. Until patches are deployed, consider restricting local account creation and enforcing multi-factor authentication on all user accounts to reduce the likelihood of an attacker gaining initial access.

Patch guidance

Monitor Microsoft's security updates and apply patches as soon as they become available for your Windows versions. Given the breadth of affected products (spanning Windows 10, Windows 11, and multiple Server editions), plan for staged rollouts to avoid operational disruption. Test patches in a non-production environment first. Verify compatibility with line-of-business applications and security tools before broad deployment. Use Windows Update for client systems; Windows Server Update Services (WSUS) or other patch management tools for enterprise environments.

Detection guidance

Monitor for unusual UEFI firmware modifications, unexpected privilege escalation attempts, or suspicious system service activity originating from user-mode processes. Host-based detection can focus on anomalous firmware access patterns and attempts to disable or bypass Secure Boot or attestation features. Log authentication events for success/failure of lateral movement attempts following initial compromise. Firmware-level monitoring (if available) and Trusted Platform Module (TPM) attestation logs may reveal tampering. Endpoint Detection and Response (EDR) solutions should flag privilege escalation chains initiated from low-privilege user accounts.

Why prioritize this

This vulnerability merits high priority due to its 7.8 CVSS score, broad system impact (confidentiality, integrity, and availability), ubiquitous presence across Windows client and server editions, and the ease with which a local user can exploit it. While it requires pre-existing access, it is a post-compromise escalation vector that undermines fundamental OS security boundaries. The lack of current KEV tracking does not diminish urgency; proactive patching is critical given the ease of exploitation and the severity of the resulting compromise.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects high severity: local attack vector (AV:L) with low complexity (AC:L), requiring only low privileges (PR:L) and no user interaction (UI:N). Although the scope is unchanged (S:U), all three impact metrics—confidentiality, integrity, and availability—are rated high (C:H/I:H/A:H). This combination indicates that once exploited, the attacker gains broad control over system resources and data. The high score appropriately captures the critical nature of bypassing a core Windows UEFI protection mechanism.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-45656 requires local system access with user-level privileges. It is not remotely exploitable over a network. However, any method that grants an attacker a user account—phishing, credential compromise, or lateral movement from another compromised system—is a vector for initial access.

What is a UEFI protection mechanism, and why does its failure matter?

UEFI is the low-level firmware that initializes hardware before the operating system loads. Protection mechanisms like Secure Boot, measured boot, and firmware signing prevent unauthorized modification of system code at the firmware level. A failure in these mechanisms allows an attacker to modify or disable fundamental security controls, potentially persisting malware below the OS layer where traditional antivirus solutions cannot detect it.

Do I need to patch immediately, or can I wait for the next patch cycle?

Given the high severity and ease of exploitation, patching should be prioritized within your normal maintenance window but not deferred to a later cycle. If your systems are exposed to untrusted users or are internet-facing, consider accelerated patching. Verify patch availability from Microsoft and test in a lab environment before broad deployment.

Is this vulnerability being actively exploited in the wild?

As of the published date, CVE-2026-45656 is not listed in CISA's Known Exploited Vulnerabilities catalog. However, the low complexity and high impact make it an attractive target. Assume active exploitation is possible and prioritize patching accordingly rather than waiting for public confirmation of in-the-wild attacks.

This analysis is based on publicly available vulnerability data current as of the publication and modification dates listed. Specific patch version numbers, availability dates, and remediation timelines must be verified against Microsoft's official security advisories and your organization's patch management system. Testing in a non-production environment is strongly recommended before deploying patches to production systems. This document does not constitute legal or compliance advice; consult your security and compliance teams regarding your organization's specific obligations and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).