CVE-2026-48578: Windows Secure Boot Privilege Escalation Vulnerability (CVSS 7.9)
CVE-2026-48578 is a privilege escalation flaw in Windows Secure Boot affecting Windows 10 and 11 across multiple versions, as well as Windows Server 2012 through 2025. An attacker who already has administrative credentials on a system can exploit improper access controls to gain elevated privileges, potentially affecting system integrity and confidentiality. The vulnerability requires the attacker to be locally present and authenticated, but does not require user interaction to exploit. This is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.9 HIGH · CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Improper access control in Windows Secure Boot allows an authorized attacker to elevate privileges locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from inadequate access control mechanisms in the Windows Secure Boot implementation (CWE-284: Improper Access Control). A high-privileged local user can circumvent Secure Boot's access restrictions, enabling privilege escalation. The attack vector is local, the attack complexity is low, and no user interaction is needed—meaning an authenticated attacker with administrative rights can execute the exploit trivially once they gain initial access. The impact scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component itself, with high impact to both confidentiality and integrity, though availability is not compromised.
Business impact
This vulnerability poses a significant risk to organizations relying on Secure Boot as a security boundary. Secure Boot is intended to prevent unauthorized code from executing at boot time, and compromise of its access controls undermines that protection. An insider threat or an attacker who has already obtained local administrative access could escalate privileges further, potentially obtaining system-level access or kernel-mode execution. In enterprise environments, this could enable lateral movement, persistence mechanisms, or exfiltration of sensitive data. The wide range of affected Windows versions—from Windows 10 1607 through Windows 11 26H1—means remediation spans most modern Windows deployments.
Affected systems
The vulnerability affects a broad swath of Windows releases: Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and all supported Windows Server versions from 2012 R2 through 2025. Organizations running any of these versions should consider themselves at potential risk. Notably, older versions like Windows 10 1607 remain vulnerable, suggesting that even systems nearing or past support lifecycle boundaries remain exposed.
Exploitability
While the vulnerability is not yet documented in CISA's KEV catalog, its attributes indicate moderate practical exploitability. The attack requires an authenticated, high-privileged (administrative) local user, which narrows the threat actor pool compared to remote vulnerabilities. However, many compromise chains lead to local administrative access, and once obtained, the exploit is straightforward to execute due to low attack complexity. The lack of user interaction required makes post-compromise exploitation reliable. Organizations should monitor for any public proof-of-concept or exploitation activity as it may be more likely to appear in real-world attacks targeting systems that have already been partially compromised.
Remediation
Organizations should prioritize patching Windows Secure Boot components across their Windows 10 and Windows 11 fleet. Verify patch availability from Microsoft's security updates and apply them in a staged manner aligned with your change management process. For Windows Server environments, coordinate patching with system availability windows. Because the vulnerability requires local authenticated access, layered defenses—such as strong credential hygiene, multifactor authentication, endpoint detection and response (EDR) solutions, and behavior-based monitoring—remain important even after patching.
Patch guidance
Consult Microsoft's official security updates for this CVE. Patches are expected to be available through Windows Update and WSUS for consumer Windows versions, and through System Center Updates Services (SCCM) or similar channels for server deployments. Test patches in a non-production environment before broad rollout, particularly for Windows Server, to ensure no conflicts with Secure Boot configurations, firmware updates, or security policies. Verify patch installation by checking Windows Update history and confirming Secure Boot integrity checks post-update. Organizations using managed patching services should confirm that their patch deployment tooling includes this CVE in its target list.
Detection guidance
Monitor system logs for unauthorized Secure Boot policy changes, unusual privilege elevation events, or kernel-mode code execution from unexpected processes. Windows Event Viewer logs (Security, System, and kernel-mode audit events) should be reviewed for anomalies. Endpoint Detection and Response (EDR) solutions should be tuned to flag suspicious privilege escalation attempts, particularly those involving Secure Boot or boot-time mechanisms. YARA or signature-based detection rules targeting exploitation artifacts may become available as the security community analyzes this vulnerability further. Ensure that audit policies capture detailed process creation and privilege elevation events.
Why prioritize this
This vulnerability merits high priority due to its CVSS 7.9 score, broad product coverage spanning Windows 10, 11, and multiple Server versions, and its impact on a security-critical component (Secure Boot). Although it requires local authenticated access, the scope-change characteristic and impact on both confidentiality and integrity make it a significant concern for organizations facing insider threats or targeted attacks that have already compromised initial access. The lack of KEV status does not diminish risk; it reflects that active exploitation may not yet be documented, not that the vulnerability is low-risk.
Risk score, explained
The CVSS 3.1 score of 7.9 (HIGH) reflects several factors: local attack vector with high privilege requirements (limiting opportunistic exploitation), low attack complexity (straightforward to exploit once conditions are met), and high impact on confidentiality and integrity with changed scope (meaning privilege escalation can affect other system components and resources). The absence of availability impact prevents a CRITICAL rating. Organizations should treat this as a significant medium-term remediation priority, escalating it above lower-severity flaws but coordinating patching with operational requirements.
Frequently asked questions
Do I need to patch immediately, or can this wait until our regular patch window?
While this is not yet listed in CISA's Known Exploited Vulnerabilities catalog, a CVSS 7.9 HIGH vulnerability affecting Secure Boot should be prioritized. Plan to patch within your next one to two regular maintenance windows, but do not defer indefinitely. If your organization faces elevated insider threat risk or has recently experienced compromise, accelerate patching. Monitor threat intelligence feeds for any shift to active exploitation.
Does this vulnerability affect my system if I am not using Secure Boot?
The vulnerability is specific to Windows Secure Boot implementations. If Secure Boot is disabled in your UEFI/BIOS settings, this particular flaw cannot be exploited through the Secure Boot path. However, most organizations enable Secure Boot as part of their security posture, and disabling it would introduce other security concerns. Patching remains the recommended approach.
Can an unauthenticated attacker exploit this remotely?
No. This vulnerability requires local access and high-level (administrative) authentication. Remote exploitation is not possible. It does not change the fact that insider threats, users with compromised credentials, or attackers who have gained initial system access via other vectors could weaponize this flaw to escalate further.
What should I do if I cannot patch immediately?
Implement compensating controls: enforce strong credential policies and multifactor authentication, use EDR solutions to monitor for suspicious privilege escalation, restrict local administrative access to only necessary personnel, and segment your network to reduce lateral movement risk. However, these measures are not replacements for patching—they are interim risk mitigation only.
This analysis is based on publicly available vulnerability data current as of the publication date. Patch version numbers, availability timelines, and specific remediation steps should be verified directly against Microsoft's official security advisories and your organization's systems. This explainer does not constitute professional security advice; organizations should consult their security teams and relevant compliance frameworks when prioritizing remediation. SEC.co makes no warranty regarding the completeness or accuracy of derivative analysis and recommends independent verification of all recommendations. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11179HIGHChrome ORB Site Isolation Bypass (CVSS 8.8)
- CVE-2026-41092HIGHMicrosoft Kinect Local Privilege Escalation Vulnerability
- CVE-2026-42829HIGHWindows 11 Administrator Protection Bypass (CVSS 7.8 HIGH)
- CVE-2026-45649HIGHOffice for Android Access Control Flaw Enables Document Spoofing
- CVE-2026-45654HIGHWindows Secure Boot Access Control Bypass – CVSS 7.9 HIGH
- CVE-2026-45658HIGHWindows BitLocker Access Control Bypass Vulnerability
- CVE-2026-49161HIGHMicrosoft PC Manager Access Control Bypass (CVSS 7.8)
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)