HIGH 7.8

CVE-2026-49161: Microsoft PC Manager Access Control Bypass (CVSS 7.8)

Microsoft PC Manager contains an access control weakness that allows a logged-in attacker to circumvent a built-in security control on the local system. The flaw does not require user interaction and grants an attacker with standard user privileges the ability to read sensitive data, modify system settings, or disable protective features.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-284
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Improper access control in Microsoft PC Manager allows an authorized attacker to bypass a security feature locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49161 is a local privilege escalation vulnerability rooted in improper access control (CWE-284) within Microsoft PC Manager. An attacker with local user credentials can exploit weak permission checks to bypass a security feature without requiring elevated privileges or user interaction. The CVSS 3.1 score of 7.8 reflects the high impact across confidentiality, integrity, and availability—the attack vector is local, attack complexity is low, and no privileges beyond standard user level are needed.

Business impact

This vulnerability poses a significant risk to organizations relying on Microsoft PC Manager for endpoint protection. An attacker with internal network access or a compromised user account can bypass critical security controls, potentially leading to data theft, system compromise, or disruption of security monitoring. For enterprises managing large fleets of Windows systems, this could expose sensitive business data and weaken overall defensive posture.

Affected systems

Microsoft PC Manager is affected. Organizations should determine which systems in their environment have this utility installed and ensure patch status is tracked across all affected endpoints. Verify the specific product version in your environment against vendor advisories to confirm scope.

Exploitability

The vulnerability is exploitable by any user with local system access—no special privileges or user interaction is required for successful exploitation. This makes it accessible to insider threats, compromised user accounts, or lateral movement scenarios post-breach. However, it is not currently listed in the CISA Known Exploited Vulnerabilities catalog, meaning public weaponized exploits have not been officially documented at this time.

Remediation

Apply security updates from Microsoft targeting CVE-2026-49161 as soon as they become available. Organizations should prioritize patching systems in high-value environments (administrative workstations, sensitive data repositories) first, then roll out organization-wide. Until patches are deployed, restrict local system access through identity governance and monitor for unusual privilege escalation attempts.

Patch guidance

Consult Microsoft's official security advisory for CVE-2026-49161 to identify the correct patched version of PC Manager. Testing should occur in a non-production environment before broad deployment. Organizations using enterprise patch management should prioritize this update given the local attack vector and high impact rating. If automatic updates are enabled, ensure systems are restarted to complete installation.

Detection guidance

Monitor for process execution of PC Manager components by low-privilege accounts attempting to modify system files or security configurations. Audit logs should capture failed and successful access attempts to protected resources. Endpoint Detection and Response (EDR) tools can identify behavioral indicators such as attempts to disable security features or read sensitive registry keys without proper authorization. Log authentication events for unusual local account activity.

Why prioritize this

A CVSS 7.8 HIGH severity score combined with low attack complexity and widespread deployment of PC Manager in enterprise environments warrants prompt remediation. The ability for any local user to bypass security controls directly threatens data confidentiality and system integrity. Although not yet in active exploitation campaigns, the low barrier to entry means this should be treated as a near-term priority.

Risk score, explained

The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H yields a score of 7.8. Local attack vector (AV:L) reflects the need for local access, but this is readily available in corporate environments. Low attack complexity (AC:L) means no special conditions are required. Low privileges (PR:L) indicate standard user accounts are sufficient. The lack of user interaction (UI:N) removes friction from exploitation. High impact across all three pillars (confidentiality, integrity, availability) reflects complete control over system security features.

Frequently asked questions

What is Microsoft PC Manager and why should we care about this vulnerability?

Microsoft PC Manager is a system maintenance and optimization utility deployed on Windows systems. This CVE impacts its access control mechanisms, allowing local users to circumvent security features—a critical risk for organizations relying on it as part of their endpoint hardening strategy.

Do we need to patch immediately if this is not on the KEV list?

Yes. The absence from the CISA KEV catalog does not diminish the risk. It reflects current exploitation data, not the vulnerability's severity or patch urgency. The CVSS 7.8 score and low attack barrier make this a near-term priority regardless of KEV status.

How do we know if PC Manager is installed across our organization?

Use your endpoint management platform or asset inventory tools to search for PC Manager installations. Common detection queries target the executable path or registry keys. Once identified, prioritize systems in sensitive roles (administrative machines, servers handling PII) for immediate patching.

What if we don't use PC Manager? Do we still need to worry?

If PC Manager is not deployed in your environment, you are not directly affected. However, verify this across your fleet—some organizations have it installed without explicit IT oversight, particularly on developer or departmental systems.

This analysis is based on publicly disclosed vulnerability data current as of the publication date. Patch availability, version numbers, and KEV status are subject to change. Organizations must verify patch applicability against their specific PC Manager versions using official Microsoft advisories. This assessment does not constitute professional security advice; consult qualified security professionals for deployment decisions in your environment. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).