CVE-2026-49161: Microsoft PC Manager Access Control Bypass (CVSS 7.8)
Microsoft PC Manager contains an access control weakness that allows a logged-in attacker to circumvent a built-in security control on the local system. The flaw does not require user interaction and grants an attacker with standard user privileges the ability to read sensitive data, modify system settings, or disable protective features.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-284
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Improper access control in Microsoft PC Manager allows an authorized attacker to bypass a security feature locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49161 is a local privilege escalation vulnerability rooted in improper access control (CWE-284) within Microsoft PC Manager. An attacker with local user credentials can exploit weak permission checks to bypass a security feature without requiring elevated privileges or user interaction. The CVSS 3.1 score of 7.8 reflects the high impact across confidentiality, integrity, and availability—the attack vector is local, attack complexity is low, and no privileges beyond standard user level are needed.
Business impact
This vulnerability poses a significant risk to organizations relying on Microsoft PC Manager for endpoint protection. An attacker with internal network access or a compromised user account can bypass critical security controls, potentially leading to data theft, system compromise, or disruption of security monitoring. For enterprises managing large fleets of Windows systems, this could expose sensitive business data and weaken overall defensive posture.
Affected systems
Microsoft PC Manager is affected. Organizations should determine which systems in their environment have this utility installed and ensure patch status is tracked across all affected endpoints. Verify the specific product version in your environment against vendor advisories to confirm scope.
Exploitability
The vulnerability is exploitable by any user with local system access—no special privileges or user interaction is required for successful exploitation. This makes it accessible to insider threats, compromised user accounts, or lateral movement scenarios post-breach. However, it is not currently listed in the CISA Known Exploited Vulnerabilities catalog, meaning public weaponized exploits have not been officially documented at this time.
Remediation
Apply security updates from Microsoft targeting CVE-2026-49161 as soon as they become available. Organizations should prioritize patching systems in high-value environments (administrative workstations, sensitive data repositories) first, then roll out organization-wide. Until patches are deployed, restrict local system access through identity governance and monitor for unusual privilege escalation attempts.
Patch guidance
Consult Microsoft's official security advisory for CVE-2026-49161 to identify the correct patched version of PC Manager. Testing should occur in a non-production environment before broad deployment. Organizations using enterprise patch management should prioritize this update given the local attack vector and high impact rating. If automatic updates are enabled, ensure systems are restarted to complete installation.
Detection guidance
Monitor for process execution of PC Manager components by low-privilege accounts attempting to modify system files or security configurations. Audit logs should capture failed and successful access attempts to protected resources. Endpoint Detection and Response (EDR) tools can identify behavioral indicators such as attempts to disable security features or read sensitive registry keys without proper authorization. Log authentication events for unusual local account activity.
Why prioritize this
A CVSS 7.8 HIGH severity score combined with low attack complexity and widespread deployment of PC Manager in enterprise environments warrants prompt remediation. The ability for any local user to bypass security controls directly threatens data confidentiality and system integrity. Although not yet in active exploitation campaigns, the low barrier to entry means this should be treated as a near-term priority.
Risk score, explained
The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H yields a score of 7.8. Local attack vector (AV:L) reflects the need for local access, but this is readily available in corporate environments. Low attack complexity (AC:L) means no special conditions are required. Low privileges (PR:L) indicate standard user accounts are sufficient. The lack of user interaction (UI:N) removes friction from exploitation. High impact across all three pillars (confidentiality, integrity, availability) reflects complete control over system security features.
Frequently asked questions
What is Microsoft PC Manager and why should we care about this vulnerability?
Microsoft PC Manager is a system maintenance and optimization utility deployed on Windows systems. This CVE impacts its access control mechanisms, allowing local users to circumvent security features—a critical risk for organizations relying on it as part of their endpoint hardening strategy.
Do we need to patch immediately if this is not on the KEV list?
Yes. The absence from the CISA KEV catalog does not diminish the risk. It reflects current exploitation data, not the vulnerability's severity or patch urgency. The CVSS 7.8 score and low attack barrier make this a near-term priority regardless of KEV status.
How do we know if PC Manager is installed across our organization?
Use your endpoint management platform or asset inventory tools to search for PC Manager installations. Common detection queries target the executable path or registry keys. Once identified, prioritize systems in sensitive roles (administrative machines, servers handling PII) for immediate patching.
What if we don't use PC Manager? Do we still need to worry?
If PC Manager is not deployed in your environment, you are not directly affected. However, verify this across your fleet—some organizations have it installed without explicit IT oversight, particularly on developer or departmental systems.
This analysis is based on publicly disclosed vulnerability data current as of the publication date. Patch availability, version numbers, and KEV status are subject to change. Organizations must verify patch applicability against their specific PC Manager versions using official Microsoft advisories. This assessment does not constitute professional security advice; consult qualified security professionals for deployment decisions in your environment. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11179HIGHChrome ORB Site Isolation Bypass (CVSS 8.8)
- CVE-2026-41092HIGHMicrosoft Kinect Local Privilege Escalation Vulnerability
- CVE-2026-42829HIGHWindows 11 Administrator Protection Bypass (CVSS 7.8 HIGH)
- CVE-2026-45649HIGHOffice for Android Access Control Flaw Enables Document Spoofing
- CVE-2026-45654HIGHWindows Secure Boot Access Control Bypass – CVSS 7.9 HIGH
- CVE-2026-45658HIGHWindows BitLocker Access Control Bypass Vulnerability
- CVE-2026-48578HIGHWindows Secure Boot Privilege Escalation Vulnerability (CVSS 7.9)
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)