{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-26174/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-26174"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-26174","privilege-escalation","windows","wsus"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-26174 describes a race condition vulnerability within the Windows Server Update Service (WSUS). Disclosed on April 14, 2026, this flaw allows a locally authenticated attacker with limited privileges to elevate their privileges to SYSTEM. The vulnerability stems from improper synchronization when WSUS handles concurrent requests, leading to a race condition that can be exploited to overwrite critical system files or manipulate system processes. Successful exploitation could grant an attacker full control over the affected system, potentially enabling lateral movement within the network, data exfiltration, or deployment of malware. Due to the critical role of WSUS in managing updates across an enterprise, this vulnerability poses a significant risk to organizations relying on WSUS for patch management.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the target Windows system with a low-privileged account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request designed to trigger the race condition in WSUS. This might involve sending multiple, simultaneous update requests.\u003c/li\u003e\n\u003cli\u003eWSUS processes the crafted requests concurrently, leading to unsynchronized access to shared resources.\u003c/li\u003e\n\u003cli\u003eDue to the race condition, the attacker gains the ability to manipulate a shared resource, such as a temporary file or a registry key, used by WSUS.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the manipulated shared resource to overwrite a critical system file within the WSUS directory (e.g., a DLL loaded by the WSUS service) or modify a registry setting used by WSUS for configuration.\u003c/li\u003e\n\u003cli\u003eWSUS service restarts or reloads the modified component, executing the attacker\u0026rsquo;s injected code with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with SYSTEM privileges, granting them full control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to install malicious software, create new accounts, or perform other unauthorized actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26174 allows a local attacker to elevate privileges to SYSTEM. This level of access grants complete control over the compromised machine. In a networked environment, this could lead to lateral movement to other systems, exfiltration of sensitive data, or the deployment of ransomware. Given that WSUS is often deployed across numerous systems, a single successful exploit could compromise a large number of machines. The vulnerability has a CVSS v3.1 score of 7.0, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch released by Microsoft to address CVE-2026-26174 on all WSUS servers immediately.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes spawned by the WSUS service (w3wp.exe) using the \u0026ldquo;Detect Suspicious WSUS Child Processes\u0026rdquo; Sigma rule to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor file modifications within the WSUS installation directory (typically \u003ccode\u003eC:\\Program Files\\Update Services\\\u003c/code\u003e) using the \u0026ldquo;Detect WSUS File Modifications\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview WSUS logs for any unusual activity or errors that might indicate an attempted exploitation of CVE-2026-26174.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T18:23:14Z","date_published":"2026-04-14T18:23:14Z","id":"/briefs/2026-04-wsus-privesc/","summary":"CVE-2026-26174 is a race condition vulnerability in Windows Server Update Service that allows an authorized attacker to elevate privileges locally.","title":"Windows Server Update Service (WSUS) Privilege Escalation via CVE-2026-26174","url":"https://feed.craftedsignal.io/briefs/2026-04-wsus-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-26174","version":"https://jsonfeed.org/version/1.1"}