Microsoft dropped a critical security patch on June 9, 2026, addressing a severe vulnerability in the Windows Dynamic Host Configuration Protocol (DHCP) Server. Tracked as CVE-2026-45602, this tampering flaw has been assigned a CVSS (Common Vulnerability Scoring System) rating of 9.1 out of 10, placing it firmly in the \u201ccritical\u201d severity category. The company\u2019s official advisory confirms that the vulnerability affects all supported versions of Windows client and server operating systems where the DHCP Server role is enabled. With a network-based attack vector, low complexity, and no requirement for user interaction or authentication, the vulnerability represents a clear and present danger to enterprise networks. Security administrators must patch immediately\u2014there\u2019s no time to waste.

This update is part of Microsoft\u2019s scheduled Patch Tuesday for June 2026 and is the only critical bulletin this month. The flaw was responsibly disclosed through Microsoft\u2019s security research partnership programs, though at least one proof-of-concept exploit is known to exist in private circles, elevating the risk of active exploitation. If your organization runs a Windows DHCP Server\u2014whether on a domain controller, member server, or even a client machine with the feature installed\u2014you need to apply this patch as part of your emergency change management protocol.

Understanding the Windows DHCP Server Role

The DHCP Server automatically assigns IP addresses, subnet masks, default gateways, DNS servers, and other network configuration parameters to client devices. Virtually every enterprise network relies on DHCP to streamline device connectivity, making it a foundational service. When a DHCP server is compromised, an attacker can manipulate these configurations, redirecting traffic through malicious gateways or DNS servers, enabling man-in-the-middle attacks, credential theft, and widespread lateral movement.

Microsoft\u2019s DHCP Server is a built-in role available on Windows Server releases. While client operating systems like Windows 11 Professional and Enterprise can technically install the DHCP Server feature, it is rarely configured outside of lab or test environments. Nevertheless, the vulnerability exists wherever the service is running, regardless of the Windows edition. The tampering classification indicates that an attacker could alter server behavior or data without necessarily executing code directly\u2014but the CVSS 9.1 score signals a complete compromise of confidentiality, integrity, and availability.

CVE-2026-45602 Technical Breakdown

Microsoft\u2019s advisory describes CVE-2026-45602 as a tampering vulnerability in Windows DHCP Server that could allow an unauthenticated, remote attacker to modify DHCP server operations or responses. While the company has not released a full technical deep-dive to prevent weaponization, the CVSS vector sheds light on the attack surface:

  • Attack Vector (AV): Network (N) \u2013 The vulnerability can be triggered over the network without physical access.
  • Attack Complexity (AC): Low (L) \u2013 No specialized conditions or advanced reconnaissance is needed.
  • Privileges Required (PR): None (N) \u2013 The attacker does not need any credentials or prior access.
  • User Interaction (UI): None (N) \u2013 No action is required from a user, such as clicking a link.
  • Scope (S): Unchanged (U) \u2013 The vulnerable component\u2019s security context remains the same, but the impact is still devastating.
  • Confidentiality (C): High (H) \u2013 Complete loss of confidentiality.
  • Integrity (I): High (H) \u2013 Complete loss of trustworthiness of data.
  • Availability (A): High (H) \u2013 Complete denial of service possible.

This combination means an attacker can send a specially crafted network packet to the DHCP server and immediately gain the ability to corrupt the service\u2019s operations. The most likely attack scenario involves injecting malicious DHCP responses that reconfigure client network settings on the fly. For example, an adversary could force clients to use a rogue DNS server, redirecting all domain name resolutions to attacker-controlled infrastructure. From there, they can intercept authentication requests, steal credentials, and move deeper into the network. In more aggressive exploits, the tampering could allow the attacker to serve malicious payloads to clients or even achieve remote code execution on the DHCP server itself through secondary vulnerabilities.

Importantly, CVE-2026-45602 requires no authentication, meaning any machine on the local network segment\u2014or even the internet if the DHCP server is incorrectly exposed\u2014can launch an attack. Typical enterprise networks have DHCP servers listening on UDP port 67, which should be filtered at the perimeter. However, once an attacker gains a foothold on the internal network (via phishing, compromised IoT device, or physical access), pivoting to the DHCP server becomes trivial.

Affected Systems

Microsoft has confirmed that the following operating systems are vulnerable, provided the DHCP Server role is installed and running:

Operating System Status
Windows Server 2025 Affected
Windows Server 2022 Affected
Windows Server 2019 Affected
Windows Server 2016 Affected
Windows 11 (all editions) Affected if DHCP Server is enabled
Windows 10 (all editions) Affected if DHCP Server is enabled

Older versions such as Windows Server 2012 R2 and Windows 8.1 are past end-of-support and are not receiving patches. However, if you are still running these systems in extended support agreements (ESU), contact Microsoft for custom fixes. The vulnerability does not affect client machines that are merely DHCP clients\u2014only the server component is at risk.

Practical Impact and Exploitability

In real-world terms, successful exploitation of CVE-2026-45602 can lead to a full network compromise. Consider a common enterprise setup: The DHCP server is also a domain controller or is tightly integrated with Active Directory. Tampering with DHCP means the attacker can redirect client DNS queries to a malicious server, perform \u201cDHCP poisoning\u201d to become the default gateway, and then capture all outbound traffic. This opens the door to:

  • Credential theft via NTLM relay attacks
  • Pharming and phishing campaigns directly in browsers
  • Distribution of malware through poisoned software updates
  • Complete denial of service by flooding the server with malformed requests

Because the attack requires no user interaction, it can be fully automated. A single exploit script could scan for vulnerable DHCP servers, send the crafted packet, and instantly take control of network configurations for thousands of devices. There is already chatter in underground forums suggesting that a reliable exploit module has been developed for the Metasploit framework, though no public disclosure has been verified at the time of writing.

Mitigation and Workarounds

Patching is the only definitive solution. Microsoft has released security update packages for all supported systems through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. The specific KB numbers will vary by Windows version, but administrators should prioritize these updates over all other non-critical changes.

If immediate patching is impossible, consider the following temporary mitigations:

  1. Disable the DHCP Server role on any machine that does not absolutely require it. Run Get-WindowsFeature -Name DHCP in PowerShell to list servers with the role installed. On Windows client machines, you can simply stop and disable the \u201cDHCP Server\u201d service via services.msc.
  2. Implement network segmentation to restrict access to DHCP server ports. Use firewall rules to allow only authorized DHCP relay agents or clients to communicate with the server on UDP port 67. Block all other inbound traffic to that port.
  3. Enable DHCP server logging and monitor for unusual request patterns. A sudden flood of DISCOVER or REQUEST messages from unrecognized MAC addresses could indicate scanning or exploitation attempts.
  4. Deploy DHCP snooping on managed switches to filter out rogue DHCP server messages and prevent ARP spoofing attacks that often accompany DHCP tampering.
  5. Isolate critical infrastructure VLANs where possible, limiting the blast radius if a DHCP server is compromised.

These measures are not foolproof; determined attackers can often bypass network-level controls. Still, they raise the bar and buy time until patches can be applied.

Broader Context: A History of DHCP Attacks

This isn\u2019t the first time DHCP has been in the security spotlight. In 2019, CVE-2019-0726, a memory corruption bug in Windows DHCP Server, achieved a CVSS score of 9.8 and led to widespread attacks. Similarly, \u201cDHCPwn\u201d and \u201cDHCPig\u201d are well-known tools used in penetration testing to exhaust IP address pools and perform man-in-the-middle attacks. The difference with CVE-2026-45602 is the tampering aspect\u2014rather than causing a crash or code execution, it allows an attacker to silently alter server behavior, making detection extremely difficult. Malicious DHCP responses can persist for the lease duration, meaning clients remain compromised even after the attack is over.

Microsoft\u2019s response to these threats has included hardening measures like DHCP guard in Hyper-V and support for DHCP authentication (DHCPv4 Auth). Yet, many organizations do not enable these features due to compatibility concerns or management overhead. The result is a persistent attack surface that adversaries are more than happy to exploit.

Community Reactions and What We\u2019re Hearing

Security teams across enterprise IT departments have reacted with justified alarm. On the Windows Sysadmin subreddit, one administrator wrote, \u201c9.1 and no auth required? That\u2019s practically a backdoor.\u201d Another noted that their compliance framework mandates patching critical vulnerabilities within 14 days, but most are accelerating to 48 hours given the severity. The consensus among early adopters on Patch Tuesday is that the update applies cleanly and does not appear to break existing DHCP configurations, though some have reported an issue with DHCP failover clusters requiring a manual restart to resume synchronization. Microsoft has acknowledged this in the advisory and recommends additional steps outlined in the associated KB article.

For organizations with strict change control, the recommendation is clear: invoke emergency exception processes and get this patch into production immediately. The balance of risk strongly favors rapid deployment.

The Bottom Line

CVE-2026-45602 represents a critical infrastructure vulnerability that can be exploited with minimal effort. The combination of network-based attack surface, no authentication, and high impact leaves every Windows DHCP Server exposed. With proof-of-concept code likely to surface soon, the window of safety is closing fast. Patch now\u2014tonight if possible\u2014and verify that all DHCP servers, including those in DMZs, branch offices, and shadow IT deployments, are covered. Temporary workarounds can reduce risk but they are not a substitute for the security update.

Monitor Microsoft\u2019s Security Response Center for updates on exploitation status and any emerging post-patch issues. In parallel, review your network architecture to ensure DHCP servers are not reachable from untrusted networks. This vulnerability is a stark reminder that foundational network services demand the same rigorous security scrutiny as internet-facing applications.