{
"title": "Microsoft’s July Patch Tuesday Closes SNMP Data Leak in Windows NPS",
"content": "Microsoft’s July 14, 2026 security updates address a critical information-disclosure vulnerability in Windows Network Policy Server that can be triggered remotely without any form of authentication. CVE-2026-50470, an out-of-bounds read in the SNMP component, has a CVSS 3.1 base score of 7.5 and is rated Important by Microsoft. An attacker on the same network as a vulnerable NPS server—or one that can route packets to it—can send a malicious SNMP request and read portions of the server’s memory, potentially exposing configuration data, credentials, or other sensitive information.

A Deep Dive into the Out-of-Bounds Read

CVE-2026-50470 is categorized as CWE-125, an out-of-bounds read. This type of flaw happens when software processes input without properly validating the size of the data, causing a read operation to go beyond the allocated buffer. The vulnerable component sits in how Windows handles SNMP requests directed at the Network Policy Server role. SNMP is a protocol used for monitoring and managing network devices; when enabled on Windows, it listens for queries on UDP port 161. The flaw does not require an attacker to have any prior access—no credentials, no user login, no trickery—just a direct line to the SNMP service.

The National Vulnerability Database spells out the ease of exploitation: attack vector Network (AV:N), attack complexity Low (AC:L), privileges required None (PR:N), user interaction None (UI:N). The scope is Unchanged, so the vulnerability stays within the exploited component’s security context. Only confidentiality is impacted, but with a High rating because the information that can be leaked may include keys, passwords, or detailed server internals. No integrity or availability impact means the server won’t crash or alter data; it remains fully functional while silently leaking secrets.

Microsoft hasn’t disclosed the exact nature of the leaked memory. However, an NPS server handles RADIUS authentication for network access—VPNs, Wi-Fi, wired 802.1X—so its memory often contains authentication secrets, shared secrets for RADIUS clients, and IP address-to-user mappings. An attacker eavesdropping on this data could gain enough information to forge authentication responses, impersonate a user, or move laterally across the network.

Who Exactly Needs to Worry?

The list of affected software is broad, but the real risk depends on whether the SNMP feature is active and network-reachable. Microsoft has confirmed that the vulnerability exists in:

  • Windows Server 2012, 2016, 2019, 2022, and 2025, including Server Core
  • Windows 10 versions 1607, 1809, 21H2, and 22H2
  • Windows 11 versions 24H2, 25H2, and 26H1
On a standard Windows client installation, SNMP is not turned on. Most home users, even on older Windows 10 builds, have nothing to fear unless they manually added the SNMP feature via “Turn Windows features on or off” and left it open on the network. The update is still advisable because it hardens the OS against future misconfigurations, but immediate zero-hour panic is unwarranted for consumer devices.

For enterprise environments, the story is different. Network Policy Server is a server role, and it’s often installed alongside SNMP so that monitoring suites like Microsoft System Center, PRTG, or SolarWinds can track authentication request rates, server health, and performance counters. These NPS instances sit on critical network segments—often the same management VLAN as domain controllers, certificate servers, and firewalls. If an attacker can reach that VLAN, even from a compromised client box, exploiting CVE-2026-50470 becomes trivial. The lack of required authentication means that a simple UDP packet can start exfiltrating data.

What the July 2026 Patch Tuesday Really Includes

Microsoft bundles fixes for multiple SNMP vulnerabilities in this release. Alongside CVE-2026-50470, another information-disclosure flaw—CVE-2026-50496—carries the same title, rating, and score. Both stem from the same functional area and are addressed in the cumulative updates. Organizations should not attempt to cherry-pick fixes; applying the full monthly rollup is the only supported path.

The specific KB updates containing the patches are:

Operating SystemPatch KB
Windows Server 2016KB5099535
Windows Server 2019KB5099538
Windows Server 2022KB5099540
Windows Server 2025KB5099536
Windows 11 24H2/25H2KB5101650
Windows 11 26H1KB5101649
For older Windows 10 releases still under support, the corresponding July security update or monthly rollup includes the fix. If your organization has purchased Extended Security Updates (ESU) for Windows Server 2012 or older Windows 10 versions, ensure the ESU-specific package is deployed—a common oversight is assuming the regular update applies to all editions.

All these updates require a reboot. For NPS servers that handle live RADIUS traffic, this means planning a maintenance window that either includes server redundancy or coordinates with network teams to avoid authentication outages. A rolling restart of a cluster of NPS proxy servers is the safest approach.

How We Got Here: The Legacy of SNMP on Windows

SNMP dates back to the late 1980s and remains ubiquitous in infrastructure monitoring. Microsoft introduced the SNMP service as part of the Windows NT stack, and it persists as an optional feature in modern Windows Server and client releases. The protocol itself is simple: a management system sends a query (GetRequest, GetNextRequest) to an SNMP agent on the target device, and the agent responds with the requested data. Over the years, security researchers have uncovered many implementation flaws in SNMP agents, often related to how they parse variables and handle message lengths.

An out-of-bounds read like CVE-2026-50470 typically originates from a forgotten bounds check—a buffer is allocated for an expected-size variable, but the code doesn’t verify that the incoming data fits. When the SNMP daemon parses a request, it reads beyond that buffer into adjacent memory. This class of vulnerability has appeared in Windows before (for example, in the IPv6 stack and in the Graphics component), but an SNMP-related issue on a server handling authentication is particularly dangerous because the adjacent memory often holds secrets.

The fact that Microsoft issued two separate but equally severe SNMP NPS vulnerabilities in the same month suggests that the code underwent a thorough security audit—or that a researcher reported a cluster of related bugs. For defenders, the crucial takeaway is that these are not theoretical; patches exist because the problems are real and exploitable.

Immediate Steps to Secure Your Network

1. Deploy the Updates

The only permanent mitigation is installing the July 2026 patches. Use your existing deployment tools—Windows Server Update Services, Microsoft Endpoint Manager, or a third-party patching solution—to push the update to all affected servers and clients. Prioritize NPS servers first, then any system with SNMP enabled.

2. Limit Network Exposure

If an immediate reboot isn’t possible, reduce the SNMP attack surface immediately:

  • On each NPS server, open the Windows Defender Firewall and create a rule that blocks incoming UDP traffic on port 161 and 162 from all IP addresses except your authorized monitoring servers.
  • On network switches and routers, add access control lists (ACLs) that deny SNMP traffic from user VLANs, guest networks, and the internet to your server subnets.
  • If using SNMPv1/v2c, replace weak community strings with complex values as a stopgap, but plan to migrate to SNMPv3 with authentication and encryption to prevent even basic packet interception.

3. Disable SNMP Where Unused

Many NPS deployments enable SNMP by default but never actually use it. Verify with your monitoring team that SNMP is essential. If no tools query the server, stop and disable the service via PowerShell:

powershell Stop-Service -Name SNMP -Force Set-Service -Name SNMP -StartupType Disabled

Test thoroughly before doing this widely—a broken monitoring link can mean missed authentication failures or capacity problems.

4. Verify Patch Installation

After the update, don’t simply rely on the WSUS console. On each NPS server, run:

powershell Get-HotFix -Id KB5099538 # example for Server 2019

Check the build number matches the expected updated version (you can find the correct build in Microsoft’s update documentation). Also, confirm that the SNMP service