On July 14, 2026, Microsoft patched a vulnerability in the Windows FTP Service that could allow an attacker to remotely execute code on a server with no authentication. The flaw, dubbed CVE-2026-49172, received a CVSS severity score of 9.8 out of 10 — yet Microsoft’s advisory labels it only “Important.” That disconnect has cybersecurity professionals sounding alarms, especially for organizations still running Internet-connected FTP servers.
The Vulnerability at a Glance
CVE-2026-49172 is a heap-based buffer overflow (CWE-122) in the Windows FTP Service, a component of Internet Information Services (IIS). Its CVSS 3.1 vector describes an attack that requires no user interaction, no privileges, and low complexity over a network connection. In plain terms, a remote attacker can craft malicious FTP traffic that corrupts memory on the target, potentially leading to full code execution.
The bug exists because the service mishandles certain input, writing beyond an allocated heap buffer. Microsoft hasn’t disclosed the exact FTP command or sequence that triggers the overflow, which means defenders can’t rely on simple protocol signatures to block an exploit. The only complete fix is the security update itself.
Despite its critical technical profile — attacks can hit without any prior access and compromise the confidentiality, integrity, and availability of the system — Microsoft assigned a severity rating of “Important” rather than “Critical.” The Zero Day Initiative’s July review highlighted this mismatch, alongside two other 9.8-score vulnerabilities that also received the lower label. For administrators, the CVSS number must drive prioritization, regardless of Microsoft’s internal classification.
Who’s At Risk? It’s Not Everyone Running Windows
The affected-product list spans Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and Windows Server 2025 — but having one of these operating systems doesn’t make a machine vulnerable by default. The vulnerable component is the FTP Server role, an optional IIS feature that must be explicitly installed. A typical workstation or a lightly configured server won’t have it running.
That said, FTP often lurks in corners. A manufacturing line, a scanner drop, a legacy website publishing workflow — these can leave an FTP server active on a system nobody considers a target. The worst-case scenario is an Internet-facing FTP endpoint that survived years of infrastructure changes without regular patching. Inside the network, an FTP server can be reached by a compromised workstation or malicious insider, making prompt patching essential even for internal-only servers.
To find your exposed systems, don’t stop at operating system lists. Use PowerShell to check for the FTP role components:
Get-WindowsFeature Web-Ftp-Server, Web-Ftp-Service, Web-Ftp-Ext
Then confirm whether the service is actually running, which interfaces it listens on, and whether TCP port 21 (and the data port range) is reachable. Vulnerability scanners and configuration management databases can help, but a manual or scripted inventory ensures nothing hides behind outdated records. Systems accepting FTP connections from the Internet, partner networks, or guest VLANs demand immediate attention.
The Fix: Builds You Need
Microsoft’s July 14, 2026 security updates deliver the corrected binaries. Patch deployment must be verified against these minimum fixed builds:
| Windows Version / Edition | Fixed Build | Key KB |
|---|---|---|
| Windows 10 21H2 | 19044.7548 | Cumulative update package |
| Windows 10 22H2 | 19045.7548 | Cumulative update package |
| Windows 11 23H2 | 22631.7376 | KB5099414 |
| Windows 11 24H2 | 26100.8875 | Cumulative update package |
| Windows 11 25H2 | 26200.8875 | Cumulative update package |
| Windows Server 2019 | 17763.9020 | Cumulative update package |
| Windows Server 2022 | 20348.5386 | Cumulative update package |
| Windows Server 2025 | 26100.33158 | KB5099536 |
The table covers mainstream server and client editions. If you manage LTSC releases, Windows 10 version 1607, version 1809, Server Core, or Windows 11 26H1, consult Microsoft’s Security Response Center product table to match your exact OS with the correct servicing package.
A special note on Windows 10: general support for version 22H2 ended in October 2025, but devices in eligible servicing programs (including Extended Security Updates) may still receive the fix. Don’t assume an unsupported PC is entitled to the update just because a fixed build number appears in vulnerability data. Check your licensing and patch delivery channel carefully.
Verify installation by inspecting the build number (winver or (Get-ComputerInfo).OsBuildNumber) after a reboot. Update-management tools such as Windows Server Update Services, Intune, or Configuration Manager can report deployment success, but the endpoint’s live version is the only sure proof.
One compatibility caveat: the July updates enforce new Transport Driver Interface (TDI) registration requirements. Applications that use unregistered third-party transports may fail. Test updates against networking software that hooks deeply into the Windows network stack, but don’t let this delay protecting a reachable FTP server.
Why FTP Remains a Ticking Time Bomb
FTP dates back to the early days of the Internet, and its presence on a modern network usually indicates a legacy workflow nobody wants to touch. Scanners, industrial controllers, automated file drops, and static-site publishing often rely on plain FTP or FTPS. Those servers tend to have broad firewall rules, weak credentials, and scant patch discipline — the exact combination that makes a 9.8 RCE catastrophic.
Crucially, switching to FTPS (FTP over TLS) does not sidestep CVE-2026-49172. The vulnerability lies in the underlying service, not the plaintext protocol. Unless Microsoft explicitly documents FTPS as a mitigation, treat all FTP Service instances equally vulnerable.
No public exploit code is known yet, and Microsoft did not report active attacks at disclosure. However, the low complexity and network accessibility mean exploit development is likely once attackers diff the patched and unpatched binaries. The window between patch release and in-the-wild exploitation gets shorter every year.
Your Patching Checklist
1. Inventory every Windows system running the FTP Service.
Use the PowerShell command above, server management tools, or asset databases. Flag any server where the FTP role is installed, even if it’s reported as “disabled.”
2. Prioritize Internet-facing and semi-trusted zone endpoints.
Servers accepting FTP from the public internet, partner extranets, or guest networks go to the top of the list. Internal-only servers come next.
3. Apply the July 2026 cumulative update and reboot.
Push the update through your standard patch management pipeline. On critical servers, schedule a maintenance window and confirm the fixed build number afterward.
4. If you can’t patch immediately, reduce exposure.
- Stop the FTP service (net stop ftpsvc).
- Disable the FTP Server role via Server Manager.
- Restrict network access to known source IP addresses.
- Place the server behind a VPN, requiring authenticated access before FTP connections are possible.
5. Review logs for past exploit attempts.
Look for abnormal FTP session patterns — bursts of connections, malformed commands, service crashes, or unexpected child processes spawned by the FTP service. Without a known exploit signature, focus on behavioral anomalies.
6. Plan to retire FTP where possible.
Replace legacy FTP with SFTP, HTTPS-based file transfers, managed file transfer solutions, or tightly scoped cloud storage. Every removed FTP role shrinks your attack surface for future flaws.
What’s Next
The absence of a public proof-of-concept today doesn’t guarantee a long grace period. Reverse-engineering the July patches will almost certainly reveal the overflow mechanics, and exploit code typically follows within days or weeks. Security researchers and criminal groups alike watch these high-score bugs closely.
Microsoft may update the advisory if they detect active exploitation or revise the severity rating. For now, the gap between a 9.8 CVSS score and an “Important” label serves as a reminder that patch prioritization should rely on objective risk, not vendor nouns. Every organization running a Windows FTP server should move that system onto the July 14 build — before the internet makes that decision for them.