Microsoft’s July 14, 2026 security release includes a patch for CVE-2026-50365, an elevation-of-privilege vulnerability in the Windows Remote Procedure Call infrastructure that can give an unauthenticated attacker full control of a system—provided they can reach it from an adjacent network.
Rated Important by Microsoft with a CVSS 3.1 base score of 8.0, the flaw stems from improper authentication in a Remote Access Management service/API RPC server. It affects nearly every supported Windows version, from desktops running Windows 10 1607 all the way to Windows Server 2025, and reaches back to legacy Server 2012 installations under Extended Security Updates (ESU).
This isn’t a zero-day. Microsoft says there was no public disclosure or known exploitation when the patch shipped. But the combination of low attack complexity, no privilege requirement, and high impact makes this update one to deploy methodically rather than at leisure, especially in environments where lateral movement is a real risk.
The Patch: What It Fixes and Which Systems Need It
CVE-2026-50365 lives in the Windows RPC subsystem—the backbone for countless management and communication tasks. Microsoft describes the issue as an authentication bypass that allows an unauthorized attacker to escalate privileges, though the company has kept technical details sparse. What’s clear is that an attacker who successfully exploits the bug could achieve high-impact compromise across confidentiality, integrity, and availability.
The fix arrives via cumulative updates for all affected platforms. Below are the minimum required builds to be safe; anything older than these versions remains vulnerable.
| Operating System | Minimum Safe Build |
|---|---|
| Windows 10 1607 / Server 2016 | 14393.9339 |
| Windows 10 1809 / Server 2019 | 17763.9020 |
| Windows 10 21H2 | 19044.7548 |
| Windows 10 22H2 | 19045.7548 |
| Windows 11 24H2 | 26100.8875 |
| Windows 11 25H2 | 26200.8875 |
| Windows 11 26H1 | 28000.2525 |
| Windows Server 2012 | 9200.26226 |
| Windows Server 2012 R2 | 9600.23291 |
| Windows Server 2022 | 20348.5386 |
| Windows Server 2025 | 26100.33158 |
Two entries deserve special attention. First, Windows Server 2012 and 2012 R2 are only covered if you have an active ESU agreement; the normal Windows Update channel won’t deliver the fix. Second, several Windows 10 editions (including 21H2 and 22H2) have passed end-of-service dates in standard support, so they too need to be part of an extended update program—don’t assume automatic patching.
Why “Adjacent Network” Doesn’t Mean Harmless
The CVSS vector string is AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. That adjacent network requirement (AV:A) is the most significant limiting factor: an attacker can’t launch this from across the open internet without first establishing a foothold on your local segment, a shared VLAN, a VPN connection, or another logically adjacent network point.
In practice, this limitation shrinks the pool of potential initial attackers, but it does not neutralize the danger. Once a single workstation or server inside your perimeter is compromised—through phishing, credential theft, or an exposed service—the attacker immediately lands on an adjacent network. From there, CVE-2026-50365 becomes a powerful lateral-movement tool that requires no additional credentials.
Microsoft also notes that user interaction is required (UI:R), but details are absent. Don’t count on a glaring warning box or a strange attachment. In many RPC vulnerabilities, interaction can be as subtle as a service requesting data or a scheduled task running. Until researchers reverse-engineer the patch, treat this as a variable that might be easier to satisfy than you think.
The low attack complexity (AC:L) and no privileges required (PR:N) are the real red flags. An attacker who merely shares a network doesn’t need a domain account or an existing token to attempt exploitation. Combined with high C/I/A impacts, a successful attack could hand over complete control of the target’s security context.
Practical Impact: Home Users to Enterprise
Home users running Windows 10 or 11 will likely have the update applied automatically. Confirm your build version by typing winver in the Start menu—if the number matches or exceeds the table above, you’re covered. For most home setups, the adjacent-network clause means an internet-based attacker can’t reach you directly, but if you share a network with other unmanaged devices, patch promptly.
Enterprise administrators face a tougher job. The vulnerability’s presence in Server 2012 and Server 2016 demands checking the entire fleet, including VMs and out-of-band management systems often overlooked during patch cycles. RPC is deeply woven into domain operations, so indiscriminate blocking can break functionality. Instead, use network segmentation as a layered defense: restrict RPC traffic between user subnets and privileged server networks, and ensure VPN clients land in isolated address ranges.
Developers who build RPC servers or clients should review their own authentication mechanisms, but the immediate concern is ensuring their development machines are patched—these often have looser network profiles and are popular beachheads for attackers.
How We Got Here
CVE-2026-50365 isn’t an isolated find. Windows RPC has been a recurrent target for privesc bugs because of its ubiquity and complexity. In recent years we’ve seen similar flaws, like PetitPotam and various print spooler vulnerabilities, that chained RPC issues with other exploits. This one is simpler: exploit the authentication bypass directly.
Microsoft’s advisory appeared without fanfare on July 14, rated Important rather than Critical, likely because of the adjacent-network requirement. The National Vulnerability Database and CISA have both acknowledged the entry and noted no observed exploitation, with CISA assessing that the bug is not readily automatable. Those assessments are correct, but they’re bounded by the information available today. Patch analysis will inevitably reveal the specific RPC interface and API fingerprints, which can lead to proof-of-concept code.
Action Plan: Now, Next, and Ongoing
- Patch immediately. Apply the July 2026 cumulative update to all supported Windows machines. For ESU-covered systems, follow your vendor or cloud provider’s update channel; don’t delay.
- Verify build numbers. A deployment tool’s success message isn’t enough. Spot-check build versions via
winver,systeminfo, or a configuration management database. Pay special attention to laptops that may not have restarted successfully. - Segment your network. Ensure that user subnets, guest wireless, and VPN pools cannot directly initiate RPC connections to server management interfaces or domain controllers. This won’t stop every attack path, but it raises the bar.
- Monitor for unusual RPC activity. While Microsoft hasn’t released specific indicators of compromise (IOCs) for CVE-2026-50365, watch for unexpected remote calls from workstations that don’t normally initiate them, or spikes in RPC traffic across segment boundaries.
- Revisit legacy systems. If you’re still running Server 2012 or 2012 R2, confirm your ESU license is active and that you’re receiving updates. If ESU isn’t in place, you’re not protected—plan an upgrade or implement extremely tight network isolation.
Outlook: What Comes Next
The patch will be reverse-engineered. It’s only a matter of time before researchers publish the vulnerable RPC interface and maybe a proof of concept. When that happens, the risk calculus shifts from “theoretical but unvalidated” to “demonstrated and scannable.”
Keep an eye on Microsoft’s Security Update Guide, as the company occasionally revises exploitability assessments when new information surfaces. For now, the smart move is to treat CVE-2026-50365 as a vulnerability that removes an authentication gate from the lateral-movement map of your network. That’s a door best closed before someone finds a way to walk through.