// 7 ZERO-DAY · 8 CVE · 6 EXPLOIT IN THE LAST 24H
CVE-2026-49805 in Windows WMI Providers enables local privilege escalation to SYSTEM. Microsoft has released patches and rates exploitation as more likely.

On July 15, 2026, Microsoft patched a privilege escalation vulnerability in Windows WMI Providers that allows a local attacker with low privileges to reach SYSTEM level. The vulnerability, tracked as ZDI-26-415 and CVE-2026-49805 with a CVSS 7.0 HIGH rating, was reported by mad31k through Trend Micro's Zero Day Initiative on April 1, 2026. The coordinated advisory release aligns with the standard July Patch Tuesday cycle, with Microsoft rating exploitation likelihood as high.

Key Takeaways
  • CVE-2026-49805 enables local privilege escalation to SYSTEM by exploiting an incorrect authorization configuration in Windows WMI Providers.
  • CVSS v3.1 is 7.0 HIGH: local attack vector, high complexity, low privileges required, no user interaction, complete impact on confidentiality, integrity, and availability.
  • Microsoft rates exploitability as "Exploitation More Likely" but confirms neither active exploitation nor public exploit release.
  • Affected surface spans Windows 10, Windows 11, and Windows Server 2012 through 2025, making asset inventory critical for prioritization.

The Flaw: Incorrect Authorization in WMI Providers

The core of the vulnerability lies in the configuration of Windows WMI Providers. According to the ZDI-26-415 advisory, "the specific flaw exists within the configuration of WMI providers. The issue results from incorrect authorization prior to allowing access to functionality." This missing check allows a process with limited privileges to access functionality reserved for more privileged contexts, resulting in code execution in the SYSTEM context.

The attack requires specific conditions: the attacker must already have the ability to execute code with low privileges on the target system. This is not a remote vulnerability; the AV:L vector string confirms local access is a mandatory prerequisite. High complexity (AC:H) further indicates the exploit requires target environment preparation for reliability, as explicitly stated in the Microsoft advisory.

A Naming Discrepancy: WMI Providers vs. Win32k

An element of particular interest for vulnerability management teams is the divergence in classification of the same vulnerability across authoritative sources. The ZDI-26-415 advisory titles the flaw "Microsoft Windows WMI Providers Incorrect Authorization Local Privilege Escalation Vulnerability," emphasizing WMI Providers as the affected component. The CVE-2026-49805 record and Microsoft advisory instead name it "Win32k Elevation of Privilege Vulnerability," referring to the Windows graphics-kernel subsystem.

The dossier does not clarify whether this discrepancy reflects a different analysis of the same bug — with Win32k interacting with WMI Providers in undocumented ways — or a different naming convention between researchers and vendor. What is certain is that CVE-2026-49805 identifies a single vulnerability: ZDI, Microsoft, and CVE.org converge on ID, CVSS, and impact. For security teams, however, this multiplicity of labels represents a concrete operational risk: automated queries on one name may miss advisories classified under the other, delaying remediation.

Exploitability Assessment and Open Questions

Microsoft assigns the vulnerability an "Exploitation More Likely" rating, meaning exploitation complexity is judged low enough to make functional exploits probable. However, the brief confirms neither public exploit code availability nor documented in-the-wild exploitation: both "Exploited" and "Publicly Disclosed" fields are negative.

Technically relevant elements for understanding the threat model also remain unspecified. The dossier does not identify the exact vulnerable WMI provider, the WMI class involved, or the precise environment preparation techniques required by the AC:H flag. It is also unclear whether the Win32k component mentioned in the CVE/Microsoft title represents the attack vector, the impact component, or both.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges." — Microsoft Security Response Center, CVE-2026-49805

Why It Matters

The combination of accessible prerequisites — local execution with low privileges — and maximum impact — SYSTEM — makes this vulnerability particularly relevant in initial compromise scenarios. Malware already present on an endpoint or operators with limited access can use it as a bridge to total system control. Microsoft's assessment of probable exploitation, even absent confirmation of active exploitation, indicates the exposure window does not tolerate significant delays.

The broad affected version surface — from Windows Server 2012 through 2025, spanning all consumer and enterprise editions of Windows 10 and 11 — amplifies operational complexity. Organizations with heterogeneous fleets and fragmented patching cycles face an inventory problem before a deployment one: identifying which systems run vulnerable versions is a necessary condition for any effective prioritization.

The dossier specifies no containment measures alternative to installing the Microsoft update. No documented workarounds, temporary mitigations, or security configurations emerge that can reduce the attack surface without the patch. This information gap, while representing a limit of the available brief, imposes a single operational conclusion: the availability of the corrective update is the only confirmed and reliable element in the defense chain.

The Classification Anomaly and the Cost of Tracking

The WMI Providers/Win32k discrepancy is not merely a labeling issue: it impacts automated intelligence systems, cross-feed correlations, and the ability of SOCs to recognize aligned priorities between vendor and researchers. When the same CVE receives technically distinct names, the risk of false negatives in threat intelligence processes increases measurably.

Organizations managing vulnerability management through aggregation platforms should verify their tools recognize both designations as references to the same entity. The cost of this verification is marginal compared to the cost of a system remaining exposed for weeks because it was filtered out by an incorrect keyword.

Questions That Remain

Which systems are actually at risk?

According to the CVE-2026-49805 record, affected versions include Windows 10 in multiple editions, Windows 11, Windows Server 2012/2012 R2, 2016, 2019, and 2025. The Microsoft advisory confirms patches for all supported versions. The dossier does not specify whether out-of-support versions were analyzed or patched.

Does a public exploit exist?

Not at the time of publication. Microsoft indicates "Exploited: No" and "Publicly Disclosed: No." The "More Likely" exploitability assessment refers to the probability of exploit development, not availability.

Why do ZDI and Microsoft use different names for the same vulnerability?

The dossier provides no official explanation for the discrepancy. It is possible that WMI Providers and Win32k interact such that both components are involved in the attack path, or that researchers and vendor prioritized different technical angles in classification. What is certain is that CVE-2026-49805 identifies a single vulnerability with documented impact.

Information is based on the cited advisory and current as of publication.

Sources

Information is based on the cited source and current as of publication.

Sources


Sources and references
  1. zerodayinitiative.com
  2. cve.org
  3. msrc.microsoft.com