Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Windows Active Directory Remote Code Execution Vulnerability

IdentifiersCVE-2026-33826CWE-20· Improper Input Validation

CVE-2026-33826 is a critical remote code execution vulnerability in Windows Active Directory caused by improper input validation in Active Directory RPC handling. An authenticated attacker can exploit the flaw by sending a specially crafted Remote Procedure Call (RPC) to an affected RPC host. Successful exploitation requires the attacker to be on an adjacent network and within the same restricted Active Directory domain as the target system. If triggered successfully, the target executes attacker-controlled code with the same permissions as the RPC service/host.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote code execution on the target Active Directory-associated RPC host with the privileges of the RPC service. This can enable manipulation of Active Directory services, alteration of configurations, compromise of domain security, and facilitate post-compromise lateral movement, malware deployment, and data theft within enterprise environments.

Mitigation

If you can’t patch tonight, do this now.

No specific vendor workaround beyond patching was provided in the supplied content. Practical interim risk reduction is to limit adjacent-network access to affected RPC hosts, restrict authenticated access within the relevant Active Directory domain, reduce unnecessary RPC exposure through segmentation and access controls, and monitor for anomalous crafted RPC activity until patches are deployed.

Remediation

Patch, then assume compromise.

Apply Microsoft’s April 2026 security updates for all affected and supported Windows Server versions. Reported fixes include KB5082126 for Windows Server 2012 R2, KB5082198 for Windows Server 2016, KB5082123 for Windows Server 2019, KB5082142 and KB5082060 for Windows Server 2022 including 23H2 Edition, and KB5082063 for Windows Server 2025. Microsoft indicated both standard installations and Server Core deployments require the update. Administrators should prioritize patching immediately.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 2 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 2 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows Active Directoryoperating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Server 2012 R2operating_system
Microsoft CorporationWindows Server 2016operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system
Microsoft CorporationWindows Server 2022 23h2operating_system
Microsoft CorporationWindows Server 2025operating_system
Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

16 SOURCESView more in app
cyber security newsNews
Apr 15, 2026
Windows Active Directory Vulnerability Allow Attackers to Execute Malicious Code

A critical remote code execution vulnerability in Windows Active Directory caused by improper input validation in RPC handling, allowing an authenticated attacker in the same restricted Active Directory domain to execute code with RPC service privileges.

Read more
cyberthroneNews
Apr 15, 2026
Microsoft Patch Tuesday - April 2026 - TheCyberThrone

A critical Windows Active Directory remote code execution vulnerability that allows an authenticated attacker on an adjacent network to execute code via a crafted RPC call.

Read more
talos intelligence blogNews
Apr 14, 2026
Microsoft Patch Tuesday for April 2026 - Snort Rule and Prominent Vulnerabilities

A critical improper input validation vulnerability in Windows Active Directory that can lead to remote code execution over an adjacent network.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity12

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-33826
NVD
nvd.nist.gov/vuln/detail/CVE-2026-33826
MITRE CWE · CWE-20
Improper Input Validation
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33826