PT-2025-50300 · Microsoft · Windows Deployment Services

Published 2025-12-09 · Updated 2026-03-16 · CVE-2026-0386

CVSS v3.1: 7.5
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Windows Deployment Services versions prior to January 2026 updates
Windows Server 2016 versions prior to KB5034651
Windows Server 2019 versions prior to KB5034650
Windows Server 2022 versions prior to KB5034129
Description

An improper access control issue exists in Windows Deployment Services (WDS). It allows an unauthenticated attacker on an adjacent network to execute arbitrary code on WDS servers. The root cause is a combination of CWE-284 (Improper Access Control) and a stack-based buffer overflow: an authentication bypass in wdsserver.dll enables the execution of arbitrary shellcode. A successful attacker can potentially gain SYSTEM privileges, inject persistent backdoors into OS deployment images, and move laterally within the domain. The issue affects enterprise IT, data centers, and disaster recovery sites that rely on PXE boot, and it can lead to remote code execution, lateral movement within the domain, and potential supply chain poisoning. The issue also involves the leakage of credentials through insecure channels when unattend.xml files are used.
Recommendations

For Windows Server 2016, apply update KB5034651.
For Windows Server 2019, apply update KB5034650.
For Windows Server 2022, apply update KB5034129.
Segment WDS into isolated VLANs.
Restrict management traffic on ports 5040, 64001, and 64002 using IPsec.
Verify the integrity of WIM images.
Monitor Event Logs (IDs 513 and 769) for anomalous PXE requests.
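As an added example (not part of the advisory or of Microsoft's tooling), the following PowerShell script checks a WDS host against the patch levels listed above and summarises the Event IDs the recommendations ask you to monitor. The event log channel name is an assumption; adjust it to where your WDS server actually writes PXE diagnostics.

```powershell
# Added example: audit a WDS host against advisory PT-2025-50300.
# KB numbers and Event IDs come from the advisory; the log channel is assumed.
$RequiredKb = @{
    'Windows Server 2016' = 'KB5034651'
    'Windows Server 2019' = 'KB5034650'
    'Windows Server 2022' = 'KB5034129'
}

function Test-WdsPatchLevel {
    # Match the OS caption (e.g. "Microsoft Windows Server 2019 Standard")
    # to the release named in the advisory, then look for its KB.
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    $release = $RequiredKb.Keys | Where-Object { $caption -like "*$_*" } |
        Select-Object -First 1
    if (-not $release) {
        # Release not covered by the advisory table: report and stop.
        return [pscustomobject]@{ Release = $caption; RequiredKb = $null; Installed = $null }
    }
    $kb = $RequiredKb[$release]
    $present = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Release = $release; RequiredKb = $kb; Installed = $present }
}

function Get-WdsPxeEventSummary {
    param([int]$Hours = 24)
    # Assumption: PXE diagnostics land in this operational channel.
    $filter = @{
        LogName   = 'Microsoft-Windows-Deployment-Services-Diagnostics/Operational'
        Id        = 513, 769          # IDs named in the advisory
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Count events per ID so a sudden spike in PXE requests stands out.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

$patch = Test-WdsPatchLevel
if ($patch.Installed -eq $false) {
    Write-Warning "$($patch.Release): required update $($patch.RequiredKb) not found"
}
$patch
Get-WdsPxeEventSummary -Hours 24
```

A newer cumulative update supersedes the listed KB, so treat a missing KB as a prompt to confirm the installed cumulative update level rather than as proof the host is unpatched.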

Fix

RCE

Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2026-00373
CVE-2026-0386

Affected Products

Windows
Windows Deployment Services