← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-0386 · CWE-284 · Disclosed 2026-01-13

Improper access control in Windows Deployment Services

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a spare key left under the mat of your deployment network, not a citywide master key

CVE-2026-0386 is a Windows Deployment Services flaw tied to *hands-free deployment* using Unattend.xml. Microsoft says the risk appears when that answer file is sent over an unauthenticated RPC channel, allowing an attacker on an *adjacent network* to intercept sensitive deployment data and potentially turn that into credential theft or code execution. Affected ranges span WDS-capable Windows Server releases before the January 13, 2026 fixes, including Windows Server 2008 SP2/2008 R2 SP1 under Premium Assurance, 2012/2012 R2 under ESU, 2016 <10.0.14393.8783, 2019 <10.0.17763.8276, 2022 <10.0.20348.4648, Server 23H2 <10.0.25398.2092, and 2025 <10.0.26100.32230.

Microsoft's HIGH 7.5 rating is technically defensible in a lab, but it overstates day-two enterprise risk. The attack requires *adjacent-network position*, *native WDS usage*, and specifically *hands-free deployment* exposure; Microsoft also states Configuration Manager is not affected because it doesn't use this Unattend.xml mechanism. That combination slashes reachable population, so this lands as a MEDIUM unless your org still runs native WDS on shared or poorly segmented build networks.

"Dangerous on the imaging VLAN, but too narrow and post-positioned to keep a HIGH rating"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get onto the deployment segment

The attacker first needs layer-2 or otherwise adjacent access to the PXE/WDS path, not just generic internet reachability. In practice that means a compromised workstation on the build VLAN, rogue device access in a staging area, or prior foothold on an internal segment that can see WDS traffic. Tooling is mundane: tcpdump, Wireshark, or Responder are enough to validate the network position.
Conditions required:
  • Access to the same deployment VLAN or another network path considered adjacent by the WDS service flow
  • WDS is reachable from that segment
  • A target is actively using or can be induced to use WDS
Where this breaks in practice:
  • This is not unauthenticated internet RCE
  • Many enterprises isolate imaging networks from user and server LANs
  • Modern NAC and switchport controls often block the rogue-device starting point
Detection/coverage: External scanners usually miss this prerequisite entirely. Exposure management tools may know a server is missing the KB, but they usually cannot confirm adjacent-network reachability into the PXE/WDS path.
STEP 02

Catch or trigger insecure Unattend.xml retrieval

Microsoft's hardening notice says the vulnerable condition is Unattend.xml transmitted over an unauthenticated RPC channel during WDS hands-free deployment. An attacker can passively observe the workflow or emulate a client well enough to request the file over the insecure path; a custom RPC client, Windows PE emulation, or adapted Impacket-style tooling would be the obvious weaponized route. This is the step most likely to separate theory from reliable exploitation.
Conditions required:
  • Native WDS hands-free deployment is in use
  • AllowHandsFreeFunctionality is absent on pre-April behavior or explicitly set to 1
  • The WDS server is still operating in insecure mode
Where this breaks in practice:
  • Microsoft says Configuration Manager is not affected
  • Many WDS deployments are boot-only and don't expose hands-free answer files
  • April 14, 2026 updates moved the default to secure-by-default, so admins had to deliberately keep the insecure path alive
Detection/coverage: This is where detection is best: Microsoft added warnings in Microsoft-Windows-Deployment-Services-Diagnostics/Debug for insecure requests and insecure configuration. Most vuln scanners still only do build-level checks and won't verify the registry mode.
STEP 03

Harvest deployment secrets

If the attacker gets the answer file, the practical win is usually credential material and deployment metadata, not instant shellcode in memory. Unattend.xml frequently carries local admin passwords, domain join context, or deployment automation settings that can be parsed with trivial XML tooling. Tools are boring here: PowerShell XML parsing, xmllint, or simple grep-style extraction work.
Conditions required:
  • The answer file actually contains useful secrets or trusted automation context
  • Those credentials remain valid and sufficiently privileged
Where this breaks in practice:
  • Some enterprises already removed embedded secrets from answer files
  • Least-privilege join accounts reduce blast radius
  • Rotated or one-time deployment credentials can collapse attacker value fast
Detection/coverage: DLP and SMB/RPC telemetry rarely understand the security importance of Unattend.xml. Detection is strongest after the fact via anomalous account use, not at the file-theft moment.
STEP 04

Turn stolen trust into execution

The final impact is using those secrets or deployment trust to run code on the WDS server, poison images, or laterally move into freshly imaged hosts. Real attacker tooling here is standard post-compromise tradecraft such as psexec.py, wmiexec.py, or direct image/task manipulation through administrative access. This is why the CVE can end in full compromise, but only after a chain of environment-specific prerequisites.
Conditions required:
  • Recovered credentials map to administrative or image-management privileges
  • The attacker can reach the target systems over normal admin channels
Where this breaks in practice:
  • EDR, PAM, admin tiering, and image-signing processes frequently break this step
  • The vuln does not hand an attacker universal RCE in one packet
  • Blast radius is often limited to the WDS island unless the deployment account is overprivileged
Detection/coverage: Post-exploitation detection is mature. EDR, Windows admin logons, remote service creation, WMI, and unusual image-share access should all light up if the attacker pushes past the retrieval stage.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed public exploitation in the sources reviewed. The CVE record surfaced through CISA ADP with Exploitation: none and Automatable: no, and it is not in CISA KEV.
KEV statusNot KEV-listed as of the CISA Known Exploited Vulnerabilities Catalog reviewed for this assessment.
Proof-of-concept availabilityNo mainstream public PoC found in the reviewed results. That lowers opportunistic attacker pressure, though the primitives are straightforward for an internal operator with RPC/PXE knowledge.
EPSSNot directly verified here. FIRST publishes daily EPSS by API/CSV, but a CVE-specific score for CVE-2026-0386 was not retrievable from the browsed source snippets used in this assessment.
CVSS vector reality checkCVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H already admits two big brakes: adjacent network and high attack complexity. That is materially less dangerous than internet-reachable unauthenticated RCE.
Affected scopeApplies to native WDS scenarios using Unattend.xml hands-free deployment. Microsoft explicitly says Configuration Manager is not impacted because it uses WDS only for boot.wim and NBP files, not the vulnerable answer-file mechanism.
Fixed versionsBuild thresholds from the CVE record/NVD include Windows Server 2016 10.0.14393.8783, 2019 10.0.17763.8276, 2022 10.0.20348.4648, Server 23H2 10.0.25398.2092, 2025 10.0.26100.32230; Rapid7 maps January fixes to KB5073698, KB5073696, KB5073722, KB5073723, KB5073457, KB5073450, and KB5073379.
Operational hardening timelineMicrosoft introduced Phase 1 on 2026-01-13 with eventing and a registry control, then switched to secure-by-default on 2026-04-14. After that, hands-free WDS deployments are disabled by default unless admins explicitly override the setting.
Exposure populationThis is usually low internet exposure and often zero external exposure because WDS relies on PXE/TFTP/RPC/SMB deployment flows on ports like UDP 67/69/4011 and TCP 135/5040, which are normally confined to build networks. The real risk sits on internal deployment VLANs, not the public edge.
Disclosure and sourcePublicly disclosed by Microsoft on 2026-01-13 as Windows Deployment Services Remote Code Execution Vulnerability. No public researcher attribution was visible in the reviewed sources.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.8/10)

The decisive downgrade factor is attacker position: this requires adjacent-network access to a niche deployment workflow, which means the attacker is already on or very near a sensitive internal segment. That sharply narrows exposed population compared with a normal remote Windows RCE, even though the downstream impact can be severe inside the affected WDS enclave.

HIGH Affected workflow narrowing: native WDS hands-free only, not ConfigMgr
HIGH Attacker-position assessment: adjacent network required
MEDIUM End-to-end exploit chain from answer-file theft to reliable code execution

Why this verdict

  • Down from vendor HIGH: AV:A plus AC:H means this already starts from a constrained, same-segment style position rather than broad remote reachability.
  • Reachable population is small: Microsoft says the issue affects native WDS hands-free deployments and explicitly does not affect Configuration Manager's common PXE use case.
  • Post-initial-access dynamics matter: requiring adjacent internal network presence implies the attacker has already crossed an earlier control boundary such as NAC, switchport control, or a prior host compromise.
  • April hardening reduces exposure further: since April 14, 2026, secure-by-default behavior means defenders had to consciously keep insecure hands-free mode enabled for the vulnerable path to persist.
  • Blast radius can still be ugly where it exists: if the answer file contains privileged deployment credentials, compromise of the build network can spill into server or workstation provisioning trust.

Why not higher?

This is not a one-shot internet RCE. The attacker needs adjacent-network position, a live WDS deployment path, native WDS hands-free usage, and an insecure configuration state that many enterprises either never used or stopped using after Microsoft's April 14, 2026 default hardening. Those compound prerequisites are exactly the kind of friction that should drag severity down.

Why not lower?

The impact is still real where WDS is used badly. A compromised build VLAN plus exposed Unattend.xml can leak secrets that matter, and deployment infrastructure has outsized trust over many endpoints. This is too much blast-radius potential to treat as backlog lint or ignore.

05 · Compensating Control

What to do — in priority order.

  1. Force secure mode — Set HKLM\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend\AllowHandsFreeFunctionality=0 on affected native WDS servers to block unauthenticated answer-file access. For a MEDIUM verdict there is no mitigation SLA, but this is the cleanest compensating control and should be applied at the next approved change if you still run native WDS.
  2. Kill insecure exceptions — Hunt for servers where AllowHandsFreeFunctionality=1 keeps insecure hands-free behavior alive. That setting is an explicit risk acceptance; remove it before you forget why it was there.
  3. Segment the imaging network — Constrain PXE/WDS traffic to dedicated deployment VLANs and tightly limit who can reach UDP 67/69/4011 and TCP 135/5040. This reduces the already narrow attack surface even further by making adjacent-network preconditions harder to satisfy.
  4. Watch WDS debug events — Enable and monitor Microsoft-Windows-Deployment-Services-Diagnostics/Debug for insecure requests and insecure-mode warnings introduced by Microsoft's hardening guidance. This gives you direct evidence of whether the dangerous path is still being exercised.
  5. Rotate deployment credentials — If Unattend.xml ever carried local admin or domain-join secrets, rotate them and right-size privileges. This limits the payoff if the file was exposed before you hardened the servers.
What doesn't work
  • A perimeter WAF does not help; this is not an HTTP edge-service problem.
  • Generic internet attack-surface scans do not prove safety; the dangerous path lives on internal PXE/RPC/SMB deployment flows.
  • Patching alone is not enough if you deliberately keep AllowHandsFreeFunctionality=1; that preserves insecure behavior by design.
  • Assuming SCCM/MECM guidance applies everywhere is wrong; the vuln is about native WDS hands-free deployments, while ConfigMgr is explicitly called out as unaffected.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows Server that hosts WDS, locally or through PowerShell Remoting, as an Administrator. Invoke it with powershell.exe -ExecutionPolicy Bypass -File .\Test-CVE-2026-0386.ps1; it checks whether the WDS role is present, whether the server build is below Microsoft's fixed threshold, and whether the insecure override AllowHandsFreeFunctionality=1 is still enabled.

noisgate-verify.ps1
POWERSHELLREAD-ONLYSAFE
# Test-CVE-2026-0386.ps1

# Checks Windows Deployment Services exposure for CVE-2026-0386.

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'Stop'

function Get-VersionObject {
    param([string]$Version)
    try { return [version]$Version } catch { return $null }
}

function Get-FixedVersion {
    param([string]$ProductName)

    switch -Regex ($ProductName) {
        'Windows Server 2025' { return '10.0.26100.32230' }
        'Windows Server 2022' { return '10.0.20348.4648' }
        'Windows Server 2019' { return '10.0.17763.8276' }
        'Windows Server 2016' { return '10.0.14393.8783' }
        'Windows Server 2012 R2' { return '6.3.9600.22968' }
        'Windows Server 2012' { return '6.2.9200.25868' }
        'Windows Server 2008 R2' { return '6.1.7601.28117' }
        'Windows Server 2008' { return '6.0.6003.23717' }
        default { return $null }
    }
}

try {
    $feature = Get-WindowsFeature -Name WDS -ErrorAction SilentlyContinue
    if (-not $feature -or -not $feature.Installed) {
        Write-Output 'PATCHED: WDS role not installed; host not affected by native WDS hands-free path.'
        exit 0
    }

    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $productName = [string]$cv.ProductName
    $currentVersion = '{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber, $cv.CurrentMinorVersionNumber, $cv.CurrentBuild, $cv.UBR

    if (-not $cv.CurrentMajorVersionNumber) {
        # Older OSes may not have CurrentMajorVersionNumber; derive from CurrentVersion/CurrentBuild/UBR.

        $base = if ($cv.CurrentVersion) { [string]$cv.CurrentVersion } else { '0.0' }
        $build = if ($cv.CurrentBuild) { [string]$cv.CurrentBuild } else { '0' }
        $ubr = if ($cv.UBR -ne $null) { [string]$cv.UBR } else { '0' }
        $currentVersion = "$base.$build.$ubr"
    }

    $fixedVersion = Get-FixedVersion -ProductName $productName
    $cur = Get-VersionObject $currentVersion
    $fix = Get-VersionObject $fixedVersion

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend'
    $allowValue = $null
    if (Test-Path $regPath) {
        try {
            $allowValue = (Get-ItemProperty -Path $regPath -Name 'AllowHandsFreeFunctionality' -ErrorAction Stop).AllowHandsFreeFunctionality
        } catch {
            $allowValue = $null
        }
    }

    if (-not $fix -or -not $cur) {
        Write-Output "UNKNOWN: Unable to map or parse OS version. Product='$productName' Current='$currentVersion' Fixed='$fixedVersion'."
        exit 2
    }

    if ($cur -lt $fix) {
        Write-Output "VULNERABLE: WDS installed and OS build $currentVersion is below fixed threshold $fixedVersion for $productName."
        exit 1
    }

    if ($allowValue -eq 1) {
        Write-Output "VULNERABLE: WDS installed, patched build present, but AllowHandsFreeFunctionality=1 keeps insecure hands-free deployment enabled."
        exit 1
    }

    if ($allowValue -eq 0) {
        Write-Output "PATCHED: WDS installed, OS build $currentVersion meets or exceeds fixed threshold $fixedVersion, and secure mode is enforced (AllowHandsFreeFunctionality=0)."
        exit 0
    }

    Write-Output "UNKNOWN: WDS installed and OS build is patched, but AllowHandsFreeFunctionality is not set. If April 14, 2026 or later hardening is installed, default behavior is secure; otherwise verify manually in WDS diagnostics logs."
    exit 2
}
catch {
    Write-Output ('UNKNOWN: ' + $_.Exception.Message)
    exit 2
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not treat this like an internet-fire RCE; treat it like a deployment-network trust problem. Inventory every native WDS server, separate them from ConfigMgr PXE responders, and immediately identify any host still running with AllowHandsFreeFunctionality=1 so you can remove that exception in the next approved change window; because there is no active exploitation evidence and no KEV listing, there is no noisgate mitigation SLA — go straight to the 365-day remediation window. Under the noisgate remediation SLA, complete patching of affected WDS hosts and eliminate insecure hands-free usage within 365 days; if you find WDS on a shared or weakly segmented build VLAN, compress that internally because the real risk is concentrated and high-value even though the global reachable population is small.

Sources

  1. Microsoft Support KB5074952 - WDS hands-free deployment hardening guidance
  2. NVD entry for CVE-2026-0386
  3. OpenCVE mirror of CVE record including Microsoft CNA data and CISA ADP enrichment
  4. Windows Message Center note on WDS hardening for CVE-2026-0386
  5. Microsoft Learn - Network Ports Used by Windows Deployment Services
  6. Rapid7 vulnerability database entry with KB mappings
  7. CISA Known Exploited Vulnerabilities Catalog
  8. FIRST EPSS overview and data availability
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.