01 · The Real Story
This is less a front-door smash and more a ring of spare keys for an intruder already inside
Tenable plugin 283466 is not one bug; it is a missing cumulative update for Windows 10 Version 1607 and Windows Server 2016. Systems below OS build 10.0.14393.8783 are missing KB5073722 and remain exposed to a bundle of issues, including a KEV-listed local DWM information disclosure (CVE-2026-20805), a remote RRAS RCE (CVE-2026-20868), multiple EoP bugs, and two older modem-driver issues that are useful for BYOVD-style privilege escalation.
The scary part is the bundle, not the vendor labels in isolation. Tenable's plugin is High, and that is closer to reality than a blanket Critical call: the most important in-the-wild issue in this set requires local authenticated access, while the most severe network bug requires RRAS exposure plus user interaction. That is dangerous across a large Windows fleet, but it is not the same as a wormable internet-entry bug on every Server 2016 host.
"Treat this as a high-priority Windows rollup: real risk is post-compromise elevation, not clean unauthenticated internet RCE."
02 · The Attack Path
4 steps from start to impact.
STEP 01
Land on a vulnerable host
The practical chain starts after initial access: phishing, stolen VPN credentials, malicious RMM, or a low-privileged foothold on a Windows 10 1607 or Server 2016 endpoint. For this rollup, the highest-confidence abuse path is not 'hit port 443 and win'; it is 'already on the box, then go up'.
Conditions required:
- Attacker has code execution or an authenticated low-privilege session on a target host
- Target is Windows 10 1607 or Windows Server 2016 below build 10.0.14393.8783
Where this breaks in practice:
- Email security, MFA, web filtering, and EDR should block many initial-access routes
- A lot of Server 2016 estate is internal-only, which means the attacker usually needs a prior foothold
Detection/coverage: Nessus detects the missing KB reliably by version/build; it does not prove exploitability of every included CVE on that host.
STEP 02
Use the KEV-listed DWM leak as an exploit helper
With
CVE-2026-20805, an authenticated local attacker can leak sensitive address information from Desktop Window Manager. On its own this is not full compromise, but it is exactly the kind of primitive operators use to weaken exploit mitigations such as KASLR before a follow-on privilege-escalation step.Conditions required:
- Local authenticated access
- Unpatched DWM on an affected build
Where this breaks in practice:
- This is not a standalone RCE; it needs chaining to create real operational impact
- Servers running minimal GUI usage reduce the practical value compared with workstation abuse, though Server 2016 is still affected
Detection/coverage: Detection is weak if you only look for the CVE directly; better coverage comes from EDR telemetry around unusual handle queries, ALPC abuse, and exploit-chain behavior.
STEP 03
Escalate to SYSTEM with a local kernel or driver primitive
The same plugin also covers local escalation routes, including public BYOVD-friendly driver bugs such as
CVE-2023-31096 and CVE-2024-55414, plus other January 2026 EoP fixes. In practice, attackers use these to move from user to SYSTEM, disable defenses, dump creds, or stage ransomware.Conditions required:
- Attacker can execute code locally
- Affected vulnerable driver or unpatched local EoP path is reachable
- Defender protections do not block the vulnerable driver or kernel exploit chain
Where this breaks in practice:
- Microsoft vulnerable-driver blocklists, WDAC, HVCI, and modern EDR reduce success
- Some of the driver paths depend on the presence of specific legacy components
Detection/coverage: Good EDRs often catch the behavior better than scanners do: look for signed-but-known-bad drivers, service installs, kernel callbacks, and security-tool tampering.
STEP 04
Alternate remote path: RRAS edge box abuse
CVE-2026-20868 is the reason this rollup cannot be treated as medium backlog. It is a network RCE in Windows RRAS, but the CNA vector includes UI:R, which means the path is materially narrower than a zero-click service bug and mostly matters on the minority of Server 2016 hosts actually running RRAS/VPN roles.Conditions required:
- RRAS is enabled on the target
- Attacker can reach the service over the network
- The required user interaction condition is satisfiable
Where this breaks in practice:
- Most enterprises do not expose large numbers of RRAS servers to the internet anymore
- User interaction substantially lowers mass exploitation potential
- NGFW policy, segmentation, and service hardening often remove reachability
Detection/coverage: Scanner coverage is version-based. Validate RRAS role presence separately via Windows features/services and prioritize internet-facing gateways first.
03 · Intelligence Metadata
The supporting signals.
| Tenable baseline | Plugin 283466 is rated High by Tenable, with VPR 8.9; the plugin itself says the host is affected by multiple vulnerabilities because KB5073722 is missing. |
|---|---|
| In-the-wild status | At least one included flaw, CVE-2026-20805, is actively exploited and was added to CISA KEV on 2026-01-13. |
| KEV deadline | NVD records the CISA due date as 2026-02-03 for CVE-2026-20805, which is strong signal that this rollup contains live attacker value. |
| Most important real-world bug | CVE-2026-20805 is a local DWM information disclosure: CVSS 5.5, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. Translation: useful in exploit chains, not an unauthenticated entry bug. |
| Scariest technical bug | CVE-2026-20868 is an RRAS network RCE with CVSS 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The UI:R requirement is the big severity brake. |
| Proof-of-concept availability | Tenable marks the rollup Exploit Available: true. Public PoC chatter exists for CVE-2026-20805 and public exploit material exists for included driver bugs such as CVE-2024-55414. |
| EPSS | For CVE-2026-20805, public snapshots show roughly 5%–7% EPSS, around the 88th percentile. That is high for a nominally medium CVSS local disclosure and lines up with KEV status. |
| Affected versions | Windows 10 1607 and Windows Server 2016 are affected when below 10.0.14393.8783. |
| Fixed version | KB5073722 raises these platforms to OS build 14393.8783. Because this is a cumulative update, any later LCU also remediates it; Microsoft later published KB5087537 at 14393.9140. |
| Exposure reality | Internet-scale risk is not uniform across all affected hosts. The remote path matters mainly for the subset running RRAS and reachable from untrusted networks; the broader enterprise risk is post-compromise privilege escalation across a big installed base. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to HIGH (8.2/10)
The decisive factor is that the best-attested attacker activity in this rollup is KEV-listed but local/authenticated, which makes it a powerful post-compromise escalator rather than a universal edge-service fire. I kept this at HIGH because Server 2016 and Windows 10 1607 are still common in legacy fleets, and the rollup bundles multiple chainable privilege-escalation primitives plus an RRAS RCE for the smaller exposed subset.
HIGH Affected build range and fixed build mapping for Windows 10 1607 / Server 2016
HIGH Presence of active exploitation via `CVE-2026-20805` in KEV
MEDIUM Operational prevalence of externally reachable RRAS in the average enterprise
Why this verdict
- Start from Tenable High: the plugin already lands at High, not Critical, and that baseline is sensible for a monthly Windows rollup on a widely deployed legacy platform.
- Downward adjustment: the live KEV bug is post-initial-access.
CVE-2026-20805needs local low privileges. That implies the attacker already beat your email gateway, VPN, RMM hygiene, or endpoint controls before this CVE matters. - Downward adjustment: the network RCE is narrower than it looks.
CVE-2026-20868is RRAS-specific and carriesUI:R. Real fleets have far fewer exposed RRAS servers than total Server 2016 hosts, and user interaction cuts wormability sharply. - Upward adjustment: chain value is real. Public exploit material for included driver bugs and a KEV-listed DWM primitive make this rollup useful for turning a basic foothold into SYSTEM.
- Upward adjustment: blast radius across a 10k-host fleet is large. Even if each single CVE has friction, legacy Windows estate tends to be broad, privileged, and operationally sticky.
Why not higher?
I am not calling this CRITICAL because the cleanest evidence of exploitation in this package is not an unauthenticated remote code execution path. The remote RRAS issue is serious, but the combination of specific role exposure and user interaction keeps it out of the same class as an internet-wide zero-click service bug.
Why not lower?
I am not dropping this to MEDIUM because active exploitation is already on record via KEV, and the update contains multiple privilege-escalation routes that materially improve attacker outcomes after foothold. In a large enterprise, post-compromise privilege escalation on a common Windows platform is still an operations problem, not mere backlog hygiene.
05 · Compensating Control
What to do — in priority order.
- Prioritize exposed RRAS servers first — Identify Server 2016 hosts running the RRAS role and any system reachable from untrusted networks, then isolate, restrict, or patch them immediately, within hours because this rollup contains active exploitation evidence and a remote RRAS path.
- Block known vulnerable drivers — Enforce the Microsoft vulnerable driver blocklist, WDAC, and HVCI/Memory Integrity where supported to blunt BYOVD-style abuse from included driver issues; deploy or verify these controls immediately, within hours on high-value admin and server tiers.
- Constrain low-privilege execution — Reduce local attacker maneuver room with application control, restricted admin rights, and tighter interactive logon policy, especially on jump hosts and terminal servers; apply these guardrails immediately, within hours while patch rollout catches up.
- Hunt for exploit-chain behavior — Tune EDR detections for
dwm.exeabuse, unusual ALPC/handle enumeration, signed vulnerable driver loads, service creation, LSASS access, and security-tool tampering; activate those detections immediately, within hours because prevention is imperfect. - Remove unused RRAS roles — If RRAS/VPN routing is not business-critical, disable the role or block inbound reachability to shrink the only meaningful remote path in this bundle; complete this reduction immediately, within hours on internet-facing systems.
What doesn't work
- A WAF does not help against the most realistic path here; the KEV bug is local and the driver issues are kernel/endpoint problems.
- Relying on CVSS alone overstates the RRAS path and understates the KEV local chain; this is exactly the kind of rollup where raw label triage misfires.
- Plain AV signatures are not enough against signed vulnerable-driver abuse; if the driver is allowed to load, the attacker may already be where they need to be.
06 · Verification
Crowdsourced verification payload.
Run this on the target Windows 10 1607 / Server 2016 host from an elevated or standard PowerShell session; admin is not required for the registry reads it uses. Invoke it as powershell -ExecutionPolicy Bypass -File .\check-kb5073722.ps1. It outputs VULNERABLE, PATCHED, or UNKNOWN and uses exit codes 1, 0, and 2 respectively.
# check-kb5073722.ps1
# Verifies whether a host is patched for KB5073722 or any later cumulative update
# targeting Windows 10 Version 1607 / Windows Server 2016 (build 14393.8783+)
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
$ErrorActionPreference = 'Stop'
function Exit-WithResult {
param(
[string]$Status,
[string]$Message,
[int]$Code
)
Write-Output "$Status - $Message"
exit $Code
}
try {
$cvKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$cv = Get-ItemProperty -Path $cvKey
$productName = [string]$cv.ProductName
$currentBuild = [int]$cv.CurrentBuildNumber
$ubr = if ($null -ne $cv.UBR) { [int]$cv.UBR } else { $null }
if ($currentBuild -ne 14393) {
Exit-WithResult -Status 'UNKNOWN' -Message "Host build is $currentBuild ($productName); plugin 283466 applies to build 14393 platforms only." -Code 2
}
if ($null -eq $ubr) {
Exit-WithResult -Status 'UNKNOWN' -Message "Unable to read UBR for build 14393 ($productName)." -Code 2
}
$fullVersion = "10.0.$currentBuild.$ubr"
# KB5073722 brings Windows 10 1607 / Server 2016 to 10.0.14393.8783.
# Any later cumulative update on the same branch is also sufficient.
if ($ubr -ge 8783) {
Exit-WithResult -Status 'PATCHED' -Message "$productName is at $fullVersion (>= 10.0.14393.8783). KB5073722 or a later cumulative update is installed." -Code 0
}
else {
Exit-WithResult -Status 'VULNERABLE' -Message "$productName is at $fullVersion (< 10.0.14393.8783). KB5073722 or later cumulative update is missing." -Code 1
}
}
catch {
Exit-WithResult -Status 'UNKNOWN' -Message $_.Exception.Message -Code 2
}
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning: treat this as a HIGH Windows rollup, but front-load the RRAS-enabled and internet-reachable Server 2016 boxes, plus admin workstations and terminal servers where post-compromise privilege escalation hurts most. Because the bundle contains active exploitation evidence through
CVE-2026-20805, override normal timing and patch / mitigate immediately, within hours for those priority groups; for the rest of the affected 1607/2016 estate, drive a structured campaign to complete the patch under the noisgate mitigation SLA immediate override and finish full cumulative-update remediation under the noisgate remediation SLA of ≤ 180 days.Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.