CVE-2026-54999 – Windows TCP/IP Remote Code Execution Vulnerability

CVSS 8.8 IMPORTANT Critical or Zero Day – Immediate Deployment

“An attacker on the same network can turn a timing flaw into full system compromise without needing credentials or user action.”

A race condition in Windows TCP/IP allows an unauthorized attacker on an adjacent network to execute arbitrary code on an affected system. The flaw requires no privileges and no user interaction, which increases the risk in shared, local, wireless, and segmented network environments. Successful exploitation could compromise the confidentiality, integrity, and availability of the targeted device.

CVSS Score: 8.8

SEVERITY: Critical

THREAT:
The vulnerability creates a remote code execution risk for systems reachable from an adjacent network. An attacker does not need authentication or user interaction, but must be positioned on the same local or logically adjacent network as the target. Successful exploitation could allow the attacker to run malicious code, take control of the system, disrupt services, or use the compromised device to attack other systems.

EXPLOITS:
At the time of publication, exploitation was assessed as less likely. The vulnerability was not publicly disclosed and was not known to be actively exploited. No public exploit or proof-of-concept code is confirmed in the available data.

TECHNICAL SUMMARY:
The vulnerability is caused by CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization, commonly known as a race condition. Windows TCP/IP does not properly synchronize access to a shared resource during concurrent processing. An attacker on an adjacent network could trigger the race condition by sending specially crafted network traffic to a vulnerable system.
Because the attack complexity is low, the attacker does not need to overcome difficult technical conditions beyond gaining adjacent network access. Successful exploitation could result in arbitrary code execution with significant impact to confidentiality, integrity, and availability. The vulnerability requires no privileges and no action from the user.

EXPLOITABILITY:
Affected software includes Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 24H2, 25H2, and 26H1; and Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, including applicable Server Core installations.
An attacker must have access to an adjacent network and send specially crafted traffic to the vulnerable system. No credentials or user interaction are required.

BUSINESS IMPACT:
Successful exploitation could give an attacker control of a vulnerable endpoint or server, leading to malware installation, data theft, system outages, security control bypass, or lateral movement. Devices on shared office networks, wireless networks, hosting environments, and poorly segmented internal networks may face greater exposure.
Because the vulnerability affects the Windows networking stack, exploitation could impact critical servers and workstations without requiring users to open a file or click a link. A compromised system could become an entry point for a broader attack across the organization.

WORKAROUND:
No mitigations or workarounds are available. Apply the applicable Microsoft security update. Network segmentation and restricting untrusted access to local network segments may help reduce exposure until patching is complete.

URGENCY:
This vulnerability is rated Critical and allows remote code execution without authentication or user interaction. Although exploitation is currently assessed as less likely and no active exploitation is confirmed, the low attack complexity and broad range of affected Windows systems make timely patching important. Prioritize systems connected to shared, wireless, exposed, or insufficiently segmented networks.

Key Details

Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-362
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.