#VU121231 Improper access control in Microsoft products - CVE-2026-20929

Published: January 13, 2026


Vulnerability identifier: #VU121231
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-20929
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Windows
Windows Server
Microsoft Internet Information Services (IIS)
Software vendor:
Microsoft

Description

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to improper access restrictions in Windows HTTP.sys, the kernel-mode HTTP protocol stack used by IIS and other Windows HTTP listeners. A remote user can send specially crafted packets to the system and execute arbitrary code with SYSTEM privileges.

Note, successful exploitation of the vulnerability requires a Service Principal Name (SPN) that is registered to an account that no longer exists or is no longer in use. This is the preparatory condition reflected by AT:P in the CVSS vector above; environments that have no abandoned HTTP/ SPNs do not meet it.
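Because the precondition is an abandoned SPN, the check a practitioner wants before and after patching is an inventory of HTTP/ SPNs whose owning account is disabled, expired or stale, or whose host name no longer exists. The following PowerShell script is an added example and not part of the advisory or any vendor tooling; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory, and the 90-day staleness threshold and the restriction to HTTP/ SPNs are assumptions chosen for this HTTP.sys issue.

```powershell
# Added example (not from the advisory): find HTTP/ SPNs that are registered to
# accounts that look abandoned (disabled, expired, or no logon in $StaleDays days)
# or whose host part no longer resolves in DNS.
# Assumptions: RSAT ActiveDirectory module is installed; HTTP/ prefix and the
# 90-day threshold are arbitrary choices for this example.
param(
    [int]$StaleDays = 90
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$StaleDays)
$ACCOUNTDISABLE = 0x2   # userAccountControl bit for a disabled account

# Only objects that own at least one HTTP/ SPN matter for an HTTP.sys issue.
# Non-default attributes must be requested explicitly with -Properties.
$owners = Get-ADObject -LDAPFilter '(servicePrincipalName=HTTP/*)' `
    -Properties servicePrincipalName, userAccountControl, lastLogonTimestamp, accountExpires, objectClass

$findings = foreach ($acct in $owners) {
    # lastLogonTimestamp is replicated lazily (up to 14 days of lag), so it is
    # good enough for "is anyone still using this" but not for exact timestamps.
    $lastLogon = if ($acct.lastLogonTimestamp) { [DateTime]::FromFileTime($acct.lastLogonTimestamp) } else { $null }
    # accountExpires of 0 or Int64.MaxValue means "never expires".
    $expires = if ($acct.accountExpires -and $acct.accountExpires -ne [Int64]::MaxValue) {
        [DateTime]::FromFileTime($acct.accountExpires)
    } else { $null }

    $reasons = @()
    if ($acct.userAccountControl -band $ACCOUNTDISABLE) { $reasons += 'disabled' }
    if ($expires -and $expires -lt (Get-Date)) { $reasons += 'expired' }
    if (-not $lastLogon -or $lastLogon -lt $cutoff) { $reasons += "no logon in $StaleDays days" }

    foreach ($spn in ($acct.servicePrincipalName | Where-Object { $_ -like 'HTTP/*' })) {
        # SPN format is service/host[:port][/name]; keep only the host part.
        $hostName = ($spn.Split('/')[1]).Split(':')[0]
        $spnReasons = $reasons   # += below creates a new array, so $reasons is untouched
        try { $null = Resolve-DnsName -Name $hostName -DnsOnly -ErrorAction Stop }
        catch { $spnReasons += 'host does not resolve' }

        if ($spnReasons.Count -gt 0) {
            [pscustomobject]@{
                Account   = $acct.Name
                Class     = $acct.objectClass
                SPN       = $spn
                LastLogon = $lastLogon
                Reasons   = ($spnReasons -join ', ')
            }
        }
    }
}

$findings | Sort-Object Account, SPN | Format-Table -AutoSize
```

Run it with an account that can read the directory; every row is an SPN to either remove (setspn -D) or re-home to the account that actually runs the service. A quick cross-check without the module is `setspn -Q HTTP/*`, which lists the same SPNs but without the staleness reasoning. Cleaning these up removes the precondition but does not replace installing the update.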

Remediation

Install updates from vendor's website.

External links