Affected systems
CVE-2026-45648 affects Active Directory Domain Services on Windows Server 2022 and Windows Server 2025, including Server Core installations. A domain-authenticated attacker with access to the NSPI RPC interface can send crafted input to the directory service. The required privileges are low and no user interaction is needed.
Even without known active exploitation, this belongs in the short patch queue. Remote code execution in the directory service affects the identity tier directly, not just another Windows server.
What operators should check now
- Inventory domain controllers: Cover every DC in every site, including RODCs, recovery environments, powered-off VMs, and Server Core installations.
- Prove June update coverage: For Windows Server 2022, verify build 20348.5256 or later. For Windows Server 2025, verify build 26100.32995 or later.
- Complete the reboots: Treat DC patching as unfinished until reboots and replication health are documented.
- Review DC reachability: Limit RPC, SMB, LDAP, and Kerberos paths to required source networks. Pay close attention to DMZ, guest, weak VPN, and non-admin networks.
- Watch for anomalies: Monitor LSASS or directory service crashes, RPC errors, unusual NSPI/address book queries, and new authentication failures after the patch window.
Fast verification
- Per domain controller: operating system, role, site, build number, installed cumulative update, last reboot.
- Per network zone: documented need for DC port access, not inherited broad reachability.
- For delayed DCs: owner, expiry date, accepted risk, and temporary segmentation control.
If only one step is possible immediately: prove build and reboot state for every domain controller, then remove unplanned DC reachability.
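The check the last sentence describes, covering the "inventory domain controllers", "prove June update coverage" and "complete the reboots" items together with the per-DC fields of the fast verification list, as an added PowerShell example that is not part of this advisory. It assumes the ActiveDirectory RSAT module on the admin host, WinRM access to every DC, and a `$PatchWindowStart` date that the operator sets to their own deployment date (the value below is a constructed placeholder). The build thresholds are the ones stated above: 20348.5256 for Windows Server 2022 and 26100.32995 for Windows Server 2025.

```powershell
# Added example, not from the advisory. Reports build/UBR and reboot state for every DC.
# Assumptions: ActiveDirectory module available, WinRM reachable on each DC,
# and $PatchWindowStart set by the operator (placeholder date below).
Import-Module ActiveDirectory

# Minimum UBR per base build, taken from the advisory's stated thresholds.
$RequiredUbr = @{
    '20348' = 5256    # Windows Server 2022 -> 20348.5256 or later
    '26100' = 32995   # Windows Server 2025 -> 26100.32995 or later
}
$PatchWindowStart = Get-Date '2026-06-01'   # PLACEHOLDER: set to your own rollout date

# Inventory: every DC in every site, RODCs included (Server Core DCs need no extra handling;
# the remote script block uses only the registry and CIM, both present on Core).
$dcs = Get-ADDomainController -Filter *

$results = foreach ($dc in $dcs) {
    try {
        $info = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
            $os  = Get-CimInstance Win32_OperatingSystem
            [pscustomobject]@{
                CurrentBuild = $ver.CurrentBuild
                UBR          = [int]$ver.UBR
                LastBoot     = $os.LastBootUpTime
            }
        }

        $minUbr = $RequiredUbr[$info.CurrentBuild]
        $status = if ($null -eq $minUbr)          { 'UnknownBuild' }   # not 2022/2025: review manually
                  elseif ($info.UBR -ge $minUbr)  { 'MeetsThreshold' }
                  else                            { 'NEEDS-UPDATE' }

        [pscustomobject]@{
            DC                 = $dc.HostName
            Site               = $dc.Site
            IsRODC             = $dc.IsReadOnly
            OperatingSystem    = $dc.OperatingSystem
            Build              = "$($info.CurrentBuild).$($info.UBR)"
            Status             = $status
            LastBoot           = $info.LastBoot
            UptimeHours        = [math]::Round(((Get-Date) - $info.LastBoot).TotalHours, 1)
            # Build at threshold but no reboot since the rollout: treat patching as unfinished.
            RebootedSincePatch = ($info.LastBoot -gt $PatchWindowStart)
        }
    }
    catch {
        # An unreachable DC is a finding too: it cannot be proven patched.
        [pscustomobject]@{
            DC = $dc.HostName; Site = $dc.Site; IsRODC = $dc.IsReadOnly
            OperatingSystem = $dc.OperatingSystem; Build = 'n/a'
            Status = "Unreachable: $($_.Exception.Message)"
            LastBoot = $null; UptimeHours = $null; RebootedSincePatch = $false
        }
    }
}

# Anything not both at threshold and rebooted since the rollout goes to the top of the list.
$results |
    Sort-Object @{ Expression = { $_.Status -eq 'MeetsThreshold' -and $_.RebootedSincePatch } }, DC |
    Format-Table DC, Site, IsRODC, Build, Status, LastBoot, RebootedSincePatch -AutoSize

# Keep the evidence: this CSV is the per-DC record the fast verification list asks for.
$results | Export-Csv -Path .\dc-patch-status.csv -NoTypeInformation
```

Run it from a host with the AD module and a DC-admin credential. A DC that shows `MeetsThreshold` but `RebootedSincePatch = False` is the case the reboot item above warns about, and an `Unreachable` row should be resolved rather than ignored, since a DC you cannot query is a DC you cannot prove patched. Powered-off VMs and recovery-environment DCs will not appear in `Get-ADDomainController` output in a useful state and still have to be tracked by hand.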
