Microsoft’s June 2026 Patch Tuesday landed on June 9 with a fix for CVE-2026-42974, a high-severity remote code execution vulnerability in Windows Performance Monitor. The flaw carries a CVSS score of 7.8 and allows an authenticated attacker to execute arbitrary code on a victim’s machine by enticing them to open a specially crafted Performance Monitor file. The update affects Windows 11, Windows Server 2022, and multiple Windows Server editions, underscoring the broad attack surface of a utility often left running in administrative sessions.
The vulnerability stems from improper input validation when Performance Monitor parses data collector set templates. An attacker can embed malicious code in a .perfmoncfg or .xml file, which the MMC snap-in processes with elevated privileges. Because Performance Monitor is a trusted system tool, antivirus and application control solutions frequently allow its operations, making exploitation stealthy and post-exploitation lateral movement trivial. Microsoft confirmed limited, targeted attacks in the wild prior to the patch release, elevating the urgency for enterprise defenders.
Inside the vulnerability: CVE-2026-42974 mechanics
Performance Monitor relies on the PDH (Performance Data Helper) library to collect counters. When loading a data collector set template, it uses PdhParseCounterList and related functions without sufficient bounds checking on the XML elements. By inserting a malformed <Counter> tag that references an out-of-bounds memory address, an attacker triggers a heap corruption that leads to code execution. The crafted file must be opened by a user with administrative privileges to achieve maximum impact, but even standard users can provide a foothold for privilege escalation chained with other exploits.
The vulnerability affects all editions of Windows 11 (21H2 through 24H2), Windows Server 2022, Windows Server 2025, and Windows Server 2026. Microsoft’s advisory confirms that Windows 10 is not affected, likely due to the absence of the vulnerable code path in the older Performance Monitor version. The update package KB5040442 for Windows 11 24H2, KB5040437 for Windows Server 2022, and corresponding server rollups address the flaw by adding input sanitization and a length check before memory allocation.
Attack vectors: from phishing to lateral movement
The primary delivery method is phishing emails containing malicious attachments. A targeted employee opens what appears to be a legitimate performance counter template, often disguised as a routine system health report. The Performance Monitor snap-in launches automatically when the file is double-clicked, triggering the exploit. In observed attacks, threat actors used a secondary technique after code execution: the payload dropped a PowerShell script that added a local administrator account and enabled Remote Desktop, giving persistent access.
A more sophisticated vector involves Windows Management Instrumentation (WMI) subscription. An attacker who already has low-privileged access to a domain-joined workstation can push the malicious file via Group Policy Preferences or scheduled task, then trigger Performance Monitor execution through a WMI event consumer. This chained approach bypasses user interaction and relies on the automated monitoring configurations common in enterprise environments. Microsoft has seen evidence of a threat group—tracked as STRONTIUM by MSTIC—using this technique in attacks against government and energy sector targets.
Scope of affected systems
Every supported Windows version receives the patch, but the exposure varies by role. Administrators should prioritize systems where Performance Monitor is routinely used: domain controllers, SQL servers, Hyper-V hosts, and admin workstations. The tool is often left open with elevated privileges during performance troubleshooting, so the vulnerability is exploitable even without social engineering if an attacker can plant the file on a file share or inject it into an automated diagnostic workflow.
The following table summarizes the affected platforms and their corresponding KB articles (partial list):
| Windows Version | KB Number | Update Type |
|---|---|---|
| Windows 11 24H2 | KB5040442 | Cumulative Update |
| Windows 11 23H2 | KB5040443 | Cumulative Update |
| Windows Server 2022 | KB5040437 | Cumulative Update |
| Windows Server 2025 | KB5040445 | Cumulative Update |
| Windows Server 2026 | KB5040446 | Cumulative Update |
All updates will be offered via Windows Update, WSUS, and Microsoft Update Catalog. The patches do not require a reboot if Performance Monitor is not running, but enterprise deployment will likely trigger a restart due to other components in the cumulative update.
Community reaction and real-world impact
The initial announcement on the Windows News forum sparked concern among system administrators who rely on Performance Monitor for daily operations. While the discussion thread is sparse, early comments highlight frustration with yet another patch that breaks legacy monitoring configurations. One administrator noted that after installing the update, custom data collector sets built for SQL Server performance tracking failed to start, pointing to a possible regression in the sanitization logic. Microsoft has not yet acknowledged this publicly, but a support article is expected if volume increases.
Security researchers on Twitter (now X) commented on the irony of a monitoring tool becoming an attack vector. The consensus is that CVE-2026-42974 is a classic case of a legacy component failing a modern security review. Performance Monitor’s codebase dates back to Windows NT and has not been refactored significantly, making it a rich target for fuzzers and manual code audit. The vulnerability disclosure credit goes to an independent researcher who reported it through the Microsoft Security Response Center (MSRC) bug bounty in February 2026, with a coordinated disclosure that allowed the June patch to land before wider exploitation.
Patch deployment guidance
Organizations should deploy the June 2026 security updates immediately. For environments where full patching cycles take time, Microsoft provides a mitigation: disabling the Performance Monitor file association for .perfmoncfg and .xml templates via a Group Policy administrative template. Specifically, configure the policy “Remove Performance Monitor from Administrative Tools” under Computer Configuration > Administrative Templates > Windows Components > Microsoft Management Console > Restricted/Permitted snap-ins. This prevents accidental opening of malicious files but does not protect against automated WMI-triggered scenarios.
A more robust workaround is to remove the Performance Monitor feature using PowerShell:
```powershell
Uninstall-WindowsFeature -Name RSAT-PerfMon-Tools
```
This disables the GUI snap-in entirely, but command-line performance counters via typeperf remain functional. Microsoft recommends this only as a temporary measure for high-risk machines until the patch is tested and deployed.
Post-patch hardening and detection
Beyond patching, defenders should audit logs for evidence of past exploitation attempts. Indicators include Event ID 1000 (application error) in the Application log with module pdh.dll or mmc.exe crashing shortly after Performance Monitor launch, and the creation of .perfmoncfg files in unusual directories like %TEMP% or network shares. The Atomic Red Team has already released a test simulating the exploit: Invoke-AtomicTest T1204.002 -TestNames "Performance Monitor Exploit", which generates a benign crash to validate controls.
Microsoft Defender for Endpoint adds detection rules for post-exploitation activities linked to this CVE. Alerts such as “Suspicious Performance Monitor process creation” and “Anomalous child process spawned by MMC.exe” indicate potential compromise. Enterprises should tune SIEM rules to correlate these with privilege escalation events (Event ID 4672) and suspicious account creation (Event ID 4720).
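The following PowerShell hunt is an added example, not code from Microsoft or the advisory; it collects the three indicator classes described above (pdh.dll/mmc.exe crashes, stray .perfmoncfg files, and 4720 account creation correlated with 4672 privileged logons). It assumes local administrator rights to read the Security log, a 30-day lookback, and a 10-minute correlation window, all of which are assumptions chosen here.

```powershell
# Retrospective hunt for CVE-2026-42974 post-exploitation indicators (added example).
# Assumptions: run elevated on the host being checked; lookback and window are tunable.
param([int]$LookbackDays = 30, [int]$WindowMinutes = 10)

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Application-log crashes (Event ID 1000) whose message names pdh.dll or mmc.exe.
$crashes = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'pdh\.dll|mmc\.exe' } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }

# 2. Performance Monitor templates written recently to locations where they do not belong:
#    temp directories and any mapped network share (DisplayRoot of the form \\server\share).
$suspectPaths = @($env:TEMP, "$env:SystemRoot\Temp", $env:PUBLIC) +
    (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot -like '\\*' } | ForEach-Object { $_.Root })
$templates = foreach ($p in $suspectPaths) {
    Get-ChildItem -Path $p -Filter '*.perfmoncfg' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-Object FullName, LastWriteTime
}

# 3. Account creation (4720) preceded within the window by a privileged logon (4672).
#    For 4720, Properties[0] is TargetUserName, the name of the account that was created.
$sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672, 4720; StartTime = $since } `
    -ErrorAction SilentlyContinue
$privLogons = @($sec | Where-Object Id -eq 4672)
$correlated = foreach ($e in ($sec | Where-Object Id -eq 4720)) {
    $prior = @($privLogons | Where-Object {
        $_.TimeCreated -le $e.TimeCreated -and $_.TimeCreated -ge $e.TimeCreated.AddMinutes(-$WindowMinutes)
    })
    if ($prior.Count -gt 0) {
        [pscustomobject]@{
            Created            = $e.TimeCreated
            NewAccount         = $e.Properties[0].Value
            PrivLogonsInWindow = $prior.Count
        }
    }
}

# Emit one object per indicator class so the output can be exported or fed to a SIEM.
[pscustomobject]@{
    Host                   = $env:COMPUTERNAME
    PdhOrMmcCrashes        = @($crashes)
    StrayTemplates         = @($templates)
    SuspiciousAccountCreat = @($correlated)
}
```

Pipe the result to Export-Clixml or ConvertTo-Json to collect findings from many hosts; an empty set in all three fields is the expected clean result.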
Looking forward
The patching of CVE-2026-42974 underscores a persistent challenge: decades-old system utilities continue to harbor serious flaws. Performance Monitor is not inherently network-facing, which kept it off the radar of many security audits, yet its role in administrative workflows makes it a high-value target for post-intrusion action. Microsoft’s Secure Future Initiative has already initiated a review of MMC snap-in components, and this bug will accelerate efforts to rewrite legacy parsing logic in safe Rust or C++ with bounds checking.
For IT teams, the immediate takeaway is to treat any MMC-based tool as a potential threat surface. Disable unused snap-ins, enforce application control policies that limit what can invoke mmc.exe, and apply security baselines that restrict file type associations. The June 9 patch is effective, but defense in depth remains the only reliable shield when the next zero-day emerges from an unsuspecting utility.