Microsoft’s June 2026 Patch Tuesday delivered a critical fix for CVE-2026-45635, an Important-rated remote code execution (RCE) vulnerability in the Windows Universal Plug and Play (UPnP) Device Host. Disclosed on June 9, 2026, the flaw allows network-adjacent attackers to execute arbitrary code on vulnerable systems by sending specially crafted UPnP packets. With public listings available, the window for exploitation is narrowing fast.

What Is CVE-2026-45635?

CVE-2026-45635 is a security vulnerability in the Windows UPnP Device Host service, which is part of the UPnP network protocol stack. UPnP allows devices on a local network to discover each other and establish functional network services for data sharing, communications, and entertainment without manual configuration. The Windows UPnP Device Host handles discovery and control of UPnP devices from the operating system side.

The vulnerability carries an Important severity rating under Microsoft’s classification system, one step below Critical. That designation typically indicates that exploitation could result in compromise of confidentiality, integrity, or availability, but may require user interaction or specific configurations. In this case, the attack vector is network-adjacent, meaning an attacker must be on the same logical network segment as the target. No user interaction is required—simply sending malicious UPnP traffic to an exposed device could trigger the flaw.

Microsoft has not released extensive technical details, but the disclosure notes public listings. This suggests that either proof-of-concept code or a detailed write-up of the vulnerability is already circulating in security circles. Such early exposure dramatically raises the risk of active exploitation, especially for an entry point as widely available as UPnP.

How UPnP Device Host Works—and Fails

The Windows UPnP Device Host service (upnphost) runs by default on many Windows versions, responding to SSDP (Simple Service Discovery Protocol) and GENA (General Event Notification Architecture) requests. It allows applications to advertise their services and respond to control requests from UPnP control points. Historically, this service has been a target for attackers because it often runs with elevated privileges and listens on all network interfaces.

RCE vulnerabilities in such services typically arise from parsing flaws—when a service processes specially crafted data without proper validation, an attacker can corrupt memory and redirect execution flow. In the context of UPnP, a malformed HTTP-like header or a SOAP-based control message could trigger a buffer overflow, use-after-free, or other memory safety bug. CVE-2026-45635 may follow this pattern, enabling an attacker to execute arbitrary code in the context of the UPnP Device Host service, which often operates with SYSTEM or NETWORK SERVICE privileges.

Because UPnP is designed for seamless device interaction, the protocol is inherently trusting. Discovery messages are broadcast over UDP port 1900, and control endpoints listen on TCP ports allocated by the service. An attacker with network adjacency—such as someone on the same Wi-Fi network, a compromised IoT device, or an internal actor—can easily reach these ports.

Public Disclosure Raises the Stakes

A key detail in Microsoft’s advisory is the mention of “public listings.” That phrase indicates that more than just a CVE number is out there: functional exploit code, a detailed technical analysis, or both may be available. When exploit code is public before a patch, the timeline shifts from “patch soon” to “patch immediately.” Attackers can weaponize the information within hours, and automated scanning tools quickly adapt to seek out vulnerable hosts.

This is not the first time UPnP has been in the spotlight. Over the years, numerous flaws have been discovered in UPnP implementations across operating systems and embedded devices. For instance, CVE-2020-16875 was a Windows UPnP vulnerability disclosed in 2020 that also allowed remote code execution. Similarly, router and IoT UPnP flaws have been used in massive botnet infections. The recurrence of such issues highlights the risk of a protocol that prioritizes convenience over security.

Who Is Affected?

While Microsoft has not provided a definitive list of affected Windows versions in the initial advisory, historical patterns suggest that all currently supported client and server releases are likely affected. This includes Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and possibly older configurations still receiving security updates via Extended Security Updates (ESU).

The UPnP Device Host service is not always enabled by default in minimal server installations, but it is often active on workstations and systems where media sharing, network discovery, or HomeGroup functionality (legacy) has been turned on. Administrators should verify the state of the upnphost service, especially on critical servers or internet-exposed machines.

Attack Surface and Real-World Risk

An attacker must be on the same network segment to exploit CVE-2026-45635. That may sound limiting, but consider modern network architectures: corporate guest Wi-Fi, compromised VPN endpoints, cloud-hosted Windows instances with public interfaces, and the growing number of IoT devices sharing internal networks. Each of these represents a potential launchpad for lateral movement.

A successful attack could grant the attacker SYSTEM-level privileges on the targeted machine. From there, they could install persistent backdoors, exfiltrate sensitive data, or move laterally into more critical systems. Even if the initial foothold is on a low-value workstation, it often serves as a stepping stone to domain controllers and file servers.

Because UPnP is a broadcast-based protocol, an attacker could also use it to conduct denial-of-service attacks or to spoof devices on the network. The full impact depends on the nature of the vulnerability, but RCE flaws are almost always severe.

Mitigation and Workarounds

The primary mitigation is straightforward: apply the June 2026 Patch Tuesday update as soon as possible. Microsoft’s Security Update Guide provides the specific KB article and download links for each affected platform. Organizations with patch management systems should prioritize this update, especially for systems that cannot be isolated from potentially hostile network segments.

If immediate patching is not possible, consider these workarounds:

  • Disable the UPnP Device Host service: This can be done through the Services management console or via Group Policy. Stopping the service and setting its startup type to “Disabled” eliminates the attack surface entirely. Be aware that this may break any application that relies on UPnP for discovery or control, such as media servers or networked printers that use standard UPnP interfaces.
  • Block UPnP traffic at the firewall: Restrict inbound traffic on UDP port 1900 and TCP ports used by UPnP control services (dynamically allocated but often in the 2869 and 5000 range). On internal networks, consider using network segmentation to limit broadcast domains.
  • Network segmentation: Where possible, isolate Windows systems from unknown or less-trusted devices on the same network segment. For example, place IoT devices on a separate VLAN with strict access controls.

Microsoft may also have released alternative mitigations in the form of microcode updates or registry keys. Check the CVE-2026-45635 advisory for any additional Defense-in-Depth recommendations.

Patch Tuesday June 2026: A Broader View

June 2026’s Patch Tuesday includes fixes for a total of X vulnerabilities across various Microsoft products. (While the exact number is not provided here, Patch Tuesday releases routinely address 50–100+ CVEs.) Among them, CVE-2026-45635 stands out because of its public listing and the nature of the affected component. Other vulnerabilities may carry higher severity ratings, but public availability of exploit information often makes such flaws a top priority regardless of official label.

IT administrators should consult the full release notes for their specific environments. Zero-day exploits are becoming more common, and chaining multiple low-severity bugs can lead to complete compromise. This month’s updates also address issues in Microsoft Office, Edge, Exchange Server, and the Windows kernel. A holistic patching strategy, starting with publicly disclosed and actively exploited vulnerabilities, is essential.

Long-Term Implications for UPnP in Windows

CVE-2026-45635 is not an isolated incident. The UPnP protocol, while useful, has been a source of security headaches for decades. Its complexity, reliance on outdated protocols (HTTP over UDP without encryption), and assumption of a trusted local network make it fundamentally risky. Many security experts have long recommended disabling UPnP wherever possible.

Microsoft’s own security guidance often suggests reducing the attack surface by turning off unnecessary services. The UPnP Device Host is a prime candidate for reduction, especially on servers and locked-down workstations. The fact that this vulnerability required a patch in 2026—years after similar issues were found—suggests that the underlying codebase remains difficult to fully secure.

For consumers, the takeaway is simple: keep Windows Update enabled and install June’s patches. For enterprises, this is another reminder to audit network services and enforce least-privilege networking. The best patch is sometimes a configuration change that removes the code entirely.

What to Do Now

  1. Identify affected systems: Use your asset management tools to find Windows hosts running the UPnP Device Host service. PowerShell command Get-Service upnphost can help.
  2. Apply the patch: Deploy the June 2026 security update to all affected systems through your normal patch management process. Schedule a reboot if necessary.
  3. Verify and monitor: After patching, confirm that the service remains operational if needed, or disable it if not. Monitor network traffic for signs of UPnP-based attacks; unusual SSDP traffic often indicates scanning.
  4. Plan for long-term hardening: Consider removing UPnP from your standard desktop and server builds unless there is a clear business requirement. For cases where UPnP is necessary, isolate those systems from sensitive network segments.

Microsoft’s prompt fix and early disclosure of public listings mean that the race is on. Attackers are already analyzing the patch and reverse-engineering the flaw. Every hour that passes without patching increases the chance that your organization becomes a target.

Stay informed through the Microsoft Security Response Center blog and other trusted security outlets for any updates on exploitation activity related to CVE-2026-45635.