On June 9, 2026, as part of its monthly Patch Tuesday release, Microsoft tackled a high-severity elevation-of-privilege vulnerability in Microsoft Office. The flaw, cataloged as CVE-2026-47293, specifically affects the Click-to-Run (C2R) servicing component and carries a CVSS score of 7.8. Successful exploitation could allow a local attacker to hijack system-level privileges, potentially compromising an entire Windows workstation or server. This vulnerability underscores the persistent security challenges that accompany complex update mechanisms and the importance of timely patching.

What is Office Click-to-Run?

Click-to-Run is a Microsoft streaming and virtualization technology designed to reduce the time required to install Office and to keep it updated with minimal user interaction. Unlike traditional Windows Installer (MSI) packages, C2R uses application virtualization to run Office in a sandboxed environment that isolates it from other applications. The technology downloads only the necessary files for a requested feature, enabling faster starts and seamless updates. A background service, touching multiple Office versions, manages these updates by checking Microsoft servers periodically, downloading new builds, and merging them into the local installation—all without user prompts.

Because this service must modify system files and registry settings, it runs with elevated privileges: specifically, as NT AUTHORITY\SYSTEM. This high privilege level is essential for installation operations but creates a tempting target for attackers. If the service can be tricked into executing malicious code, the attacker inherits those SYSTEM rights—sidestepping all user account control barriers.

Technical Breakdown of CVE-2026-47293

Microsoft’s advisory reveals that CVE-2026-47293 arises from a use-after-free bug within the Click-to-Run service. A use-after-free condition occurs when a program continues to reference a memory location after it has been freed, leading to unpredictable behavior. In the hands of a skilled attacker, dangling pointers can be exploited to redirect execution flow to attacker-controlled data, ultimately yielding arbitrary code execution.

In this specific case, the vulnerability resides in how the C2R service processes certain update-related messages or API calls. By sending specially crafted input—perhaps a malformed status query or a streaming request—an attacker can cause the service to release a critical memory object and later reference it in a safety-critical operation. Through heap grooming and other memory manipulation techniques, the attacker can place shellcode at that referenced location, which the high-integrity process then executes.

The attack vector is local, meaning the adversary must already have the ability to run code on the target machine. However, the required privileges are low: a standard user account suffices. No further user interaction is needed once the exploit is triggered, and the exploit’s complexity is rated as low. This makes the vulnerability especially dangerous as a second-stage payload in broader attack chains.

Who Is Affected?

According to Microsoft’s disclosure, the primary target is Microsoft Office 2019 when installed via Click-to-Run. This includes retail editions (Home & Student, Home & Business, Professional) and volume-licensed versions that opted for the C2R packaging. Office 2019 MSI deployments are not affected because they do not use the Click-to-Run service. At the time of the advisory, no explicit mention was made of Office 2021 LTSC or Microsoft 365 Apps, but security researchers caution that code overlap between the C2R pipelines could mean later versions share similar flaws. Users of any Click-to-Run-based Office should verify they are running the latest build.

Windows Server configurations are also in scope if they run Office 2019 C2R, although server roles typically favor MSI installations. Virtual desktop infrastructure (VDI) environments where Office is streamed via Click-to-Run are equally exposed, amplifying the risk in enterprise settings where a single compromised image could grant SYSTEM across dozens of session hosts.

Severity and Exploitability

Microsoft rated CVE-2026-47293 as “Important” with a CVSS base score of 7.8. The full vector string is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, meaning:

  • Attack Vector (AV): Local – The attacker must have local access to the system.
  • Attack Complexity (AC): Low – No special conditions needed.
  • Privileges Required (PR): Low – Only a standard user account.
  • User Interaction (UI): None – The user is not required to click or accept any prompts.
  • Scope (S): Unchanged – The vulnerability does not affect resources beyond the component’s security context.
  • Confidentiality (C), Integrity (I), Availability (A): High – Complete compromise of system data, system modifications, and denial of service.

The high impact across all three CIA triad elements reflects how privilege escalation to SYSTEM effectively hands over the entire machine. While the “Important” label might seem modest, the 7.8 score places it near the top of the severity scale for local issues. In practice, it means an attacker with a mere foothold—acquired through a phishing email or a weaponized document—can elevate to full SYSTEM control within seconds.

Patch Deployment and Verification

The fix is delivered through the standard Office Click-to-Run update channel. For most consumers and small businesses, the update is automatic. The C2R service periodically checks for new builds and downloads them in the background; the next time an Office application is restarted, the updated version loads. The June 2026 Patch Tuesday build number was not explicitly published in the CVE entry, but any Office 2019 installation with a build date on or after June 9, 2026, includes the fix.

To manually verify and force an update:

  1. Open any Office application, such as Word or Excel.
  2. Click File > Account (or Office Account in Outlook).
  3. Under Product Information, note the version and build number.
  4. Click Update Options > Update Now.
  5. After the update completes, the version should reflect the current month.

Enterprise administrators managing Office through Microsoft Configuration Manager, Intune, or the Office Deployment Tool must ensure their update policies allow immediate installation. The Office Deployment Tool can synchronize the latest build to a local file share using the /download command with an appropriate configuration XML. Group Policy objects that control Office update channels should be set to “Current Channel” or “Monthly Enterprise Channel,” which receive security fixes promptly.

Mitigation Strategies

Beyond applying the patch, defense-in-depth measures can reduce the risk of similar vulnerabilities:

  • Restrict local administrator rights: Standard user accounts with minimal privileges limit the initial execution abilities an attacker has. Enforce Just-in-Time (JIT) access for administrative tasks.
  • Application whitelisting: Use Windows Defender Application Control (WDAC) or AppLocker to prevent unknown executables from running. Even if an attacker gains code execution via another vector, the exploit payload for CVE-2026-47293 could be blocked if it is not a trusted application.
  • Enable endpoint detection and response (EDR): Solutions like Microsoft Defender for Endpoint can identify privilege escalation attempts by monitoring for suspicious process behavior—such as a low-privilege process spawning a SYSTEM process through unusual means.
  • Harden the Click-to-Run service: Verify that the Service Control Manager permissions for “Microsoft Office Click-to-Run Service” restrict start/stop/and interact rights to SYSTEM and TrustedInstaller. Use sc sdshow to inspect the service descriptor.
  • Network segmentation: In VDI and server environments, limit the ability of compromised endpoints to reach critical servers, even with SYSTEM tokens.

For temporary containment while testing patches, administrators can consider disabling the Click-to-Run service, though this will halt all Office updates and possibly disrupt Office functionality. A safer alternative is to use Windows Firewall rules to block outbound connections from the service to Microsoft update servers until the patch is verified—but this must be carefully coordinated to avoid breaking licensing activation.

Broader Implications

CVE-2026-47293 is not an isolated incident. Over the years, Microsoft has addressed several elevation-of-privilege bugs in its Office update mechanisms. In 2021, CVE-2021-27059 similarly abused the Office AutoUpdate service on macOS, also leveraging improper memory management. These recurring flaws highlight a fundamental tension: installers and updaters require high privileges to function, yet their complex codebases offer a broad attack surface. As Microsoft transitions all Office products to the Click-to-Run model, the potential blast radius of such vulnerabilities expands.

The June 2026 Patch Tuesday also included fixes for other critical vulnerabilities, but CVE-2026-47293 stands out for its potential to transform a minor compromise into a full system takeover. Security researchers have long warned that privilege escalation exploits are a prized component of advanced persistent threat (APT) toolkits and ransomware operations. A bug that silently grants SYSTEM from a standard user account can be weaponized quickly and integrated into malware loaders.

Conclusion

CVE-2026-47293 is a stark example of why keeping software updated is non-negotiable. The use-after-free bug in Office Click-to-Run could be a perfect vector for attackers aiming to move laterally within networks or to disable security tools before deploying ransomware. Microsoft’s rapid fix—and the automated update mechanism—makes it easy for the average user to stay secure with minimal effort. Enterprise administrators must ensure that centralized update management tools are delivering the patch without delay.

Ultimately, the most effective defense is a culture of prompt updates and proactive hardening. Verify your Office build today, audit your privilege management practices, and treat every local vulnerability as a potential gateway to system-wide compromise.