Microsoft released its July 14, 2026 security updates fixing CVE-2026-40400, a high-severity remote code execution vulnerability in Windows PowerShell that earned a CVSS 3.1 score of 8.0. The flaw allows an authenticated attacker with low privileges to execute arbitrary code over a network by exploiting a relative path traversal weakness when PowerShell processes a path an attacker can influence. While user interaction is required, the attack complexity is low, and successful exploitation can lead to total compromise of confidentiality, integrity, and availability on the affected system.
The Vulnerability and the Patch
CVE-2026-40400 is classified as Important rather than Critical because exploitation requires the attacker to already have authenticated access to the target and some level of user interaction. It is not an unauthenticated, self-propagating worm. However, the CVSS vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) tells a sobering story: the attack is deliverable over a network, technically simple to pull off, and yields full impact within the security context of the compromised PowerShell session.
At the core is a classic CWE-23 relative path traversal, where software fails to properly sanitize path components like ..\. In PowerShell, this can mean that a script, module, configuration artifact, or other object that resolves its file path from an attacker-controllable location might be tricked into loading and executing code from elsewhere. Microsoft has not disclosed the exact exploitation mechanism—whether through a crafted .ps1 file, a module manifest, a shortcut, or something else—so building narrow detection rules around a single file type is risky.
The fix is delivered through the July cumulative updates for Windows, not as a standalone PowerShell package. Updating Windows PowerShell 5.1 (the built-in component) via the servicing stack is what remediates the flaw. PowerShell 7, installed separately from GitHub or the Microsoft Store, is not mentioned as affected. Patch verification is therefore a matter of checking the operating system build number, not a PowerShell version string.
Who’s Affected
The vulnerability touches a broad family of supported Windows releases. On the client side, Microsoft lists Windows 10 versions 1607, 1809, 21H2, and 22H2, along with Windows 11 versions 24H2, 25H2, and 26H1. Server platforms span Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2025, and corresponding Server Core installations. The patched build numbers and associated KB articles (where published) include:
- Windows 10 1607 / Server 2016: build 14393.9339
- Windows 10 1809 / Server 2019: build 17763.9020 (KB5099538)
- Windows 10 21H2: build 19044.7548
- Windows 10 22H2: build 19045.7548
- Windows 11 24H2: build 26100.8875 (KB5101650)
- Windows 11 25H2: build 26200.8870 (KB5101650)
- Windows 11 26H1: build 28000.2525
- Windows Server 2022: build 20348.5386 (KB5099540)
- Windows Server 2025: build 26100.33158
Systems that have reached end of servicing can still be attacked, but they will not receive the July update through normal channels. Extended Security Updates or specialty SKUs like LTSC may have separate deployment paths.
What It Means for You
The practical risk depends on what a particular machine does. A standard office workstation is less likely to encounter malicious paths than a development machine, a build server, or an automation host that regularly fetches scripts from shared network locations.
For IT administrators and security teams, three scenarios warrant immediate attention:
Management servers and Privileged Access Workstations (PAWs). Even though the attacker needs low privileges, the subsequent code runs with the rights of the PowerShell process. An administrator who launches a compromised script with elevated credentials can hand over full control of a domain controller or other sensitive system. The CVSS scope is unchanged—meaning exploitation doesn’t automatically jump boundaries—but a foothold on a PAW or jump server is a direct on-ramp to lateral movement.
Automation and DevOps pipelines. Continuous integration runners, scheduled tasks, and configuration management systems often execute PowerShell scripts from repositories, network shares, or extracted archives. A manipulated path in an ingested artifact could turn a routine code checkout into a code-execution incident.
File servers and shared storage. While the vulnerability is not a server-side attack where an unauthenticated user targets a listening service, any scenario where a user opens or runs a PowerShell-related item from a network location opens the door if the path can be manipulated.
Home users should install the update, but their immediate risk is lower. The required user interaction means a targeted drive-by would likely be paired with social engineering—a booby-trapped script in a zip file, for example.
How We Got Here
Path traversal bugs have plagued software for decades, but their presence in PowerShell hits differently. PowerShell is no longer a niche scripting language; it’s the default management engine for Windows services, Active Directory, Exchange, Azure, and countless third-party products. Code that runs in PowerShell can access files, credentials, and system management interfaces with the full authority of the logged-on account. That makes even a constrained vulnerability like CVE-2026-40400 worth fixing quickly.
The July 2026 Patch Tuesday was unusually massive—BleepingComputer tallied 570 Microsoft vulnerabilities fixed, including 59 rated Critical and 145 remote code execution flaws. CVE-2026-40400 was not among the zero-days reported as actively exploited, but its low attack complexity and high impact place it in the “patch as soon as feasible” tier for enterprise environments. The National Vulnerability Database entry was still undergoing enrichment at publication, so organizations relying on NVD alone for risk scoring might need to consult the Microsoft Security Response Center directly.
What to Do Now
- Identify affected systems. Using your inventory or endpoint management tool, flag any Windows machine running one of the listed pre-patch builds. Include Server Core and management servers even if they rarely host interactive PowerShell sessions.
- Approve and deploy the July 2026 cumulative update. Windows Update, Windows Update for Business, WSUS, Microsoft Configuration Manager, Azure Update Manager—whichever pipeline you use, push the update as you normally would. Pilot testing is still advisable because the rollup contains many other security hardening changes, including work in networking, Secure Boot, NTLM auditing, and Remote Desktop publisher certificates.
- Verify patch installation. After the mandatory restart, check the OS build number against the corrected levels listed above. PowerShell’s
$PSVersionTablewill not show the fix; you must look at the operating system build viawinverorGet-ComputerInfo. - Deploy layered defenses while you wait. Application control policies (WDAC/AppLocker) can block unauthorized scripts and binaries. Turn on PowerShell script-block logging, module logging, and process creation auditing (Event ID 4688) to spot anomalies. Monitor your EDR for PowerShell processes spawning unexpected executables or reaching out to unusual network paths. None of these replace the patch, but they reduce the window of exposure.
Execution policy settings are not a reliable mitigation—they can be bypassed and do not constrain a flaw in path handling.
Outlook
As of July 14, no in-the-wild attacks leveraging CVE-2026-40400 had been detected, and CISA’s analysis indicated the vulnerability is not automatable. That could change once technical details become public. Microsoft typically withholds proof-of-concept code until the patch reaches broad deployment, but post-patch reverse engineering often surfaces within days. Security teams should treat the immediate period after release as a race: get the update deployed before exploitation attempts start. Beyond this specific CVE, the sheer volume of July’s Patch Tuesday underscores the need for rapid, reliable update processes that don’t buckle when a high-severity vulnerability lands alongside dozens of others.