🔴 Critical  |  Source: Microsoft Security Response Center


A heap-based buffer overflow vulnerability in Windows Active Directory Domain Services allows an unauthenticated attacker to remotely execute arbitrary code over a network without any user interaction. Active Directory is the backbone of identity and access management in most enterprise Windows environments, meaning a successful exploit could grant an attacker deep control over an organisation’s entire directory infrastructure. This makes it an exceptionally high-impact vulnerability, particularly for hybrid cloud environments where on-premises AD is federated with Azure Active Directory (Entra ID).

Security Architect’s Take: Prioritise patching all Domain Controllers immediately, as unauthenticated remote code execution on AD DS is effectively a full domain compromise vector. If your organisation runs a hybrid identity model with Azure Entra ID, also review your federated trust configurations and monitor for anomalous authentication activity whilst the patch is deployed.

Original advisory: CVE-2026-49164 Windows Active Directory Domain Services Remote Code Execution Vulnerability