Microsoft fixes Windows CTFMON zero-day that can give attackers SYSTEM privileges

Microsoft has fixed a Windows Collaborative Translation Framework vulnerability that could let a local attacker gain SYSTEM privileges on an affected Windows device.

The flaw is tracked as CVE-2026-45586 and was addressed in Microsoft’s June 9, 2026 security updates. The Microsoft advisory describes it as an elevation of privilege issue in Windows Collaborative Translation Framework, also known through the CTFMON process.

This matters because the bug does not give attackers initial access by itself. Instead, it can help someone who already has low-level access to a Windows machine move up to SYSTEM, which is one of the highest privilege levels on Windows.

What CVE-2026-45586 does

CVE-2026-45586 stems from improper link resolution before file access, often described as unsafe link following. The CVE record says the issue allows an authorized attacker to elevate privileges locally through Windows Collaborative Translation Framework.

Microsoft rated the vulnerability as Important, with a CVSS score of 7.8. According to Qualys’ June 2026 Patch Tuesday review, successful exploitation may allow an attacker to gain SYSTEM privileges.

The Zero Day Initiative also listed CVE-2026-45586 among the publicly disclosed vulnerabilities fixed this month. Its June 2026 Security Update Review lists the flaw as public, not exploited, and categorized as an elevation of privilege vulnerability.

CVE	CVE-2026-45586
Component	Windows Collaborative Translation Framework, CTFMON
Vulnerability type	Elevation of privilege
Bug class	Improper link resolution before file access
Severity	Important
CVSS score	7.8
Attack requirement	Local access with low privileges
Publicly disclosed	Yes
Exploited in attacks at release	No public exploitation listed in major Patch Tuesday tracking

Why administrators should prioritize the patch

Privilege escalation flaws often become useful after phishing, malware infection, stolen credentials, or abuse of an exposed remote access tool. An attacker who starts with a standard user account may use a local elevation bug to take fuller control of the endpoint.

That is why CVE-2026-45586 deserves attention even though it is not a remote code execution flaw. BleepingComputer’s Patch Tuesday coverage reported that Microsoft patched the CTFMON issue as a publicly disclosed zero-day that can grant SYSTEM privileges.

The vulnerability also arrived in a large June Patch Tuesday release. Qualys counted 206 Microsoft vulnerabilities in the June 2026 updates, including 33 critical and 167 important-severity issues.

Affected Windows versions and update packages

The fix is available through Microsoft’s June 2026 cumulative updates and security rollups. Organizations should verify patch deployment across Windows clients, servers, virtual desktops, and systems that rely on extended security updates.

Patch tracking from ManageEngine shows CVE-2026-45586 being addressed across supported Windows 10, Windows 11, and Windows Server versions, including the Windows 11 KB5093998, KB5094126, and KB5095051 cumulative updates.

Platform	June 2026 update package
Windows 11 version 23H2	KB5093998
Windows 11 versions 24H2 and 25H2	KB5094126
Windows 11 version 26H1	KB5095051
Windows 10 versions 21H2 and 22H2	KB5094127
Windows 10 version 1607 and Windows Server 2016	KB5094122
Windows 10 version 1809 and Windows Server 2019	KB5094123
Windows Server 2022 and Microsoft server operating system version 21H2	KB5094128
Microsoft server operating system version 24H2	KB5094125
Windows Server 2012 and Windows Server 2012 R2 under ESU	KB5094042 and KB5094041

What defenders should do now

Administrators should install the June 2026 Windows security updates as soon as practical, especially on shared workstations, jump boxes, Remote Desktop hosts, developer machines, and servers where a local privilege escalation bug could make an existing intrusion worse.

The CVE-2026-45586 page remains the main Microsoft source for the advisory, affected products, severity rating, and update guidance. Security teams should use it to confirm which systems need the fix.

• Check that June 2026 cumulative updates have installed successfully.
• Prioritize internet-facing servers and systems used by administrators.
• Review endpoint alerts involving ctfmon.exe, unusual child processes, or suspicious link creation in user-writable folders.
• Harden local user permissions where possible.
• Investigate any low-privilege account activity that attempts to run tools from temporary folders or profile paths.

Security teams should also avoid treating this bug as a standalone compromise path. The more realistic risk is attack chaining, where an intruder first gains access through another method and then uses a local elevation flaw to expand control.

How CVE-2026-45586 fits into June Patch Tuesday

June 2026 was a heavy Patch Tuesday for Microsoft products. BleepingComputer reported that the month’s updates fixed six zero-day vulnerabilities and 200 flaws overall, while other security vendors counted the release differently based on which products and bundled components they included.

For CVE-2026-45586 specifically, the key point is simpler. The CVE Program entry identifies the issue as a local privilege escalation bug in Windows Collaborative Translation Framework caused by link following.

The Zero Day Initiative review also shows the flaw as publicly disclosed before patch availability and not exploited at the time of its June Patch Tuesday analysis.

That makes the June updates important for both home users and enterprises. For businesses, the greater concern is lateral movement and post-exploitation activity. For individual users, the most practical step is to install the latest Windows updates and restart the device when prompted.

FAQ