All posts

CVE-2026-45602: Windows DHCP Flaw, Patch First

Microsoft's June 2026 Patch Tuesday quietly shipped one of the most consequential fixes of the quarter: CVE-2026-45602, a Critical Windows DHCP tampering vulnerability with a CVSS base score of 9.1. It is not in CISA's Known Exploited Vulnerabilities catalog as of this writing, and that is exactly why it belongs at the top of your patch list: the exploit probability is already at 48 percent, and the best time to patch is before a CVE earns its KEV entry, not after.

What CVE-2026-45602 is

CVE-2026-45602 is a tampering vulnerability in the Windows Dynamic Host Configuration Protocol (DHCP) component. DHCP is the service that hands every device on your network its IP address, gateway, and DNS servers; it is the network's source of truth for who talks to whom. A tampering flaw in that layer is Severity Critical by nature, because an attacker who can interfere with DHCP answers can influence how traffic moves through the network without touching a single endpoint.

Three facts frame the urgency:

  • CVSS 9.1 (Critical). Near the top of the scale for impact.
  • EPSS 48 percent. FIRST.org's Exploit Prediction Scoring System puts the probability that this CVE is exploited in the next 30 days at roughly a coin flip. For context, most CVEs sit under 1 percent; anything above 10 percent is unusually high.
  • Not yet in the CISA KEV catalog. No confirmed in-the-wild exploitation so far. That is the window. Once a CVE joins the known exploited vulnerabilities list, you are patching behind attackers instead of ahead of them.

Who is affected

The affected products are the long-lived branch many organizations still run in production:

  • Windows Server 2019
  • Windows 10 Version 1809 (32-bit and x64)

These are exactly the builds that tend to live on domain controllers, file servers, and operational infrastructure: the machines most likely to be running the DHCP Server role or sitting on networks where DHCP integrity matters most.

The Patch Tuesday updates that fix it

Microsoft fixed CVE-2026-45602 across the June 2026 Patch Tuesday cumulative updates. Depending on your build, the fixing update is one of: KB5093998, KB5094041, KB5094042, KB5094122, KB5094123, KB5094125, KB5094126, KB5094127, KB5094128, or KB5095051.

Delivery is the usual set of paths: Windows Update, WSUS, Microsoft Intune, or a direct download from the Microsoft Update Catalog. Each KB link above goes to our live page for that update, with the full CVE list it fixes, its Severity breakdown, and its exploitation status, refreshed daily.

How to prioritize it (and everything else this month)

Patch prioritization comes down to three signals, and they answer different questions:

  • CVSS measures how bad exploitation would be. CVE-2026-45602 scores 9.1: near the top of the scale.
  • EPSS measures how likely exploitation is in the next 30 days. At 48 percent, this CVE is in the top tier of attacker interest.
  • CISA KEV confirms exploitation already happening. This one is not listed yet.

High CVSS plus high EPSS plus no KEV entry is the patch-now profile: maximum damage potential, high attacker interest, and a head start still available. Our free Microsoft patch tracker ranks every current KB by exactly this blend, our exploited this week page lists every new KEV catalog addition across all vendors, and the hottest CVEs and patches page shows where real-world attention is concentrating right now, including this CVE.

Patch it, then keep it patched

One patch cycle does not end the story. Configurations drift, exceptions accumulate, and a server that was compliant in June can quietly miss its update ring by September. That is configuration drift, and it is how patched environments become unpatched ones without anyone deciding it. Continuous drift management closes that loop: baseline what patched-and-configured looks like, detect divergence continuously, and remediate before an auditor or an attacker finds the gap.

For the broader practice, our guide to CVE and vulnerability management for Microsoft 365 covers how to run this as a repeatable weekly motion rather than a monthly scramble.

The bottom line

CVE-2026-45602 has the three ingredients that make a vulnerability worth interrupting your week for: a Critical 9.1 score, a 48 percent exploit probability, and an installed base full of long-lived Windows Server 2019 and Windows 10 1809 machines. The June Patch Tuesday updates fix it. Deploy them, verify the deployment landed everywhere, and let the trackers watch for the day this one shows up in the known exploited vulnerabilities catalog. If you patched now, that day will be someone else's emergency.

Live status for this vulnerability, including its CISA KEV status and EPSS trend, is always current on the CVE-2026-45602 detail page, refreshed multiple times daily from MSRC, CISA, and FIRST.org data.

All posts

Patching across Intune, Windows Autopatch, Defender, Azure, and your endpoint managers: see Senserva patching in action.