CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 10, 2026

Windows Collaborative Translation Framework 0-Day Vulnerability Allows Privilege Escalation

Cybersecurity News Archived Jun 10, 2026 ✓ Full text saved

Windows administrators should quickly deploy Microsoft’s June 9, 2026 security updates to fix a newly disclosed zero‑day in the Windows Collaborative Translation Framework (CTFMON), tracked as CVE‑2026‑45586. The flaw allows a local attacker with low privileges to escalate to SYSTEM, making it a valuable post‑exploitation primitive for threat actors. Windows CTF 0-Day Vulnerability CVE‑2026‑45586 is […] The post Windows Collaborative Translation Framework 0-Day Vulnerability Allows Privilege Esc

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Windows Collaborative Translation Framework 0-Day Vulnerability Allows Privilege Escalation By Abinaya June 10, 2026 Windows administrators should quickly deploy Microsoft’s June 9, 2026 security updates to fix a newly disclosed zero‑day in the Windows Collaborative Translation Framework (CTFMON), tracked as CVE‑2026‑45586. The flaw allows a local attacker with low privileges to escalate to SYSTEM, making it a valuable post‑exploitation primitive for threat actors. Windows CTF 0-Day Vulnerability CVE‑2026‑45586 is an elevation-of-privilege vulnerability in the Windows Collaborative Translation Framework, which is implemented by the CTFMON process used for text, voice, and handwriting input. The underlying bug is classified as CWE‑59: Improper Link Resolution Before File Access, also known as unsafe “link following.” Because of this weakness, CTFMON can be tricked into following attacker‑controlled links and accessing or executing files with elevated privileges. Microsoft assigned the issue an “Important” severity rating and a CVSS v3.1 base score of 7.8, with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the attack is local, low-complexity, requires only low privileges, and does not require user interaction, but can severely impact confidentiality, integrity, and availability. Microsoft confirms that CVE‑2026‑45586 was publicly disclosed before a patch was available, so it is treated as a zero‑day. At the time of release, there were no reports of in‑the‑wild exploitation, but Microsoft’s exploitability index rates it as “Exploitation More Likely.” Several Patch Tuesday analyses call out this CTFMON bug as one of the key zero‑days in the June 2026 batch. If successfully exploited, the vulnerability allows an attacker to gain full SYSTEM privileges. This makes it particularly useful for attackers who already have an initial foothold via phishing, malware, or stolen credentials and are looking to move from a standard user context to complete control of the endpoint. CVE‑2026‑45586 affects a broad range of supported Windows client and server versions, including Windows 10, Windows 11, and Windows Server families. Microsoft has released patches for Windows Server 2012 and 2012 R2, Windows Server 2016, 2019, 2022, and 2025, as well as Windows 10 Versions 1607, 1809, 21H2, 22H2, and Windows 11 Versions 23H2, 24H2, 25H2, and 26H1 on x64 and ARM64 where applicable. Each platform is remediated via a specific KB, such as KB5094041/KB5094042 (Server 2012/2012 R2), KB5094122 (Windows 10 1607/Server 2016), KB5094123 (Windows 10 1809/Server 2019), KB5094128 (Server 2022), KB5094127 (Windows 10 21H2/22H2), KB5093998, KB5094126, KB5095051, and KB5094125 for Windows 11 and Windows Server 2025 variants. Microsoft lists these as official fixes with confirmed report confidence. The attack abuses unsafe link‑following in CTFMON’s file handling, allowing malicious links (such as symbolic links or junctions) in user‑writable paths to redirect privileged file operations toward attacker‑controlled locations. Once chained correctly, this can lead to arbitrary code execution as SYSTEM from a low‑privilege context. Security vendors are already publishing signatures, rules, and guidance for this vulnerability as part of their June 2026 Patch Tuesday coverage. Until patches are fully deployed, defenders should closely monitor CTFMON activity, abnormal process trees from low‑privilege users, and suspicious link creation in user‑writable directories, while prioritizing rapid patch rollout on high‑value servers and endpoints. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News UniFi OS Server Critical RCE Chain Allows Root Access Without Credentials OWASP CVE Lite CLI – New Tool to Scan for Vulnerabilities in Your Projects CISA Warns of critical Magento Cache Warmer RCE flaw Exploited in Attacks Slow Triage Is Raising Business Risk. Here’s How SOC Teams Cut Investigation Time  Anthropic’s Claude Oceanus-v1-p Opens to Red Team Testing, but Distribution is Compromised Latest News ANY.RUN Slow Triage Is Raising Business Risk. Here’s How SOC Teams Cut Investigation Time  Cyber Security News Windows RDP Vulnerabilities Allow Attacker to Expose Sensitive Data Cyber Security News Critical OpenSSL Vulnerabilities Enable Remote Code Execution Attacks Press Release Cloud Security Report Finds Fragmented Tools Widening the Cloud Complexity Gap Cyber Security News 73 Microsoft Packages Weaponized to Deploy Password Stealer Malware
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 10, 2026
    Archived
    Jun 10, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗