TL;DR: A Critical Windows DHCP tampering flaw, CVE-2026-45602, carries a 9.1 CVSS score and a 48 percent EPSS exploitation probability, according to Senserva, making pre-KEV patching the practical priority for exposed Windows Server and Windows 10 1809 estates. The issue underscores how network control-plane weaknesses can turn routine patching into identity and routing governance work, not just vulnerability hygiene.
At a glance
What this is: This is a Critical Windows DHCP tampering vulnerability, CVE-2026-45602, with a 9.1 CVSS score and a 48 percent EPSS exploitation probability that makes early patching the clear priority.
Why it matters: It matters because DHCP integrity influences how clients receive network configuration, so a flaw here can undermine trust in traffic routing and adjacent access controls across Windows estates.
By the numbers:
- CVE-2026-45602 has a CVSS base score of 9.1.
- The exploit probability is already at 48 percent.
👉 Read Senserva's analysis of CVE-2026-45602 and June Patch Tuesday
Context
Windows DHCP is a control-plane service, not just a utility. It assigns IP addresses, gateways, and DNS settings, so tampering at this layer can steer traffic and disrupt trust across the network before an endpoint ever detects a problem. For identity and access teams, that matters because access decisions often depend on a stable network baseline.
The article's core point is that patch timing is now a governance decision, not a housekeeping task. When a high-scoring flaw also shows elevated exploitation probability, teams need to treat remediation as an exposure-window problem, especially on long-lived Windows Server and workstation builds that anchor shared infrastructure.
Key questions
Q: What breaks when a Windows DHCP tampering flaw is left unpatched?
A: An attacker who can tamper with DHCP responses can influence how clients receive network configuration, which can redirect traffic, distort DNS resolution, or disrupt service reachability. The failure is at the trust boundary, not the endpoint. That is why early patching matters more than waiting for confirmation of active exploitation.
Q: Why do high EPSS scores matter for vulnerability prioritisation?
A: EPSS adds a likelihood lens that CVSS does not provide. A high score means attackers are more likely to exploit the issue in the near term, so remediation should move ahead of lower-probability vulnerabilities with similar severity. It helps teams spend limited patch capacity where exposure is most likely to convert into compromise.
Q: How do security teams know whether patching is keeping up with real risk?
A: Patching is keeping up only when the most recently exploited vulnerabilities are being closed quickly and the backlog of exposed assets is shrinking. Age-based patch metrics are not enough. Teams should measure time to remediate KEV items, exposure on internet-facing systems, and repeat findings across the same asset classes.
Q: Who is accountable when critical patches miss their service level agreement?
A: Accountability should be shared across security, operations, and application owners, but it must be explicit in policy. If SLAs are missed repeatedly, the issue is no longer just a technical backlog. It becomes a governance failure that requires escalation, exception approval, and executive visibility until the exposure is closed.
Technical breakdown
Why DHCP tampering is a control-plane issue
DHCP supplies the network parameters devices use to join and communicate, including IP address, gateway, and DNS configuration. If an attacker can tamper with that exchange, they can redirect traffic, disrupt name resolution, or shape how endpoints reach services without needing endpoint code execution. That makes the weakness more than a local bug. It becomes a trust failure in the network's addressing and routing layer, where a single compromised response can influence many clients at once.
Practical implication: validate DHCP integrity and patch server-side components before attackers can influence network configuration at scale.
How CVSS and EPSS together change prioritisation
CVSS measures likely impact if exploitation succeeds, while EPSS estimates the probability of exploitation in the near term. Used together, they help distinguish high-severity issues that are merely theoretical from those likely to attract immediate attacker attention. A 9.1 score with a 48 percent EPSS profile is not a backlog item. It is a patch-now signal, particularly when the affected systems sit on core infrastructure paths.
Practical implication: use both severity and exploitability to drive patch order, not CVSS alone.
Why configuration drift turns a patched estate back into a risk
A vulnerability fix only reduces exposure if the update lands everywhere and the system stays aligned with the intended baseline. Configuration drift occurs when exceptions, missed deployments, or later changes move systems away from that baseline over time. For network services, that is especially dangerous because a single unpatched server can remain authoritative for many clients. Continuous verification matters more than one-time remediation.
Practical implication: pair patching with continuous compliance checks so vulnerable hosts do not re-enter the trusted set.
Threat narrative
Attacker objective: The attacker aims to steer network traffic and weaken client trust in routing and name resolution without compromising each endpoint individually.
- Entry occurs when an attacker targets the Windows DHCP component and manipulates DHCP responses rather than attacking individual endpoints.
- Escalation happens because the tampered network configuration can influence how multiple devices resolve gateways or DNS, expanding control across the environment.
- Impact follows when traffic is redirected, service reachability is altered, or downstream trust assumptions in the network stack are undermined.
Breaches seen in the wild
- Gladinet Hard-Coded Keys RCE Exploitation — Actively exploited hard-coded keys in Gladinet CentreStack and Triofox enable remote code execution.
- Gravity SMTP CVE-2026-4020 API Keys Exposure — CVE-2026-4020 in Gravity SMTP exposes API keys via single HTTP request across 100,000 WordPress sites.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
DHCP tampering is a trust boundary problem, not just a vulnerability item. When a core network service can be influenced, the attacker does not need to own every endpoint to shape enterprise behaviour. That makes the weakness relevant to identity and access programmes because network trust often underpins where authentication, policy enforcement, and service reachability succeed or fail. Practitioners should treat this as control-plane governance, not isolated server patching.
Exposure-window management is the real control gap here. The article's emphasis on EPSS is the right one because high likelihood matters more than abstract severity when remediation capacity is finite. The named concept here is pre-KEV exposure window: the period when a vulnerability is already attractive to attackers but has not yet entered the public known-exploited catalogue. Teams that wait for KEV are accepting avoidable risk.
Configuration drift converts one successful remediation into recurring exposure. The problem is not only whether the update exists, but whether the affected Windows builds remain aligned with the intended baseline after exceptions, missed rings, or delayed maintenance. That is a recurring governance failure in operational environments, and it argues for continuous verification over monthly patch rituals. Practitioners should measure drift as aggressively as they measure patch coverage.
Identity programmes should care because network integrity controls the conditions under which identity controls work. If routing, DNS, or gateway trust can be manipulated, downstream identity checks may still function while the environment they protect is already being shaped by an attacker. This is where NIST CSF and access-control thinking intersect with infrastructure resilience. Practitioners should align patch governance with trust-boundary assurance, not treat them as separate workstreams.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- From our research: 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- For related analysis: Read The 52 NHI breaches Report for real-world cases that show how exposed credentials and over-privilege turn into compromise.
What this signals
Pre-KEV exposure window: teams should treat high-EPSS critical flaws as a separate governance class, because waiting for public exploitation confirmation leaves too little time to reduce exposure. The operational signal is simple: if the asset is core infrastructure and the likelihood score is already high, patching should outrun normal change cadence.
Network trust failures often cascade into identity governance because authentication, authorization, and service reachability depend on stable routing and naming. The practical response is to align vulnerability management with trust-boundary assurance and to monitor any control plane that can alter how users or workloads arrive at services.
For practitioners running identity-heavy programmes, the lesson is to connect patch SLAs to control criticality. Where DHCP, DNS, and gateway trust support access pathways, missed updates are not generic hygiene issues. They are potential enablers of broader access disruption, so they belong in the same risk review as privileged identity gaps.
For practitioners
- Prioritise high-EPSS critical patches first Move CVE-2026-45602 into the front of the patch queue for any Windows Server 2019 or Windows 10 Version 1809 systems, especially hosts that provide or depend on DHCP. Use exploit probability and asset role together, then verify closure before the next maintenance window.
- Verify DHCP server coverage after deployment Confirm that the June 2026 cumulative update landed on every exposed build through Windows Update, WSUS, Intune, or the Microsoft Update Catalog. Do not rely on one successful ring, because drift and missed exceptions can leave a single authoritative server unpatched.
- Audit network trust dependencies around DHCP Map which segments, servers, and identity-critical services rely on DHCP integrity for routing or name resolution. Where those dependencies are high, add compensating monitoring for unexpected DHCP behaviour and treat changes to server role membership as a control event.
- Track configuration drift continuously Baseline the patched state for affected Windows systems and compare it continuously against live configuration. If a server falls out of compliance, remediate before the gap becomes visible to auditors or exploitable by an attacker.
Key takeaways
- CVE-2026-45602 is dangerous because it attacks a trust boundary that shapes network behaviour, not just a single endpoint.
- A 9.1 CVSS score and 48 percent EPSS estimate place this flaw in the patch-now category before any KEV listing appears.
- Continuous drift monitoring is the control that turns a one-time fix into lasting risk reduction for shared Windows infrastructure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.IP-12 | Patch governance and drift control are central to this Windows vulnerability analysis. |
| NIST SP 800-53 Rev 5 | SI-2 | SI-2 covers flaw remediation for the affected Windows components. |
| CIS Controls v8 | CIS-7 , Continuous Vulnerability Management | The article is fundamentally about prioritising and closing a high-risk vulnerability quickly. |
| MITRE ATT&CK | TA0007 , Discovery; TA0001 , Initial Access | DHCP tampering supports reconnaissance and network influence that can precede broader abuse. |
Map the weakness to ATT&CK and watch for traffic-shaping behaviour around network configuration.
Key terms
- DHCP Tampering: DHCP tampering is interference with the process that assigns network settings such as IP address, gateway, and DNS. When an attacker can alter those responses, they can change how devices reach services, making the network layer itself part of the attack surface.
- Exploit Prediction Scoring System: A daily-updated score that estimates the likelihood a vulnerability will be exploited in the near term. It does not replace severity scoring, but it adds probability context that helps teams order work before exploitation becomes widespread.
- Configuration Drift: Configuration drift is the gradual divergence between a system's intended secure state and the settings it actually runs with over time. In SaaS, drift often appears when admins change sharing, logging, or access controls under pressure and never return to validate the result.
What's in the full analysis
Senserva's full analysis covers the operational detail this post intentionally leaves for the source:
- Exact KB mappings for each affected Windows build and delivery path
- Live exploitation-status tracking across Microsoft, CISA, and FIRST.org data feeds
- Patch prioritisation workflow using CVSS, EPSS, and KEV together
- The accompanying vulnerability management tracker and related update pages
👉 Senserva's full post covers the KB list, exploitability signals, and patch tracking details
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps security practitioners connect identity controls to the wider operational risks that shape real-world exposure.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org