Windows administrators are being urged to apply Microsoft’s June 9, 2026 security updates immediately after the disclosure of a dangerous zero-day vulnerability in the Windows Collaborative Translation Framework (CTF), tracked as CVE-2026-45586. The flaw allows a local attacker with only low-level privileges to escalate directly to SYSTEM — one of the most powerful access levels on any Windows machine.
What Is the Windows Collaborative Translation Framework?
The Windows Collaborative Translation Framework, implemented through the CTFMON process, handles text input services including keyboard, voice recognition, and handwriting on Windows systems. It runs silently in the background on virtually every Windows installation, making it an attractive and wide-reaching target for attackers looking to escalate privileges after gaining initial access to a machine.
CVE-2026-45586 affects an unsafe link-following behavior (classified as CWE-59: Improper Link Resolution Before File Access) in this component. When CTFMON processes file operations, it can be tricked into following attacker-controlled symbolic links or junctions, redirecting those privileged operations to attacker-chosen locations. This is enough to enable arbitrary code execution under the SYSTEM account.
CVSS Score and Exploitability
Microsoft assigned this vulnerability an “Important” severity rating with a CVSS v3.1 base score of 7.8, using the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Breaking this down:
- Local attack vector — the attacker needs to be on the machine, but not remotely
- Low complexity — no specialized knowledge required to exploit
- Low privileges required — a standard user account is sufficient
- No user interaction — the victim does not need to click anything
- High impact on Confidentiality, Integrity, and Availability
Crucially, Microsoft confirmed that this vulnerability was publicly disclosed before a patch was available, making it a true zero-day. While there were no confirmed in-the-wild exploitations at the time of the patch, Microsoft rates it as “Exploitation More Likely” — a strong signal that threat actors will move quickly to weaponize it.
Who Is Affected?
The vulnerability affects a broad range of supported Windows versions:
- Windows 10 (versions 1607, 1809, 21H2, 22H2)
- Windows 11 (versions 23H2, 24H2, 25H2, 26H1)
- Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025
In short: if you run a supported Windows environment, you are likely affected and should patch immediately.
Attack Chain: From Low-Privileged User to SYSTEM
The attack exploits CTFMON’s file handling routines. Because the process runs with elevated privileges and does not safely validate path resolution, an attacker who places a malicious symbolic link or junction in a user-writable directory can cause CTFMON to access or execute files it was never supposed to touch. The chain works like this:
- Attacker gains initial access via phishing, malware, or stolen credentials
- Attacker creates a malicious symbolic link in a user-writable directory
- CTFMON follows the link, performing privileged file operations on attacker-controlled data
- Attacker achieves arbitrary code execution as SYSTEM
This makes CVE-2026-45586 an ideal post-exploitation primitive — it is not typically used to gain initial access, but it dramatically amplifies what an attacker can do once they are inside.
Patches and Recommended Actions
Microsoft released patches on June 9, 2026 as part of the June 2026 Patch Tuesday update. The relevant knowledge base articles include KB5094041/KB5094042 (Server 2012/2012 R2), KB5094122 (Windows 10 1607/Server 2016), KB5094123 (Windows 10 1809/Server 2019), KB5094128 (Server 2022), KB5094127 (Windows 10 21H2/22H2), and KB5093998/KB5094126/KB5095051/KB5094125 for Windows 11 and Server 2025 variants.
Until fully patched, defenders should:
- Monitor CTFMON process activity for anomalous behavior
- Watch for unexpected process trees spawned from low-privilege user contexts
- Detect suspicious symbolic link or junction creation in user-writable paths
- Prioritize patching on high-value servers and critical endpoints
Security vendors are publishing detection signatures and Sigma/YARA rules as part of their June 2026 Patch Tuesday coverage. Given the “Exploitation More Likely” rating and public disclosure before the patch, organizations should treat this as a high-priority update and deploy it without delay.