CVE-2026-47291, the wormable HTTP.sys remote code execution vulnerability from the June 2026 Patch Tuesday, is in the HTTP/2 parser of the kernel-mode Windows HTTP driver. Understanding exactly where HTTP.sys is exposed helps enterprise teams prioritise patching and configure compensating network controls.
The HTTP.sys Attack Surface Map
HTTP.sys is not just IIS. It is the kernel component underlying all HTTP-based Windows services:
| Service | Default Install | HTTP/2 Enabled | Typical Port |
|---|---|---|---|
| Internet Information Services (IIS) | Optional (common on servers) | Yes (2016+) | 80, 443 |
| Exchange Server 2016/2019/2025 | Yes | Yes | 443 |
| SharePoint Server | Yes | Yes | 80, 443 |
| Windows Admin Center | Optional | Yes | 443 |
| WSUS (Windows Server Update Services) | Optional | Yes | 8530, 8531 |
| Windows Remote Management (WinRM) | Optional (enabled by policy) | Yes | 5985, 5986 |
| Azure Arc Agent | Present on Arc-managed servers | Yes | Local + proxied |
| Remote Desktop Gateway | Optional | Varies | 443 |
Key finding: Every Windows Server running Exchange, SharePoint, or IIS is exposed to CVE-2026-47291 on port 443 from any network that can reach those services. This is typically the entirety of the enterprise intranet and, for internet-facing deployments, the entire internet.
Worm Propagation Mechanics
A wormable vulnerability does not require an attacker to manually enumerate and exploit each target. The self-propagation path for CVE-2026-47291 would function as follows:
- Initial compromise: Attacker exploits CVE-2026-47291 on one reachable Windows Server, achieving SYSTEM privilege
- Network enumeration: From the compromised host, the worm enumerates the network for additional HTTP.sys targets (port scanning 80/443/8530/5985 across accessible subnets)
- Propagation: For each reachable target with an HTTP/2 service, the worm sends the malicious HTTP/2 payload — achieving SYSTEM on each target
- Payload delivery: On each compromised host, the worm deploys the primary payload (ransomware, credential stealer, backdoor, or further propagation agent)
The speed of this propagation depends only on network bandwidth and the number of reachable targets. In a flat enterprise network with hundreds of Windows Servers, propagation from a single initial compromise to complete domain-wide SYSTEM compromise could occur in minutes.
Network Controls as Compensating Measures
For environments where immediate patching is not achievable for all HTTP.sys-exposed servers, network segmentation controls reduce the blast radius of an initial compromise:
WAF/Reverse Proxy HTTP/2 termination: Place a web application firewall or reverse proxy (e.g., Azure Front Door, Cloudflare, F5 BIG-IP, NGINX) in front of all internet-facing IIS, Exchange, and SharePoint servers that terminates HTTP/2 at the proxy and proxies requests to the backend over HTTP/1.1. If the WAF terminates HTTP/2, the malformed HTTP/2 payload never reaches HTTP.sys on the backend servers. Verify your WAF terminates rather than passes through HTTP/2 before relying on this control.
Internal micro-segmentation: Block direct server-to-server HTTP connections between server VLANs and user VLANs where HTTP traffic is not expected. This does not prevent initial exploitation but prevents the worm from propagating from a compromised server to other servers via HTTP.
Disable HTTP/2 on internal services: For internal Windows services (WinRM, WSUS, Windows Admin Center) that do not require HTTP/2 for performance or client compatibility, disable HTTP/2 via the registry:
```powershell
# Both values live under the HTTP.sys parameters key; 0 disables the feature.
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" `
    -Name "EnableHttp2Tls" -Value 0 -Type DWord
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" `
    -Name "EnableHttp2Cleartext" -Value 0 -Type DWord
Restart-Service W3SVC, WinRM -Force
# HTTP.sys is a kernel driver and reads these values when the driver starts, so restarting
# the consuming services alone does not apply them. Reboot the server in a maintenance
# window (Restart-Computer) for the change to take effect, then verify with Get-ItemProperty.
```
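The attack-surface table, the WAF termination check, and the HTTP/2 registry switches above all lend themselves to a host-side check. The following PowerShell is an added example, not code from the original article or from Microsoft: it lists the ports HTTP.sys is listening on (its sockets are owned by PID 4, the System process), reports whether EnableHttp2Tls and EnableHttp2Cleartext are set, and shows which HTTP version a given endpoint negotiates via curl.exe. The function names, the port-to-service mapping (a heuristic drawn from the table) and the backend hostname in the usage line are assumptions for this example.

```powershell
# Added example (not from the original article): inventory the HTTP.sys listeners on this host,
# report the HTTP/2 registry switches used by the mitigation above, and test which HTTP version
# an endpoint negotiates. Assumes Windows Server 2016 or later, the built-in NetTCPIP module,
# and curl.exe (shipped with Windows since Server 2019). Run from an elevated session.

$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-HttpSysListener {
    # HTTP.sys owns its sockets from kernel mode, so they show up with OwningProcess 4
    # (the System process). That distinguishes them from user-mode servers such as Apache.
    $listeners = Get-NetTCPConnection -State Listen -OwningProcess 4 -ErrorAction SilentlyContinue |
        Sort-Object LocalAddress, LocalPort -Unique
    foreach ($l in $listeners) {
        # Map well-known ports to the services in the attack-surface table (a heuristic, not proof).
        $service = switch ($l.LocalPort) {
            80      { 'IIS / SharePoint (HTTP)' }
            443     { 'IIS / Exchange / SharePoint / RD Gateway / WAC (HTTPS)' }
            5985    { 'WinRM (HTTP)' }
            5986    { 'WinRM (HTTPS)' }
            8530    { 'WSUS (HTTP)' }
            8531    { 'WSUS (HTTPS)' }
            default { 'Other HTTP.sys consumer (see: netsh http show servicestate)' }
        }
        [pscustomobject]@{
            LocalAddress  = $l.LocalAddress
            LocalPort     = $l.LocalPort
            LikelyService = $service
        }
    }
}

function Convert-Http2Flag {
    param($Value)
    # Both switches default to enabled when the value is absent.
    if ($null -eq $Value) { return 'enabled (default, value not set)' }
    if ($Value -eq 0)     { return 'disabled' }
    return 'enabled'
}

function Get-HttpSysHttp2State {
    $props = Get-ItemProperty -Path $HttpParams -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Http2OverTls   = Convert-Http2Flag $props.EnableHttp2Tls
        Http2Cleartext = Convert-Http2Flag $props.EnableHttp2Cleartext
        Note           = 'HTTP.sys reads these at driver start; reboot after changing them'
    }
}

function Test-NegotiatedHttpVersion {
    param([Parameter(Mandatory)][string]$Url)
    # curl prints the negotiated protocol: "2" for HTTP/2, "1.1" for HTTP/1.1.
    # -k tolerates internal certificates not trusted by this host (assumption about the environment).
    $version = (& curl.exe -sS -k --http2 -o NUL -w '%{http_version}' $Url 2>$null | Out-String).Trim()
    [pscustomobject]@{
        Url               = $Url
        NegotiatedVersion = $version
        Http2Accepted     = ($version -eq '2')
    }
}

# Usage:
Get-HttpSysListener | Format-Table -AutoSize
Get-HttpSysHttp2State
# Test-NegotiatedHttpVersion -Url 'https://backend01.corp.example/'   # hypothetical backend name
```

Test-NegotiatedHttpVersion only tells you what the endpoint you point it at will negotiate. Run it against the public name from outside the WAF (the proxy should answer) and against the backend directly from a management host: if the backend still reports 2, anything that can reach it on the internal network talks HTTP/2 to HTTP.sys, which is the case the micro-segmentation control addresses. Whether the proxy-to-backend leg itself uses HTTP/1.1 is confirmed in the proxy configuration or in the backend's request logs, not with this check.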
Monitoring for Exploitation Attempts
Until patched, monitor for exploitation indicators:
Network monitoring: Alert on unusual HTTP/2 connection patterns from external IP addresses, specifically connection attempts that result in immediate connection resets or that carry unusual content-length or stream-ID values. Exploitation attempts against CVE-2026-47291 will involve malformed HTTP/2 frames that deviate from the specification.
Windows Event Log: HTTP.sys errors are logged to the System event log (source: HTTP). Unusual error spikes, particularly around HTTP/2 protocol parsing, may indicate exploitation attempts.
Process monitoring: Post-exploitation activity from HTTP.sys will manifest as unusual child processes spawned by the IIS worker process (w3wp.exe) or by the System process (HTTP.sys runs in the kernel and has no process of its own). Alert on processes with parent svchost.exe or w3wp.exe that create network connections or write to sensitive file paths.
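The event-log and process indicators above can be checked on a host directly. The following PowerShell is an added example, not code from the original article: one function buckets HTTP.sys events from the System log by hour and flags hours well above the median, the other lists current children of the IIS worker process and marks those that hold a network connection or are shell-like. The spike factor, the shell-like process list, the function names, and the inclusion of the Microsoft-Windows-HttpEvent provider name as an alternative to the "HTTP" source are assumptions for this example.

```powershell
# Added example (not from the original article): point-in-time checks for two of the
# indicators above: a spike in HTTP.sys errors in the System log, and unexpected children of
# the IIS worker process. Assumes Windows Server 2016 or later and an elevated session.
# The spike factor and the list of shell-like child names are illustrative assumptions.

function Get-HttpSysErrorSpike {
    param(
        [int]$LookbackHours = 24,
        [double]$SpikeFactor = 3.0    # flag an hour with more than SpikeFactor x the median hourly count
    )
    $since = (Get-Date).AddHours(-$LookbackHours)
    # HTTP.sys events appear in the System log under source "HTTP"; the manifest provider name
    # Microsoft-Windows-HttpEvent is tried as well (assumption: either may be what the host reports).
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = @('HTTP', 'Microsoft-Windows-HttpEvent')
            StartTime    = $since
        } -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) { return @() }

    $buckets  = $events | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } | Sort-Object Name
    $counts   = @($buckets | ForEach-Object { $_.Count } | Sort-Object)
    $median   = $counts[[int][math]::Floor($counts.Count / 2)]
    $baseline = [math]::Max($median, 1)

    foreach ($b in $buckets) {
        if ($b.Count -gt $SpikeFactor * $baseline) {
            [pscustomobject]@{
                Hour     = $b.Name
                Count    = $b.Count
                Baseline = $baseline
                EventIds = (($b.Group | Select-Object -ExpandProperty Id -Unique) -join ',')
            }
        }
    }
}

function Get-WebWorkerChildProcess {
    # svchost.exe can be added to the parent list, but it parents many legitimate processes.
    param([string[]]$ParentNames = @('w3wp.exe'))
    $shellLike = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                   'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe')
    $procs = @(Get-CimInstance -ClassName Win32_Process)
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    $parentIds = @($procs | Where-Object { $ParentNames -contains $_.Name } |
                   ForEach-Object { [int]$_.ProcessId })
    # PIDs that currently own a TCP connection (listening or established).
    $netPids = @(Get-NetTCPConnection -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty OwningProcess -Unique)

    foreach ($c in $procs) {
        $ppid = [int]$c.ParentProcessId
        if ($parentIds -notcontains $ppid) { continue }
        [pscustomobject]@{
            Parent      = $byPid[$ppid].Name
            ParentPid   = $ppid
            Child       = $c.Name
            ChildPid    = $c.ProcessId
            CommandLine = $c.CommandLine
            HasNetwork  = ($netPids -contains [int]$c.ProcessId)
            ShellLike   = ($shellLike -contains "$($c.Name)".ToLower())
        }
    }
}

# Usage:
Get-HttpSysErrorSpike -LookbackHours 24 | Format-Table -AutoSize
Get-WebWorkerChildProcess | Where-Object { $_.ShellLike -or $_.HasNetwork } | Format-List
```

Both functions are snapshots: a child process that exits within seconds, or a parent PID that has since been reused, will be missed. For continuous coverage, forward Sysmon Event ID 1 or Security 4688 (with the parent process name enabled) to the SIEM and apply the same parent/child rule there; the script is useful for triage on a host that is already suspected.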
Timeline Update
At time of publication (June 12), three days after the patch release:
- Major cloud Windows Server deployments (Azure VMs, AWS EC2 running Windows) show high patch completion; automated patching in cloud environments enables faster deployment
- On-premises Windows Server infrastructure: patch deployment rates vary significantly by organisation
- The Shadowserver Foundation reports ongoing scanning activity against HTTP.sys port 443 consistent with exploitation reconnaissance
The practical implication: organisations that have not yet patched internet-facing Windows Server infrastructure are in an active exploitation window.