Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    Goat Feed · KEV

    CISA KEV: Microsoft Windows CVE-2026-20805 - Windows Information Disclosure Vulnerability

    Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally.

    Back to the daily feed
    KEV
    critical

    BGC Risk Score

    Blue Goat Cyber MedTech rubric v1.0 · methodology

    4.2
    of 10
    notable
    CVSS technical
    40% · +1.6

    Not published

    Patient safety
    35% · +0.7

    No direct patient impact inferred

    Exploit maturity
    15% · +1.5

    On CISA KEV (in-the-wild)

    MedTech exposure
    10% · +0.4

    4/10 network-reachable signals

    How we got to 4.2

    1. 1
      CVSS technical severity (40%)

      Industry-standard exploitability + impact score. We prefer CVSS 4.0 and fall back to 3.1 per the FDA's Feb 2026 premarket cybersecurity guidance. Missing CVSS scores get a neutral 4.0 so unknown vulns are not over- or under-rated.

      No CVSS published yet · neutral 4.0 × 40% = +1.60
    2. 2
      Patient safety impact (35%)

      What happens to a patient if this vuln is exploited on a connected device. Auto-inferred from headline, dek, tags, and device class against a curated MedTech keyword library (pacemaker, infusion pump, EHR, PACS, etc.).

      No direct patient impact inferred → 2 × 35% = +0.70
    3. 3
      Exploit maturity (15%)

      Is anyone actually using this in attacks? KEV listing > weaponized exploit > public PoC > none. KEV alone forces tier=critical regardless of CVSS.

      On CISA KEV (in-the-wild) → 10 × 15% = +1.50
    4. 4
      MedTech exposure (10%)

      How likely this affects clinical operations: presence in our MedTech feed (+4 baseline), network-reachable signals (+3), known device-class tags (+2), identified MedTech vendor (+1).

      Exposure 4/10 × 10% = +0.40

    Tier cutoffs: Critical ≥ 8.5 · High 7.0–8.4 · Notable 4.0–6.9 · Info < 4.0. Full methodology, weights, and changelog at /goatfeed/risk-rubric.

    CVE: CVE-2026-20805

    Vendor / product: Microsoft Windows

    KEV added: 2026-01-13 · Federal due date: 2026-02-03

    Vulnerability

    Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally.

    Required action

    Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

    Citations
    #kev#cve#microsoft
    Need help acting on this?

    Talk to Blue Goat Cyber

    Penetration testing, SBOM, threat modeling, and 524B submission support for MedTech.