Windows RDP 0-Day Exploited: Critical Remote Desktop
Microsoft has patched CVE-2026-21533, a zero-day elevation of privilege vulnerability affecting Windows Remote Desktop Services (RDS). Attackers are actively exploiting this critical flaw in the...
Microsoft has patched CVE-2026-21533, a zero-day elevation of privilege vulnerability affecting Windows Remote Desktop Services (RDS). Attackers are actively exploiting this critical flaw in the wild, enabling them to gain SYSTEM-level access.
The flaw stems from improper privilege management and was addressed in the February 2026 Patch Tuesday updates released on February 10.
CVE-2026-21533 carries a CVSS v3.1 base score of 7.8 (High), with a local attack vector, low complexity, and low privileges required. It requires no user interaction and affects the unchanged scope, impacting confidentiality, integrity, and availability at high levels. Microsoft classifies it as “Important,” noting that exploitation is functional with an official fix available.
The vulnerability arises from flawed privilege handling in RDS components. CrowdStrike observed an exploit binary that modifies a service configuration registry key, substituting it with an attacker-controlled one.
This alteration enables privilege escalation, such as adding a new user to the Administrators group, granting full SYSTEM privileges. Attackers need initial low-privileged local access, making it ideal for post-exploitation in RDP environments.
Adam Meyers, CrowdStrike’s Head of Counter Adversary Operations, warned: “Threat actors possessing the exploit binaries will likely accelerate their attempts to use or sell CVE-2026-21533 in the near term.” No specific adversary attribution exists yet, but RDS systems are prime lateral movement targets.
Affected Systems
The flaw impacts numerous Windows versions, primarily servers with RDS enabled.
| Product | KB Article | Build Number |
|---|---|---|
| Windows Server 2025 | KB5075899, KB5075942 | 10.0.26100.32370 |
| Windows 11 24H2 (x64/ARM64) | KB5077181, KB5077212 | 10.0.26100.7840 |
| Windows Server 2022 | KB5075906, KB5075943 | 10.0.20348.4773 |
| Windows 11 23H2 (x64/ARM64) | KB5075941 | 10.0.22631.6649 |
| Windows Server 2019 | KB5075904 | 10.0.17763.8389 |
| Windows 10 22H2 (various) | KB5075912 | 10.0.19045.6937 |
| Windows Server 2016 | KB5075999 | 10.0.14393.8868 |
| Windows Server 2012 R2 | KB5075970 | 6.3.9600.23022 |
Additional versions include Windows Server 2012, Windows 10 21H2/1607/1809, and Windows 11 25H2/26H1.
Microsoft urges immediate deployment of the Monthly Rollup or Security Updates via Windows Update or the Microsoft Update Catalog. For Server Core installs, targeted KBs ensure compatibility. Verify builds post-installation, e.g., 10.0.26100.32370 for Windows Server 2025.
Mitigation Steps
- Disable RDS if unused; restrict to trusted networks.
- Enforce least privilege; monitor registry changes in RDS services.
- Deploy EDR for anomalous privilege escalations.
- Test patches in staging environments due to RDS sensitivity.
This zero-day highlights ongoing risks in legacy Windows deployments amid Patch Tuesday’s 55 flaws, including five other exploited issues. Organizations should prioritize RDS hardening to curb post-breach escalation.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.