RDS Zero-Day Enables Privilege Escalation
CVE-2026-21533, a vulnerability in Windows Remote Desktop Services, allows a low-privileged local attacker to elevate to SYSTEM, and exploitation in the wild has been confirmed. The root cause is improper privilege management in RDS; observed attacks used binaries that modified RDS service registry keys so that they pointed at attacker-controlled processes.
Enterprises running RDS face a heightened risk of post-breach takeover, with administrative integrity, data confidentiality, and system availability at stake across servers and endpoints. Microsoft's February 10 Patch Tuesday release addresses it among 55 flaws, five of which are exploited.
Flaw Characteristics
The CVSS v3.1 score of 7.8 (High) reflects a local attack vector, low attack complexity, and no user interaction. Microsoft rates the flaw “Important” and notes that functional exploits existed before the patch. Because RDS components mishandle privileges, the flaw is well suited to lateral movement over RDP.
| CVE Identifier | Vulnerability Description | CVSS Score |
|---|---|---|
| CVE-2026-21533 | RDS privilege escalation to SYSTEM | 7.8 |
Impacted Windows Versions
Broad exposure across client and server editions with RDS.
| Product | KB Article Examples | Post-Patch Build Example |
|---|---|---|
| Windows Server 2025 | KB5075899, KB5075942 | 10.0.26100.32370 |
| Windows 11 24H2 | KB5077181, KB5077212 | 10.0.26100.7840 |
| Windows Server 2022 | KB5075906, KB5075943 | 10.0.20348.4773 |
| Windows 11 23H2 | KB5075941 | 10.0.22631.6649 |
| Windows Server 2019 | KB5075904 | 10.0.17763.8389 |
| Windows 10 22H2 | KB5075912 | 10.0.19045.6937 |
| Windows Server 2016 | KB5075999 | 10.0.14393.8868 |
| Windows Server 2012 R2 | KB5075970 | 6.3.9600.23022 |
Exposure also spans Windows Server 2012, Windows 10 21H2/1809/1607, and Windows 11 25H2/26H1.
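The following PowerShell script is an added example, not part of the original article. It compares the host's OS build against the post-patch build listed in the table above for its product and reports whether any of the listed February 2026 KBs appears in Get-HotFix. The KB numbers and build strings are copied from the article's table; the build-to-product mapping and the use of ProductType to tell server editions from client editions are this example's own assumptions.

```powershell
# Added example, not from the original article. Checks this host's patch state for
# CVE-2026-21533 using the KBs and post-patch builds from the article's table.

$Kbs = 'KB5075899','KB5075942','KB5077181','KB5077212','KB5075906','KB5075943',
       'KB5075941','KB5075904','KB5075912','KB5075999','KB5075970'

# Post-patch builds from the article. Server 2025 and Windows 11 24H2 share build
# 26100, so a server/client flag (assumption: derived from ProductType) disambiguates.
$PostPatch = @(
    @{ Product = 'Windows Server 2025';    Build = 26100; Server = $true;  Patched = [version]'10.0.26100.32370' }
    @{ Product = 'Windows 11 24H2';        Build = 26100; Server = $false; Patched = [version]'10.0.26100.7840'  }
    @{ Product = 'Windows Server 2022';    Build = 20348; Server = $true;  Patched = [version]'10.0.20348.4773'  }
    @{ Product = 'Windows 11 23H2';        Build = 22631; Server = $false; Patched = [version]'10.0.22631.6649'  }
    @{ Product = 'Windows Server 2019';    Build = 17763; Server = $true;  Patched = [version]'10.0.17763.8389'  }
    @{ Product = 'Windows 10 22H2';        Build = 19045; Server = $false; Patched = [version]'10.0.19045.6937'  }
    @{ Product = 'Windows Server 2016';    Build = 14393; Server = $true;  Patched = [version]'10.0.14393.8868'  }
    @{ Product = 'Windows Server 2012 R2'; Build = 9600;  Server = $true;  Patched = [version]'6.3.9600.23022'   }
)

function Get-OsBuildInfo {
    $os = Get-CimInstance Win32_OperatingSystem
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # Win32_OperatingSystem.Version is major.minor.build; the revision (UBR) lives in the
    # registry and is absent on 2012 R2, where a missing UBR is treated as revision 0.
    $ubr = if ($null -ne $cv.UBR) { [int]$cv.UBR } else { 0 }
    [pscustomobject]@{
        Version  = [version]"$($os.Version).$ubr"
        Build    = [int]$cv.CurrentBuild
        IsServer = $os.ProductType -ne 1   # 1 = workstation, 2 = domain controller, 3 = server
        Caption  = $os.Caption
    }
}

function Test-Cve202621533Patch {
    $info  = Get-OsBuildInfo
    $entry = $PostPatch |
        Where-Object { $_.Build -eq $info.Build -and $_.Server -eq $info.IsServer } |
        Select-Object -First 1
    $found = Get-HotFix | Where-Object { $Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    if (-not $entry) {
        return [pscustomobject]@{
            Caption = $info.Caption
            Version = $info.Version
            KbFound = ($found -join ', ')
            Status  = 'Build not in table: compare against the vendor advisory manually'
        }
    }
    [pscustomobject]@{
        Caption  = $info.Caption
        Product  = $entry.Product
        Version  = $info.Version
        Required = $entry.Patched
        KbFound  = ($found -join ', ')
        Status   = if ($info.Version -ge $entry.Patched) {
                       'Patched: build at or above post-patch level'
                   } else {
                       'VULNERABLE: build below post-patch level'
                   }
    }
}

Test-Cve202621533Patch | Format-List
```

Get-HotFix only shows KBs that are still recorded on the host, and a later cumulative update supersedes the February packages, so treat the build comparison as the authoritative result and the KB list as supporting evidence.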
Exploitation Insights
CrowdStrike identified binaries that swapped RDS registry entries for malicious ones and added users to the Administrators group. CrowdStrike's Adam Meyers predicts that sales of exploits for the flaw will accelerate. A low-privilege foothold is enough, which amplifies the impact of RDP compromises.
The table below summarizes patch deployment options for administrators.
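The two observable side effects described above, a repointed RDS service registry entry and an unexpected Administrators member, are what a defender can audit for. The PowerShell script below is an added example, not part of the original article or of CrowdStrike's findings. It assumes the RDS service entry in question is the TermService service under HKLM\SYSTEM\CurrentControlSet\Services (the article does not name specific keys), checks that its host binary and service DLL live under System32 and carry a valid Microsoft signature, and compares local Administrators membership with a baseline list that you are expected to adjust.

```powershell
# Added example, not from the original article. Read-only audit of the RDS service
# registry entry and of local Administrators membership; run elevated on a host you manage.

$ServiceName = 'TermService'   # assumption: the RDS service the article refers to
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# Baseline of expected Administrators members (assumption; tailor to your environment).
$ExpectedAdmins = @('Administrator', 'Domain Admins')

function Resolve-ServiceBinary {
    param([string]$RawPath)
    # Expand %SystemRoot%-style variables, then strip quotes and command-line arguments
    $p = [Environment]::ExpandEnvironmentVariables($RawPath.Trim())
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] } else { $p = ($p -split '\s+')[0] }
    return $p
}

function Test-MicrosoftSigned {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    # Get-AuthenticodeSignature also resolves catalog-signed OS binaries on supported Windows
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            ($sig.IsOSBinary -or $sig.SignerCertificate.Subject -like '*Microsoft*'))
}

function Get-RdsServiceFindings {
    $svc    = Get-ItemProperty -Path $ServiceKey
    $params = Get-ItemProperty -Path "$ServiceKey\Parameters" -ErrorAction SilentlyContinue
    $findings = @()
    # ImagePath is the host process (svchost.exe for RDS); ServiceDll is the actual service code
    foreach ($entry in @(
            @{ Name = 'ImagePath';  Value = $svc.ImagePath },
            @{ Name = 'ServiceDll'; Value = $params.ServiceDll })) {
        if (-not $entry.Value) { continue }
        $bin = Resolve-ServiceBinary $entry.Value
        $findings += [pscustomobject]@{
            Check    = $entry.Name
            Path     = $bin
            InSystem = $bin -like "$env:SystemRoot\System32\*"
            MsSigned = Test-MicrosoftSigned $bin
        }
    }
    return $findings
}

function Get-AdminGroupDrift {
    # Members outside the baseline are candidates for the "added to Administrators" behaviour
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $ExpectedAdmins -notcontains ($_.Name -replace '^.*\\', '') } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$svcFindings = Get-RdsServiceFindings
$svcFindings | Format-Table -AutoSize
$suspicious = $svcFindings | Where-Object { -not $_.InSystem -or -not $_.MsSigned }
if ($suspicious) {
    Write-Warning "RDS service entry points outside System32 or at a non-Microsoft binary; review $ServiceKey"
}

$drift = Get-AdminGroupDrift
if ($drift) {
    Write-Warning 'Local Administrators contains members outside the baseline:'
    $drift | Format-Table -AutoSize
} else {
    'Local Administrators matches the baseline.'
}
```

For fleet-wide coverage, the same two checks map onto EDR telemetry: registry-write events under the service key and group-membership change events (Windows Security event IDs for local group membership changes) give you the detection without polling each host.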
| Method | Availability | Considerations |
|---|---|---|
| Windows Update | Automatic Rollups | Preferred for most |
| Microsoft Catalog | Manual KBs | Offline/air-gapped |
| Server Core | Specific KBs | Compatibility ensured |
Protective Measures
Apply the patches, using the Microsoft Update Catalog where Windows Update is unavailable. Disable RDS where it is unnecessary and confine it to trusted network segments elsewhere. Enforce least privilege and use EDR to flag registry anomalies. Test updates in a lab first, since RDS has many dependencies. Monitor each Patch Tuesday for vulnerabilities marked as exploited.
The Windows RDS zero-day CVE-2026-21533 enables rapid SYSTEM takeover from a session, opening the door to domain-wide compromise. Microsoft's February 2026 patches eliminate the privilege flaw, per official guidance.