Windows Remote Desktop Services 0-Day Vulnerability Exploited in the Wild to Escalate Privileges

Microsoft has patched CVE-2026-21533, a zero-day elevation of privilege vulnerability in Windows Remote Desktop Services (RDS) that attackers are exploiting in the wild to gain SYSTEM-level access.

The flaw stems from improper privilege management and was addressed in the February 2026 Patch Tuesday updates released on February 10.

CVE-2026-21533 carries a CVSS v3.1 base score of 7.8 (High), with a local attack vector, low complexity, and low privileges required. It requires no user interaction and affects the unchanged scope, impacting confidentiality, integrity, and availability at high levels. Microsoft classifies it as “Important,” noting that exploitation is functional with an official fix available.

The vulnerability arises from flawed privilege handling in RDS components. CrowdStrike observed an exploit binary that modifies a service configuration registry key, substituting it with an attacker-controlled one.

This alteration enables privilege escalation, such as adding a new user to the Administrators group, granting full SYSTEM privileges. Attackers need initial low-privileged local access, making it ideal for post-exploitation in RDP environments.

Adam Meyers, CrowdStrike’s Head of Counter Adversary Operations, warned: “Threat actors possessing the exploit binaries will likely accelerate their attempts to use or sell CVE-2026-21533 in the near term.” No specific adversary attribution exists yet, but RDS systems are prime lateral movement targets.

Affected Systems

The flaw impacts numerous Windows versions, primarily servers with RDS enabled.

Product	KB Article	Build Number
Windows Server 2025	KB5075899, KB5075942	10.0.26100.32370
Windows 11 24H2 (x64/ARM64)	KB5077181, KB5077212	10.0.26100.7840
Windows Server 2022	KB5075906, KB5075943	10.0.20348.4773
Windows 11 23H2 (x64/ARM64)	KB5075941	10.0.22631.6649
Windows Server 2019	KB5075904	10.0.17763.8389
Windows 10 22H2 (various)	KB5075912	10.0.19045.6937
Windows Server 2016	KB5075999	10.0.14393.8868
Windows Server 2012 R2	KB5075970	6.3.9600.23022

Additional versions include Windows Server 2012, Windows 10 21H2/1607/1809, and Windows 11 25H2/26H1.

Microsoft urges immediate deployment of the Monthly Rollup or Security Updates via Windows Update or the Microsoft Update Catalog. For Server Core installs, targeted KBs ensure compatibility. Verify builds post-installation, e.g., 10.0.26100.32370 for Windows Server 2025.

Mitigation Steps

• Disable RDS if unused; restrict to trusted networks.
• Enforce least privilege; monitor registry changes in RDS services.
• Deploy EDR for anomalous privilege escalations.
• Test patches in staging environments due to RDS sensitivity.

This zero-day highlights ongoing risks in legacy Windows deployments amid Patch Tuesday’s 55 flaws, including five other exploited issues. Organizations should prioritize RDS hardening to curb post-breach escalation.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Windows Remote Desktop Services 0-Day Vulnerability Exploited in the Wild to Escalate Privileges appeared first on Cyber Security News.