Microsoft: Windows Remote Desktop Services 0-Day Vulnerability Exploited in the Wild to Escalate Privileges

Microsoft Patches Actively Exploited Zero-Day in Windows Remote Desktop Services

Microsoft has addressed CVE-2026-21533, a zero-day elevation of privilege vulnerability in Windows Remote Desktop Services (RDS) that attackers are actively exploiting to gain SYSTEM-level access. The flaw, patched in the February 2026 Patch Tuesday updates (released February 10), stems from improper privilege management in RDS components.

Rated CVSS 7.8 (High), the flaw is a local elevation of privilege: an attacker who already has low-privileged access on the host can exploit it without any user interaction, which makes it well suited to post-exploitation once a foothold on an RDS host exists. CrowdStrike researchers observed an exploit binary that modifies a service configuration registry key to escalate privileges; the elevated access was then used to add a new user to the local Administrators group.

Adam Meyers, CrowdStrike’s Head of Counter Adversary Operations, warned that threat actors may accelerate exploitation or sale of the flaw in the near term. While no specific adversary has been attributed, RDS systems remain prime targets for lateral movement.

Affected Systems

The vulnerability impacts multiple Windows versions, including:

  • Windows Server 2025 (KB5075899, KB5075942)
  • Windows 11 24H2/23H2 (KB5077181, KB5075941)
  • Windows Server 2022/2019/2016/2012 R2 (various KBs)
  • Windows 10 22H2/21H2/1607/1809

Microsoft urges immediate patch deployment via Windows Update or the Microsoft Update Catalog. Verifying the post-installation OS build (for example 10.0.26100.32370 for Windows Server 2025) confirms that the update actually applied, rather than relying on the update history alone.
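The build check described above, as an added example that is not part of the original article. The only expected build it knows comes from the article (Windows Server 2025 at 10.0.26100.32370); the commented-out entry for other SKUs is a placeholder to be filled in from the Microsoft advisory, and the KB list is the one the article names. It reads the installed build from the registry (including the UBR component that a cumulative update bumps) and treats Get-HotFix only as a secondary signal, since cumulative updates are not always listed there.

```powershell
# Added example, not from the original article: check whether this host has the
# February 2026 cumulative update that fixes CVE-2026-21533.
# Only the Windows Server 2025 build below comes from the article; add other SKUs
# from the Microsoft advisory before relying on this for them.
$ExpectedMinimumBuild = @{
    'Windows Server 2025' = [version]'10.0.26100.32370'
    # 'Windows 11 24H2'   = [version]'10.0.26100.xxxxx'   # placeholder: fill in from the advisory
}

# KB numbers the article lists for the update. Get-HotFix is a secondary signal only:
# cumulative updates are not always reported there, the build number is authoritative.
$KbIds = 'KB5075899', 'KB5075942', 'KB5077181', 'KB5075941'

function Get-InstalledBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # Major.Minor.Build.UBR; UBR is the fourth component a cumulative update increments.
    [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber,
                                   $cv.CurrentMinorVersionNumber,
                                   $cv.CurrentBuildNumber,
                                   $cv.UBR)
}

function Get-ProductKey {
    # Win32_OperatingSystem.Caption is used instead of the registry ProductName,
    # which still reads "Windows 10" on Windows 11 hosts.
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    foreach ($key in $ExpectedMinimumBuild.Keys) {
        if ($caption -like "*$key*") { return $key }
    }
    return $null
}

$build   = Get-InstalledBuild
$product = Get-ProductKey
$hotfix  = Get-HotFix | Where-Object { $_.HotFixID -in $KbIds }

if ($null -eq $product) {
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    Write-Output "UNKNOWN: '$caption' is at build $build; no expected build configured, compare against the advisory manually."
} elseif ($build -ge $ExpectedMinimumBuild[$product]) {
    Write-Output "PATCHED: $product is at build $build (>= $($ExpectedMinimumBuild[$product]))."
} else {
    Write-Output "VULNERABLE: $product is at build $build, expected >= $($ExpectedMinimumBuild[$product]). Install the February 2026 cumulative update."
}
if ($hotfix) { Write-Output ('Get-HotFix also reports: ' + ($hotfix.HotFixID -join ', ')) }
```

Run it in an elevated session on each RDS host, or wrap it in Invoke-Command for a fleet; the build comparison is what decides the verdict, the KB lookup is informational.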

Mitigation & Hardening

  • Disable Remote Desktop Services where it is not needed, and restrict RDP access to trusted networks (VPN, jump host, or firewall allow-list). Because this is a local elevation of privilege, network restrictions limit who can obtain the initial low-privileged foothold but do not remove the need to patch.
  • Enforce least privilege for accounts that can log on to RDS hosts, and monitor changes to service configuration registry keys (under HKLM\SYSTEM\CurrentControlSet\Services), since the observed exploit modifies one of these to elevate.
  • Deploy EDR to detect anomalous privilege escalation, in particular accounts being added to the local Administrators group shortly after a service key change.
  • Test the updates in a staging environment before broad rollout, because RDS hosts are sensitive to regressions.
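
The monitoring described in the list above, as an added example that is not from the original article or from CrowdStrike's research. It hunts the local event logs for the two behaviours the article attributes to the exploit: a service's configuration values being changed, and an account being added to the local Administrators group, then flags any Administrators add that follows a service key change within a short window. It assumes Sysmon is installed with a RegistryEvent rule covering the Services hive (Event ID 13, value set) and that "Audit Security Group Management" is enabled so the Security log records Event ID 4732; the set of watched value names and the 10-minute correlation window are choices made for this example, not figures from the article.

```powershell
# Added example, not from the original article or CrowdStrike's research.
# Prerequisites (assumed): Sysmon with a RegistryEvent rule for
# HKLM\SYSTEM\CurrentControlSet\Services, and Security Group Management auditing:
#   auditpol /set /subcategory:"Security Group Management" /success:enable
param([int]$HoursBack = 24, [int]$CorrelationMinutes = 10)
$since = (Get-Date).AddHours(-$HoursBack)

# Turn an event's <EventData> into a hashtable keyed by field name.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $data = @{}
    $xml  = [xml]$Record.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    $data
}

# (1) Sysmon Event ID 13: a value under a service's configuration key was set.
# ImagePath and ObjectName decide what runs, and as whom, when the service starts.
# The value names watched here are this example's choice, not from the article.
$serviceValuePattern = '^HKLM\\System\\CurrentControlSet\\Services\\[^\\]+\\(ImagePath|ObjectName|Start|Type)$'
$serviceChanges = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.TargetObject -match $serviceValuePattern) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $d.Image
                Target  = $d.TargetObject
                Details = $d.Details
            }
        }
    }

# (2) Security Event ID 4732: member added to a security-enabled local group.
# Filter on the well-known SID of BUILTIN\Administrators.
$adminAdds = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4732; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.TargetSid -eq 'S-1-5-32-544') {
            # Local adds usually carry only MemberSid; MemberName is "-".
            $member = if ($d.MemberName -and $d.MemberName -ne '-') { $d.MemberName } else { $d.MemberSid }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Actor  = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                Member = $member
            }
        }
    }

# Report every service-key change, then any Administrators-group add preceded by
# such a change within the window (the chain the article describes: tamper with a
# service key, then add an admin user). 4732 carries no process, so correlate on time.
$serviceChanges | Sort-Object Time | Format-Table -AutoSize
foreach ($add in $adminAdds) {
    $windowStart = $add.Time.AddMinutes(-$CorrelationMinutes)
    $prior = $serviceChanges | Where-Object { $_.Time -ge $windowStart -and $_.Time -le $add.Time }
    if ($prior) {
        Write-Warning ('{0}: {1} added {2} to Administrators; {3} service-key change(s) in the preceding {4} min' -f
            $add.Time, $add.Actor, $add.Member, @($prior).Count, $CorrelationMinutes)
    } else {
        Write-Output ('{0}: {1} added {2} to Administrators (no correlated service-key change)' -f
            $add.Time, $add.Actor, $add.Member)
    }
}
```

Expect legitimate hits from installers and configuration management, so baseline the Process and Actor columns before alerting on every match; a service key changed by an interactive user's process, followed minutes later by that same user adding an account to Administrators, is the pattern worth escalating.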

The zero-day underscores persistent risks in legacy Windows deployments, with February’s Patch Tuesday addressing 55 total flaws, including five other actively exploited vulnerabilities. Organizations are advised to prioritize RDS hardening to mitigate post-breach escalation risks.

Source: https://cybersecuritynews.com/windows-remote-desktop-services-0-day-vulnerability/

Microsoft TPRM report: https://www.rankiteo.com/company/Microsoft

{
  "id": "Mic1770781934",
  "linkid": "Microsoft",
  "type": "Vulnerability",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Actively exploited local elevation of privilege to SYSTEM; no customer data leak is reported."
}
{
  "affected_entities": [
    {
      "customers_affected": "Users of Windows Server 2025, Windows 11, Windows Server 2022/2019/2016/2012 R2, Windows 10",
      "industry": "Software",
      "location": "Global",
      "name": "Microsoft",
      "size": "Enterprise",
      "type": "Technology Company"
    }
  ],
  "attack_vector": "Local",
  "customer_advisories": "Users advised to apply patches immediately and verify post-installation builds.",
  "date_publicly_disclosed": "2026-02-10",
  "date_resolved": "2026-02-10",
  "description": "Microsoft has addressed CVE-2026-21533, a zero-day elevation of privilege vulnerability in Windows Remote Desktop Services (RDS) that attackers are actively exploiting to gain SYSTEM-level access. The flaw stems from improper privilege management in RDS components and allows attackers to escalate privileges after gaining initial low-privileged local access.",
  "impact": {
    "operational_impact": "Privilege escalation to SYSTEM-level access",
    "systems_affected": "Windows Remote Desktop Services (RDS)"
  },
  "investigation_status": "Patched",
  "lessons_learned": "Persistent risks in legacy Windows deployments; importance of RDS hardening to mitigate post-breach escalation risks.",
  "post_incident_analysis": {
    "corrective_actions": "Patch deployment, RDS hardening, least privilege enforcement, EDR deployment",
    "root_causes": "Improper privilege management in Windows Remote Desktop Services (RDS)"
  },
  "recommendations": [
    "Immediate patch deployment via Windows Update or Microsoft Update Catalog",
    "Disable RDS if unused or restrict access to trusted networks",
    "Enforce least privilege and monitor registry changes in RDS services",
    "Deploy EDR solutions to detect anomalous privilege escalations",
    "Test patches in staging environments due to RDS sensitivity"
  ],
  "references": [
    { "date_accessed": "2026-02-10", "source": "Microsoft Patch Tuesday Updates" },
    { "date_accessed": "2026-02-10", "source": "CrowdStrike Research" }
  ],
  "response": {
    "communication_strategy": "Public disclosure via Patch Tuesday updates and advisories",
    "containment_measures": "Patch deployment via Windows Update or Microsoft Update Catalog",
    "enhanced_monitoring": "Deploy EDR solutions to detect anomalous privilege escalations",
    "remediation_measures": "Immediate patching, disable RDS if unused, restrict access to trusted networks, enforce least privilege, monitor registry changes",
    "third_party_assistance": "CrowdStrike (research)"
  },
  "stakeholder_advisories": "Microsoft urges immediate patch deployment; CrowdStrike warns of accelerated exploitation risks.",
  "title": "Microsoft Patches Actively Exploited Zero-Day in Windows Remote Desktop Services (CVE-2026-21533)",
  "type": "Elevation of Privilege",
  "vulnerability_exploited": "CVE-2026-21533"
}