Mallory
Severity: High · CISA KEV · Exploited in the wild · Public exploit

Windows Remote Desktop Services Elevation of Privilege

Identifiers: CVE-2026-21533 · CWE-269 (Improper Privilege Management)

CVE-2026-21533 is an elevation-of-privilege vulnerability in Microsoft Windows Remote Desktop Services, classified as CWE-269 (improper privilege management). An attacker who already has local access with a low-privileged account can abuse a logic flaw in how the Remote Desktop Services component handles privileges to elevate on the affected host; successful exploitation yields execution as SYSTEM. The vulnerability has been exploited in the wild. Reporting on that activity describes the exploit overwriting a service configuration key with an attacker-controlled key to escalate privileges, then adding a user to the local Administrators group. The specific vulnerable function or code path has not been described in the available reporting.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation lets a local, authenticated attacker escalate from a standard or otherwise low-privileged account to SYSTEM on the affected Windows host. SYSTEM is full control of the machine: arbitrary code execution, disabling or tampering with security tooling, creating or modifying privileged accounts, harvesting credentials and sensitive data, establishing persistence, and using the host as a pivot for lateral movement and follow-on activity.

Mitigation

If you can’t patch tonight, do this now.

If you cannot patch immediately, reduce exposure and increase visibility. Disable Remote Desktop Services where it is not strictly required, restrict RDS access to trusted, administrator-managed networks, and limit interactive and remote logon rights for untrusted users. Keep in mind that this is a local elevation-of-privilege flaw: the attacker must already be able to run code on the host as a low-privileged user, so RDP exposure is only one of the ways that foothold can be obtained, and local logon restrictions matter as much as network restrictions. Watch for the two behaviors described in the exploitation reporting: anomalous registry or service-configuration changes, and unauthorized additions to the local Administrators group. Deploy or tune EDR detections for local privilege-escalation attempts involving RDS-related processes and service configuration changes. These are compensating controls only; they do not replace the vendor patch.
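One way to apply and monitor these compensating controls from an elevated PowerShell session. This is an added example, not code from Mallory or Microsoft. It assumes the script is saved as a .ps1 and run as an administrator on the host, that the Security log audits group-membership changes (Audit Security Group Management enabled), and, optionally, that Sysmon is installed with registry-event rules and writes to Microsoft-Windows-Sysmon/Operational. The event IDs used (4732, 7040, Sysmon 13) are the standard Windows ones; the registry path pattern is the generic HKLM\SYSTEM\CurrentControlSet\Services family, because the page does not name the specific key the exploit modifies.

```powershell
# Added example: compensating controls for CVE-2026-21533 on a host that cannot be
# patched yet. Not Mallory's or Microsoft's code. Assumes an elevated session with
# access to the Security and System logs; the Sysmon channel is optional.
# Event IDs: 4732 (member added to a security-enabled local group),
# 7040 (service start type changed), Sysmon 13 (registry value set).
param(
    [int]$LookbackHours = 24,
    [switch]$DisableRemoteDesktop   # apply the "disable RDS where not needed" control
)
$since = (Get-Date).AddHours(-$LookbackHours)

# --- 1. Exposure: is this host accepting Remote Desktop connections?
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOn = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0
Write-Host "Remote Desktop connections enabled: $rdpOn"
if ($rdpOn -and $DisableRemoteDesktop) {
    Set-ItemProperty $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'   # NetSecurity module, Win8/2012+
    Write-Host 'Remote Desktop connections disabled and firewall rule group turned off.'
}

# Pull a named field out of an event's EventData XML (more robust than Properties[n]).
function Get-EventField($Event, $Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# --- 2. Hunt: additions to the local Administrators group (Security 4732).
# TargetUserName is the group; MemberSid is reliable even when MemberName is "-".
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq 'Administrators' } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Member  = Get-EventField $_ 'MemberSid'
            AddedBy = Get-EventField $_ 'SubjectUserName'
            LogonId = Get-EventField $_ 'SubjectLogonId'
        }
    } | Format-Table -AutoSize

# --- 3. Hunt: service configuration changes. System 7040 covers start-type changes
# made through the Service Control Manager; Sysmon 13 catches direct registry writes
# under the services key family that the exploit reporting describes.
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7040; StartTime=$since} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

$sysmon = 'Microsoft-Windows-Sysmon/Operational'
if (Get-WinEvent -ListLog $sysmon -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{LogName=$sysmon; Id=13; StartTime=$since} -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetObject') -like 'HKLM\System\CurrentControlSet\Services\*' } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Image  = Get-EventField $_ 'Image'
                User   = Get-EventField $_ 'User'
                Target = Get-EventField $_ 'TargetObject'
            }
        } | Format-Table -AutoSize
}
```

Run it without switches to get a read-only report, or with -DisableRemoteDesktop on hosts where RDP is not needed. Two caveats: 4732 is only logged when the Security Group Management audit subcategory is on, so an empty result on a host without that policy is not a clean result; and Sysmon 13 only fires for registry paths covered by the loaded Sysmon configuration, so check that the services key is actually in scope before trusting an empty hunt.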

Remediation

Patch, then assume compromise.

Apply Microsoft's February 2026 security updates to every affected Windows version. Affected platforms include multiple Windows 10 and Windows 11 releases as well as Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025. Update packages by release:

Windows 10 21H2/22H2: KB5075912
Windows 11 23H2: KB5075941
Windows 11 24H2/25H2: KB5077181 / KB5077212
Windows 10 1809 and Windows Server 2019: KB5075904
Windows 10 1607 and Windows Server 2016: KB5075999
Windows Server 2022: KB5075906
Windows Server 2022 23H2: KB5075897
Windows Server 2025: KB5075899 / KB5075942
Windows Server 2012 R2: KB5075970
Windows Server 2012: KB5075971

No update identifier is listed here for Windows 11 26H1, which appears in the affected-product list below. Validate deployment on every supported system rather than assuming the update applied; note that a later monthly cumulative update supersedes the February package and carries a different KB number while still containing the fix. Prioritize this CVE: it is actively exploited and listed in CISA KEV.
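A per-host check for the update mapping above, as an added example that is not Mallory's or Microsoft's code. It maps the OS build number to the KB(s) quoted on this page and looks for them with Get-HotFix. The build-to-release mapping is standard Windows versioning; the script name, structure, and the "Unknown" handling for builds not listed on this page (such as Windows 11 26H1) are this editor's. Where the page gives two KBs for a release pair, either one is accepted for that build.

```powershell
# Added example: checks whether a February 2026 update package that fixes
# CVE-2026-21533 is installed on the local host, using the KB numbers quoted on
# this page. Not Mallory's or Microsoft's code. Run in an elevated session.

# OS build number -> acceptable KB(s); any one present counts as patched.
$kbByBuild = @{
    '9200'  = @('KB5075971')                 # Windows Server 2012
    '9600'  = @('KB5075970')                 # Windows Server 2012 R2
    '14393' = @('KB5075999')                 # Windows 10 1607 / Windows Server 2016
    '17763' = @('KB5075904')                 # Windows 10 1809 / Windows Server 2019
    '19044' = @('KB5075912')                 # Windows 10 21H2
    '19045' = @('KB5075912')                 # Windows 10 22H2
    '20348' = @('KB5075906')                 # Windows Server 2022
    '22631' = @('KB5075941')                 # Windows 11 23H2
    '25398' = @('KB5075897')                 # Windows Server 2022 23H2
    '26200' = @('KB5077181', 'KB5077212')    # Windows 11 25H2
}
# Build 26100 is shared by Windows 11 24H2 (client) and Windows Server 2025,
# which receive different packages, so that build is resolved by SKU.
$kbBuild26100 = @{
    Client = @('KB5077181', 'KB5077212')     # Windows 11 24H2
    Server = @('KB5075899', 'KB5075942')     # Windows Server 2025
}

function Test-Cve202621533Patch {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = $os.BuildNumber
    # ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $sku   = if ($os.ProductType -eq 1) { 'Client' } else { 'Server' }
    # UBR is the revision part of the build (e.g. 19045.<UBR>).
    $ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

    $required = if ($build -eq '26100') { $kbBuild26100[$sku] } else { $kbByBuild[$build] }
    if (-not $required) {
        return [pscustomobject]@{
            Build = "$build.$ubr"; Sku = $sku; Status = 'Unknown'
            Detail = 'Build is not in the KB mapping on this page (e.g. Windows 11 26H1); consult the Microsoft advisory.'
        }
    }

    # Get-HotFix lists installed update packages by KB number.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $found = @($required | Where-Object { $installed -contains $_ })

    if ($found.Count -gt 0) {
        $status = 'Patched'
        $detail = "Found $($found -join ', ')"
    } else {
        # A later cumulative update supersedes the February package and will not
        # show up under the February KB number, so absence is not proof of exposure.
        # Confirm by comparing UBR against the fixed revision in Microsoft's release notes.
        $status = 'NotFound'
        $detail = "None of $($required -join ', ') installed; verify a newer LCU via UBR $ubr"
    }
    [pscustomobject]@{ Build = "$build.$ubr"; Sku = $sku; Status = $status; Detail = $detail }
}

Test-Cve202621533Patch
```

Locally, pipe the output to Format-List. Across a fleet, run it through remoting and keep the computer name: Invoke-Command -ComputerName host1,host2 -FilePath .\Test-Cve202621533Patch.ps1 | Select-Object PSComputerName, Build, Sku, Status, Detail. Treat NotFound as "verify", not as "vulnerable": a host that took the March or later cumulative update is fixed but will not list the February KB, which is why the UBR is included in the output.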
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 7 candidates as fakes, detection scripts, or README-only repos.

Valid: 0 / 7 total

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor                  Product                    Type
Microsoft Corporation   Windows 10 1607            operating_system
Microsoft Corporation   Windows 10 1809            operating_system
Microsoft Corporation   Windows 10 21H2            operating_system
Microsoft Corporation   Windows 10 22H2            operating_system
Microsoft Corporation   Windows 11 23H2            operating_system
Microsoft Corporation   Windows 11 24H2            operating_system
Microsoft Corporation   Windows 11 25H2            operating_system
Microsoft Corporation   Windows 11 26H1            operating_system
Microsoft Corporation   Windows Server 2012        operating_system
Microsoft Corporation   Windows Server 2012 R2     operating_system
Microsoft Corporation   Windows Server 2016        operating_system
Microsoft Corporation   Windows Server 2019        operating_system
Microsoft Corporation   Windows Server 2022        operating_system
Microsoft Corporation   Windows Server 2022 23H2   operating_system
Microsoft Corporation   Windows Server 2025        operating_system
Microsoft Corporation   Windows Server 23H2        operating_system

Vendor-confirmed product mapping.

What this page doesn't show

The following are available for this CVE in the Mallory app, not on this public page:

Exposure mapping: query your assets running an affected version and investigate the blast radius.
Threat actor evidence: observed campaigns linking this CVE to a named adversary.
Associated malware: malware families using this exploit, with evidence and IOCs.
Detection signatures (3): YARA, Sigma, Snort, and vendor rules.
Vendor-by-vendor mapping: every affected SKU, including bundled OEM variants.
Social activity (34): community discussion across Reddit, Mastodon, and other social sources.