Windows Remote Desktop Services 0-Day Vulnerability Exploited in the Wild to Escalate Privileges
Microsoft has patched CVE-2026-21533, a zero-day elevation of privilege vulnerability in Windows Remote Desktop Services (RDS) that attackers are exploiting in the wild to gain SYSTEM-level access.
The flaw stems from improper privilege management and was addressed in the February 2026 Patch Tuesday updates released on February 10.
CVE-2026-21533 carries a CVSS v3.1 base score of 7.8 (High), with a local attack vector, low complexity, and low privileges required. It requires no user interaction and affects the unchanged scope, impacting confidentiality, integrity, and availability at high levels. Microsoft classifies it as “Important,” noting that exploitation is functional with an official fix available.
The vulnerability arises from flawed privilege handling in RDS components. CrowdStrike observed an exploit binary that modifies a service configuration registry key, substituting it with an attacker-controlled one.
This alteration enables privilege escalation, such as adding a new user to the Administrators group, granting full SYSTEM privileges. Attackers need initial low-privileged local access, making it ideal for post-exploitation in RDP environments.
Adam Meyers, CrowdStrike’s Head of Counter Adversary Operations, warned: “Threat actors possessing the exploit binaries will likely accelerate their attempts to use or sell CVE-2026-21533 in the near term.” No specific adversary attribution exists yet, but RDS systems are prime lateral movement targets.
Affected Systems
The flaw impacts numerous Windows versions, primarily servers with RDS enabled.
Product KB Article Build Number Windows Server 2025 KB5075899, KB5075942 10.0.26100.32370 Windows 11 24H2 (x64/ARM64) KB5077181, KB5077212 10.0.26100.7840 Windows Server 2022 KB5075906, KB5075943 10.0.20348.4773 Windows 11 23H2 (x64/ARM64) KB5075941 10.0.22631.6649 Windows Server 2019 KB5075904 10.0.17763.8389 Windows 10 22H2 (various) KB5075912 10.0.19045.6937 Windows Server 2016 KB5075999 10.0.14393.8868 Windows Server 2012 R2 KB5075970 6.3.9600.23022
Additional versions include Windows Server 2012, Windows 10 21H2/1607/1809, and Windows 11 25H2/26H1.
Microsoft urges immediate deployment of the Monthly Rollup or Security Updates via Windows Update or the Microsoft Update Catalog. For Server Core installs, targeted KBs ensure compatibility. Verify builds post-installation, e.g., 10.0.26100.32370 for Windows Server 2025.
Mitigation Steps
Disable RDS if unused; restrict to trusted networks.
Enforce least privilege; monitor registry changes in RDS services.
Deploy EDR for anomalous privilege escalations.
Test patches in staging environments due to RDS sensitivity.
This zero-day highlights ongoing risks in legacy Windows deployments amid Patch Tuesday’s 55 flaws , including five other exploited issues. Organizations should prioritize RDS hardening to curb post-breach escalation.
Follow us on Google News , LinkedIn , and X for daily cybersecurity updates. Contact us to feature your stories.
The post Windows Remote Desktop Services 0-Day Vulnerability Exploited in the Wild to Escalate Privileges appeared first on Cyber Security News .