Microsoft has patched CVE-2026-21533, a zero-day elevation-of-privilege flaw in Windows Remote Desktop Services (RDS) that attackers are exploiting in the wild to gain SYSTEM-level access.
The flaw stems from improper privilege management and was fixed in the February 2026 Patch Tuesday updates released on February 10.
CVE-2026-21533 carries a CVSS v3.1 base score of 7.8 (High): local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Microsoft rates it “Important,” and exploitation remains practical even though an official fix is available.
The vulnerability arises from improper privilege management in RDS components. CrowdStrike observed an exploit binary that modifies a service configuration registry key, replacing its value with one controlled by the attacker.
That change lets the attacker escalate privileges and add a new user to the Administrators group, which yields full SYSTEM privileges. Only low-privileged local access is needed to start, which makes the flaw well suited to post-exploitation in RDP environments.
Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, cautioned: “Threat actors possessing the exploit binaries will likely hasten their attempts to exploit or trade CVE-2026-21533 in the imminent future.” No specific adversary has been attributed so far, but RDS hosts are prime targets for lateral movement.
Affected Systems
The flaw affects many Windows versions, primarily servers with RDS enabled.
| Product | KB Article | Build Number |
|---|---|---|
| Windows Server 2025 | KB5075899, KB5075942 | 10.0.26100.32370 |
| Windows 11 24H2 (x64/ARM64) | KB5077181, KB5077212 | 10.0.26100.7840 |
| Windows Server 2022 | KB5075906, KB5075943 | 10.0.20348.4773 |
| Windows 11 23H2 (x64/ARM64) | KB5075941 | 10.0.22631.6649 |
| Windows Server 2019 | KB5075904 | 10.0.17763.8389 |
| Windows 10 22H2 (various) | KB5075912 | 10.0.19045.6937 |
| Windows Server 2016 | KB5075999 | 10.0.14393.8868 |
| Windows Server 2012 R2 | KB5075970 | 6.3.9600.23022 |
Other versions affected include Windows Server 2012, Windows 10 21H2/1607/1809, and Windows 11 25H2/26H1.
Microsoft urges immediate installation of the Monthly Rollup or Security Update via Windows Update or the Microsoft Update Catalog. Server Core installations have their own targeted KBs. After installing, verify the build number, for example 10.0.26100.32370 on Windows Server 2025.
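The following PowerShell script is an added example for the post-installation check described above; it is not from the article or from Microsoft. It compares the host's build number against the fixed builds in the table and checks whether one of the listed KBs is reported by `Get-HotFix`. The caption patterns used to tell apart editions that share a base build (Windows Server 2025 and Windows 11 24H2 both report 26100) are an assumption, and the script assumes Windows PowerShell 5.1 or later with local administrator rights.

```powershell
# Added example (not the article's or Microsoft's code): compare this host's
# build and installed KBs against the fixed builds listed in the article's table.
# Assumes Windows PowerShell 5.1+ and local administrator rights.

# BaseBuild is the third version field, Ubr (Update Build Revision) the fourth.
# Caption patterns are an assumption used to distinguish editions that share a
# base build (Server 2025 vs Windows 11 24H2, both 26100).
$Fixed = @(
    @{ Product = 'Windows Server 2025';    Caption = '*Server 2025*';    BaseBuild = 26100; Ubr = 32370; KBs = 'KB5075899','KB5075942' },
    @{ Product = 'Windows 11 24H2';        Caption = '*Windows 11*';     BaseBuild = 26100; Ubr = 7840;  KBs = 'KB5077181','KB5077212' },
    @{ Product = 'Windows Server 2022';    Caption = '*Server 2022*';    BaseBuild = 20348; Ubr = 4773;  KBs = 'KB5075906','KB5075943' },
    @{ Product = 'Windows 11 23H2';        Caption = '*Windows 11*';     BaseBuild = 22631; Ubr = 6649;  KBs = 'KB5075941' },
    @{ Product = 'Windows Server 2019';    Caption = '*Server 2019*';    BaseBuild = 17763; Ubr = 8389;  KBs = 'KB5075904' },
    @{ Product = 'Windows 10 22H2';        Caption = '*Windows 10*';     BaseBuild = 19045; Ubr = 6937;  KBs = 'KB5075912' },
    @{ Product = 'Windows Server 2016';    Caption = '*Server 2016*';    BaseBuild = 14393; Ubr = 8868;  KBs = 'KB5075999' },
    @{ Product = 'Windows Server 2012 R2'; Caption = '*Server 2012 R2*'; BaseBuild = 9600;  Ubr = 23022; KBs = 'KB5075970' }
)

function Get-Cve202621533PatchState {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $baseBuild = [int]$reg.CurrentBuildNumber
    # The UBR value does not exist on releases older than Windows 10; treat it as 0.
    $ubr = if ($null -ne $reg.UBR) { [int]$reg.UBR } else { 0 }

    $entry = $Fixed |
        Where-Object { $os.Caption -like $_.Caption -and $_.BaseBuild -eq $baseBuild } |
        Select-Object -First 1
    if (-not $entry) {
        return [pscustomobject]@{
            Product = $os.Caption; Build = "$baseBuild.$ubr"; Status = 'NotInTable'; MissingKBs = @()
        }
    }

    # Get-HotFix lists installed updates by KB id; a later cumulative update may
    # supersede the listed KB, so the build comparison is the authoritative check.
    $installed = (Get-HotFix).HotFixID
    $missing   = @($entry.KBs | Where-Object { $installed -notcontains $_ })
    $status    = if ($ubr -ge $entry.Ubr) { 'Patched' } else { 'Vulnerable' }

    [pscustomobject]@{
        Product    = $entry.Product
        Build      = "$baseBuild.$ubr"
        FixedBuild = "$($entry.BaseBuild).$($entry.Ubr)"
        Status     = $status
        MissingKBs = $missing
    }
}

Get-Cve202621533PatchState | Format-List
```

A host reporting `Status = Patched` with the listed KB absent from `Get-HotFix` is normal once a newer cumulative update has replaced it; a host reporting `Vulnerable` needs the update regardless of what `Get-HotFix` shows. Versions the article lists only by name (Windows Server 2012, Windows 10 21H2/1607/1809, Windows 11 25H2/26H1) have no build number on the page and therefore come back as `NotInTable`.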
Mitigation Steps
- Disable RDS where it is not needed; otherwise restrict it to trusted networks.
- Enforce least privilege and monitor registry modifications to RDS service configuration keys.
- Use EDR to detect abnormal privilege escalation.
- Test patches in a staging environment first, since RDS is sensitive to updates.
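As an added example of the monitoring the second and third steps call for (this is editor-supplied code, not the article's or CrowdStrike's), the script below pulls the two event types that the article's description of the exploit maps to: Security event 4732 (a member added to a local group) filtered to the Administrators group, and Sysmon event 13 (registry value set) on a service's `ImagePath`. The article does not name the registry key the exploit changes, so the `Services\*\ImagePath` pattern is an assumption that covers service configuration keys in general. It assumes Windows PowerShell 5.1 or later, administrator rights, and Sysmon installed with registry value-set logging enabled.

```powershell
# Added example (not from the article): review recent events matching the
# behaviour the article describes, for triage after a suspected exploit.
# Assumes Windows PowerShell 5.1+, administrator rights, and Sysmon with
# Event ID 13 (RegistryEvent: value set) enabled. The article does not name the
# modified key; Services\*\ImagePath is an assumption for service configuration.

$Since = (Get-Date).AddHours(-24)
$AdministratorsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

# Turn an EventRecord's <EventData> into a hashtable keyed by each Data Name.
function ConvertTo-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# Security 4732: a member was added to a security-enabled local group.
# Only additions to Administrators are reported here.
function Get-AdminGroupAdditions {
    param([datetime]$StartTime)
    $filter = @{ LogName = 'Security'; Id = 4732; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventDataMap $_
        if ($d['TargetSid'] -eq $AdministratorsSid) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                MemberSid = $d['MemberSid']
                Group     = $d['TargetUserName']
            }
        }
    }
}

# Sysmon 13 on a service's ImagePath: the binary the Service Control Manager
# will launch for that service, typically as SYSTEM.
function Get-ServiceImagePathChanges {
    param([datetime]$StartTime)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventDataMap $_
        if ($d['TargetObject'] -like 'HKLM\System\CurrentControlSet\Services\*\ImagePath') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Process  = $d['Image']
                User     = $d['User']
                Key      = $d['TargetObject']
                NewValue = $d['Details']
            }
        }
    }
}

$adds    = @(Get-AdminGroupAdditions -StartTime $Since)
$changes = @(Get-ServiceImagePathChanges -StartTime $Since)

"Administrators group additions in the last 24h: $($adds.Count)"
$adds | Format-Table -AutoSize
"Service ImagePath changes in the last 24h: $($changes.Count)"
$changes | Format-Table -AutoSize
```

Without Sysmon, the same registry visibility can come from Security event 4657 (a registry value was modified) once object-access auditing and a SACL on the Services key are configured; the filter logic stays the same, only the log name, event id and field names change. Either way, legitimate service installs and patching also write `ImagePath`, so the useful signal is an `ImagePath` change whose `Process` is not a known installer or servicing component, close in time to an Administrators group addition.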
This zero-day highlights the continuing risk in legacy Windows deployments; the same Patch Tuesday addressed 55 vulnerabilities, including five other actively exploited flaws. Organizations should prioritize hardening RDS to prevent post-breach privilege escalation.