Microsoft has released a critical security update addressing CVE-2026-21536, a severe vulnerability affecting multiple Windows products with CVSS score of 9.8.
Microsoft has issued an emergency security update to address CVE-2026-21536, a critical vulnerability affecting multiple Windows operating systems and Microsoft products. The vulnerability, which has been assigned a CVSS score of 9.8 out of 10, allows for remote code execution without authentication, making it particularly dangerous for unpatched systems.
The vulnerability affects Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022. Microsoft has confirmed that the flaw exists in the Windows Remote Desktop Services component, which could allow an unauthenticated attacker to execute arbitrary code on vulnerable systems.
According to Microsoft's security advisory, the vulnerability could be exploited by sending specially crafted requests to the Remote Desktop Gateway service. Successful exploitation would grant attackers the ability to install programs, view, change, or delete data, or create new accounts with full user rights.
Microsoft has released security updates for all affected products through Windows Update and the Microsoft Update Catalog. The company strongly recommends that all customers apply these updates immediately to protect their systems from potential exploitation.
For organizations that cannot immediately apply the patches, Microsoft has provided temporary mitigation steps, including blocking TCP port 3389 on firewalls and disabling Remote Desktop Services if not required. However, these workarounds may impact legitimate business operations that depend on remote desktop functionality.
The vulnerability was discovered by security researchers at a third-party firm who reported it through Microsoft's coordinated vulnerability disclosure program. Microsoft has credited the researchers in its security bulletin and acknowledged their responsible disclosure.
This security update is part of Microsoft's monthly Patch Tuesday release cycle, though the company expedited the release due to the severity of the vulnerability. Organizations are advised to test updates in non-production environments before broad deployment, though the critical nature of this vulnerability may warrant immediate action.
Microsoft has not observed any active exploitation of this vulnerability in the wild, but given the severity and the potential impact, the company is treating this as a high-priority security issue. Customers can verify their protection status through Windows Update or by checking the installed security update version against Microsoft's security bulletin details.
Additional technical details, including affected software versions and specific mitigation guidance, are available in Microsoft's security advisory CVE-2026-21536.
Comments
Please log in or register to join the discussion