
Microsoft Releases Critical Security Update for CVE-2026-21710

Vulnerabilities Reporter

Microsoft has issued an emergency security update to address CVE-2026-21710, a critical vulnerability affecting multiple Windows versions. The flaw allows remote code execution without authentication.

Microsoft has released a critical security update to address CVE-2026-21710, a severe vulnerability in Windows operating systems that could allow attackers to execute arbitrary code remotely without requiring authentication.

The vulnerability affects Windows 10 version 1809 and later, Windows Server 2019 and 2022, and Windows 11. Microsoft rates the severity as "Critical" with a CVSS score of 9.8 out of 10.

Technical Details

The flaw exists in the Windows Remote Desktop Services component, specifically in how it handles certain authentication packets. An unauthenticated attacker could exploit this vulnerability by sending specially crafted packets to a targeted system, potentially gaining complete control over the affected machine.

Successful exploitation could allow an attacker to install programs; view, change, or delete data; or create new accounts with full user rights. The vulnerability is particularly dangerous because it requires no user interaction and can be exploited over the network.

Affected Products

  • Windows 10 version 1809 through 22H2
  • Windows 11 version 21H2 and 22H2
  • Windows Server 2019 and 2022
  • Windows Server version 1809 through 22H2

Mitigation Steps

Microsoft recommends immediate action:

  1. Apply the security update immediately through Windows Update
  2. Enable automatic updates if not already configured
  3. For systems where immediate patching isn't possible, disable Remote Desktop Services temporarily
  4. Review network access controls to limit exposure

Timeline

Microsoft became aware of the vulnerability on March 15, 2026, through coordinated disclosure from a security researcher. The company developed a patch within 72 hours and began rolling out the update on March 18, 2026.

The update is available through Windows Update and the Microsoft Update Catalog. Enterprise customers can also obtain the patches through WSUS and SCCM.

Additional Guidance

Organizations should prioritize patching systems that are exposed to the internet or have Remote Desktop Services enabled. Microsoft recommends conducting post-patch verification to ensure successful deployment across all affected systems.
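
One way to carry out mitigation step 3 and the post-patch verification on a single host, as an added PowerShell example that is not from Microsoft or the original article. The KB identifier is a placeholder because the article does not give one, and the `-DisableRdp` switch and `Get-RdpExposure` function are names chosen for this example.

```powershell
# Added example: audit one host for RDP exposure and patch state (run elevated).
param(
    # PLACEHOLDER: the article gives no KB number; take it from the Security Update Guide.
    [string]$PatchKb = 'KB0000000',
    # Hypothetical switch: apply the temporary mitigation when the patch is missing.
    [switch]$DisableRdp
)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    # fDenyTSConnections = 0 means inbound Remote Desktop connections are accepted.
    $deny    = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    $service = Get-Service -Name TermService
    # Enabled inbound firewall rules in the built-in Remote Desktop group.
    $rules   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                 Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    # With the error suppressed, Get-HotFix returns nothing when the update is absent.
    $patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Patched        = $patched
        RdpAllowed     = ($deny -eq 0)
        ServiceStatus  = $service.Status
        InboundFwRules = $rules.Count
        NeedsAction    = (-not $patched) -and ($deny -eq 0)
    }
}

$state = Get-RdpExposure
$state | Format-List

if ($state.NeedsAction -and $DisableRdp) {
    # Temporary mitigation: refuse new RDP connections and close the firewall rules.
    # Revert after patching with -Value 0 and Enable-NetFirewallRule.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Warning "RDP disabled on $($env:COMPUTERNAME) until $PatchKb is installed."
    Get-RdpExposure | Format-List
}
```

The firewall display group name is localized, so `'Remote Desktop'` matches only on English-language systems. `Get-HotFix` does not report every kind of update, so confirm a "not patched" result against the update history or the OS build number before acting on it.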

For detailed technical information, including patch deployment guides and security advisories, visit the Microsoft Security Update Guide.
