Microsoft has issued a critical security update addressing CVE-2026-21713, a severe vulnerability affecting multiple Windows versions. Users must apply patches immediately to prevent potential exploitation.
Microsoft has released an emergency security update to address CVE-2026-21713, a critical vulnerability rated 9.8/10 on the CVSS scale. The flaw affects Windows 10, Windows 11, and Windows Server 2019/2022 systems running specific versions of Microsoft's Remote Desktop Services.
The vulnerability allows remote code execution without authentication, meaning attackers can compromise systems without needing valid credentials. Microsoft reports the flaw is being actively exploited in the wild, with initial reports indicating targeted attacks against enterprise environments.
Affected Products and Versions
- Windows 10 versions 1809 through 22H2
- Windows 11 versions 21H2 and 22H2
- Windows Server 2019 (all versions)
- Windows Server 2022 (all versions)
Systems running Windows 10 version 1507, 1511, and Windows 8.1 are not affected. Microsoft has also confirmed that Windows Server 2016 remains unaffected by this specific vulnerability.
Technical Details
The vulnerability exists in the Remote Desktop Gateway component, where improper input validation allows specially crafted packets to trigger buffer overflow conditions. Successful exploitation grants attackers SYSTEM-level privileges, enabling complete control over affected systems.
Microsoft's advisory notes that the attack requires no user interaction beyond the initial network connection. Attackers can deploy malware, steal credentials, or pivot to other systems within the network once access is obtained.
Mitigation Steps
- Immediate Action: Apply the security update through Windows Update or download directly from Microsoft's Catalog
- Temporary Workaround: Disable Remote Desktop Gateway services if not required for business operations
- Network Protection: Implement network segmentation to isolate affected systems
- Monitoring: Enable enhanced logging for Remote Desktop Services to detect suspicious activity
Update Timeline
- March 11, 2026: Microsoft released security advisory
- March 12, 2026: First public exploitation reports emerged
- March 13, 2026: Emergency patch deployment begins
- March 15, 2026: All supported versions receive updates
Additional Resources
Organizations with large-scale deployments should prioritize testing and deployment, as the critical nature of this vulnerability warrants immediate attention despite potential compatibility concerns with existing infrastructure.
Comments
Please log in or register to join the discussion