Microsoft has issued an emergency security update to address CVE-2026-26124, a critical vulnerability affecting multiple Windows versions that could allow remote code execution.
Microsoft has released a critical security update to address CVE-2026-26124, a high-severity vulnerability that affects multiple versions of the Windows operating system. The vulnerability, which carries a CVSS score of 9.8, could allow remote attackers to execute arbitrary code on affected systems.
The vulnerability exists in the Windows Remote Desktop Services component and can be exploited without authentication. An attacker could leverage this flaw to gain complete control over an affected system, potentially leading to data theft, system compromise, or lateral movement within corporate networks.
Affected Products
According to Microsoft's Security Update Guide, the following products are affected:
- Windows 10 (all versions)
- Windows 11 (all versions)
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025 (Preview)
Severity and Risk
The vulnerability is classified as "Critical" by Microsoft due to the potential for remote code execution without requiring user interaction. Organizations with exposed Remote Desktop Services endpoints are particularly at risk.
Mitigation Steps
Microsoft recommends the following immediate actions:
- Apply the security update immediately - The update is available through Windows Update and Microsoft Update Catalog
- Block TCP port 3389 at network boundaries if Remote Desktop Services are not required
- Implement Network Level Authentication (NLA) for Remote Desktop connections
- Monitor for suspicious RDP activity in security logs
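The mitigation list above, turned into a host audit script. This is an added example, not code from Microsoft or from the advisory: it checks for the update, for Network Level Authentication, for firewall exposure of TCP/3389, and for failed RDP logons in the Security log. The KB number is a placeholder because the advisory does not give one; the registry value, cmdlets and event field positions are standard Windows ones.

```powershell
# Added example (not Microsoft's code). Run from an elevated PowerShell session.
# $KbId is a placeholder: the advisory does not name the KB article, so take it
# from the MSRC entry for CVE-2026-26124 before running.
[CmdletBinding()]
param(
    [string]$KbId = 'KBxxxxxxx',   # placeholder, replace with the real KB id
    [switch]$Remediate             # also enforce NLA and add a block rule for 3389
)

$findings = @()

# 1. Is the fix installed? Get-HotFix reads the list of installed updates.
if (-not (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)) {
    $findings += "Update $KbId not installed"
}

# 2. NLA: UserAuthentication=1 forces authentication before a session is created.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdp -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    $findings += 'NLA disabled (UserAuthentication is not 1)'
    if ($Remediate) { Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 }
}

# 3. Is TCP/3389 reachable? Find enabled inbound Allow rules that open that port.
$allow3389 = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if ($allow3389) {
    $findings += "Inbound TCP/3389 allowed by: $($allow3389.DisplayName -join ', ')"
    if ($Remediate) {
        # A Block rule wins over Allow rules in Windows Firewall.
        New-NetFirewallRule -DisplayName 'Block RDP 3389 (CVE-2026-26124)' `
            -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Block | Out-Null
    }
}

# 4. Monitoring: failed logons (4625) over the last 24h, grouped by source address.
# Properties[10] is LogonType and Properties[19] is IpAddress in event 4625.
# LogonType 10 is RemoteInteractive; with NLA on, RDP failures often land as
# LogonType 3 (network), so widen the filter if the host has NLA enabled.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
        StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -eq 10 } |
    Group-Object { $_.Properties[19].Value } | Sort-Object Count -Descending
foreach ($g in ($failed | Select-Object -First 5)) {
    $findings += "$($g.Count) failed RDP logons from $($g.Name)"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No findings' }
```

Run it without -Remediate first to see what it would change; blocking 3389 on a host you manage only over RDP will lock you out.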
Update Availability
The security update is being released through the following channels:
- Windows Update - Automatic delivery for systems with automatic updates enabled
- Microsoft Update Catalog - Manual download available for enterprise environments
- WSUS - Available for organizations using Windows Server Update Services
The update addresses the vulnerability by implementing additional validation checks in the Remote Desktop Services component.
Timeline
Microsoft released the security advisory on March 11, 2026, with the security update following on March 14, 2026. The company credits the vulnerability discovery to researchers at [redacted] security firm.
Additional Resources
Organizations are strongly encouraged to prioritize the deployment of this security update, particularly for systems exposed to the internet or operating in untrusted network environments.