Microsoft has issued an emergency security update to address CVE-2026-3937, a critical vulnerability affecting Windows systems with CVSS score 9.8.
Microsoft Addresses Critical Windows Vulnerability CVE-2026-3937
Microsoft has released an emergency security update to address CVE-2026-3937, a critical vulnerability affecting Windows operating systems. The vulnerability, which carries a CVSS score of 9.8 out of 10, allows remote code execution without authentication.
Vulnerability Details
The flaw exists in the Windows Remote Desktop Services component, where improper input validation could allow an unauthenticated attacker to execute arbitrary code on affected systems. Attackers could exploit this vulnerability by sending specially crafted requests to the Remote Desktop Gateway service.
Affected Products
According to Microsoft's security advisory, the following products are affected:
- Windows 10 (all versions)
- Windows 11 (all versions)
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
Severity and Risk
With a CVSS v3.1 base score of 9.8 (Critical), this vulnerability poses an extremely high risk to organizations. The attack vector is network-based, and the complexity is low, meaning attackers could exploit it without significant skill or resources.
Mitigation Steps
Microsoft recommends immediate action:
- Apply Updates Immediately: Install the latest security patches through Windows Update
- Enable Automatic Updates: Ensure automatic updates are configured on all systems
- Network Segmentation: Isolate Remote Desktop services from direct internet exposure
- Monitor for Suspicious Activity: Watch for unusual Remote Desktop Gateway connections
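The following read-only triage script is an added example, not part of the article or of Microsoft's advisory; it walks the four mitigation steps above on a single host. It assumes an elevated PowerShell session, the standard RD Gateway service name (TSGateway) and its operational event log channel, and takes the patch release date from the article; it does not assume any KB number, since the article gives none.

```powershell
# Added example (not from the article or Microsoft): host triage for the mitigation steps.
# Assumptions: run elevated; TSGateway is the RD Gateway service; event IDs 302/303 are the
# standard RD Gateway "connected"/"disconnected" events. Patch date is taken from the article.

$PatchReleaseDate = Get-Date '2026-04-14'   # date the emergency update shipped, per the article

# 1. Apply updates: list updates installed on or after the release date.
$recentFixes = Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchReleaseDate } |
    Sort-Object InstalledOn -Descending
if (-not $recentFixes) {
    Write-Warning "No updates installed since $($PatchReleaseDate.ToShortDateString()); run Windows Update."
} else {
    $recentFixes | Format-Table HotFixID, Description, InstalledOn -AutoSize
}

# 2. Automatic updates: the NoAutoUpdate policy value, when set to 1, disables them.
$auPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
    -ErrorAction SilentlyContinue
if ($auPolicy -and $auPolicy.NoAutoUpdate -eq 1) {
    Write-Warning 'Automatic updates are disabled by policy (NoAutoUpdate = 1).'
}

# 3. Exposure: is the RD Gateway service present, and which enabled inbound firewall rules
#    allow its default ports (443/TCP, 3391/UDP)? Review each against the segmentation advice.
$gw = Get-Service -Name TSGateway -ErrorAction SilentlyContinue
if ($gw) {
    "RD Gateway service status: $($gw.Status)"
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Get-NetFirewallPortFilter |
        Where-Object { ($_.Protocol -eq 'TCP' -and $_.LocalPort -contains '443') -or
                       ($_.Protocol -eq 'UDP' -and $_.LocalPort -contains '3391') } |
        Format-Table InstanceID, Protocol, LocalPort -AutoSize
} else {
    'RD Gateway service (TSGateway) is not installed on this host.'
}

# 4. Monitoring: RD Gateway connection events from the last 24 hours.
#    302 = client connected to a resource, 303 = client disconnected.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
    Id        = 302, 303
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap -AutoSize
```

Step 3 only lists candidate rules; whether a rule actually exposes the gateway to the internet depends on the rule's remote address scope and the perimeter in front of the host, which this script does not evaluate.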
Timeline
Microsoft released the security update on April 14, 2026, following responsible disclosure to affected parties. The company coordinated with security researchers who discovered the vulnerability in March 2026.
Additional Resources
- Microsoft Security Advisory CVE-2026-3937
- Windows Update Catalog
- Microsoft Defender Security Updates
Organizations are strongly urged to prioritize patching systems running affected versions of Windows, particularly those with Remote Desktop Services exposed to the internet.