Remote Desktop Spoofing Vulnerability

Plan: Patch
CVSS: 7.1
CVE-2026-26151
Date: Apr 14, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Windows Remote Desktop contains insufficient UI warning of dangerous operations, allowing an attacker to perform spoofing attacks over a network. An attacker could trick a user into connecting to a fraudulent Remote Desktop server without proper warning, potentially capturing credentials or gaining access to the user's workstation. The vulnerability affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), Windows Server 2016, 2019, 2022, 2025 across 32-bit, x64, and ARM64 architectures.

What this means
What could happen
An attacker could trick a user into connecting to a fake Remote Desktop Server by spoofing the connection warning, potentially capturing credentials or deploying malware on their workstation. This is a social engineering risk, not a direct threat to plant systems, but could compromise user devices used to manage or access OT systems.
Who's at risk
Windows workstations and servers used by OT engineers, operators, and system administrators for remote management of industrial control systems, SCADA platforms, and PLC networks. This includes Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and 2025 systems in both standard and Server Core installations. Any IT staff using Remote Desktop to access engineering workstations or operator consoles are at risk.
How it could be exploited
An attacker sets up a rogue Remote Desktop server on a network reachable by the target user. When the user attempts to connect to what they believe is a legitimate server, the attacker exploits insufficient UI warnings to hide the spoofing indication, making the fake server appear legitimate. The user enters credentials into the fake server, which are captured by the attacker.
Prerequisites
  • User must initiate a Remote Desktop connection to an attacker-controlled or network-compromised server
  • User must not notice, or must be unable to see, the spoofing warning because the UI warning is insufficient
  • Attacker must be on a network path or have positioned a rogue RDP server where the user might connect
Tags: remotely exploitable; low complexity; user interaction required; affects workstations used to manage OT systems
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (27)
27 with fix

Product                                         | Affected Versions | Fix Status
Windows 11 Version 26H1 for ARM64-based Systems | All versions      | Build 10.0.28000.1836
Windows 11 Version 26H1 for x64-based Systems   | All versions      | Build 10.0.28000.1836
Windows 10 Version 1809 for 32-bit Systems      | All versions      | Build 10.0.17763.8644
Windows 10 Version 1809 for x64-based Systems   | All versions      | Build 10.0.17763.8644
Windows Server 2019                             | All versions      | Build 10.0.17763.8644
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Windows Server 2016
HOTFIX: Apply the April 2026 Microsoft security update to all Windows systems (Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and 2025) used to manage or access OT infrastructure
All products
HARDENING: Implement Network Level Authentication (NLA) on all Remote Desktop configurations to require authentication before the UI is displayed
Long-term hardening
HARDENING: Educate users who manage OT systems about Remote Desktop spoofing risks and the importance of verifying server certificates and connection warnings before entering credentials
HARDENING: Disable Remote Desktop on systems that do not require it for OT management, or restrict RDP access to authorized management networks only via firewall rules
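An added local audit script (example code written for this page, not part of the advisory or of Microsoft's guidance) that checks the remediation items above on one Windows host: patch level against the two fixed builds listed in the affected-products table, server-side NLA and TLS, the client-side server-authentication policy, and inbound RDP exposure. It assumes an elevated PowerShell session on the host being checked, and that `AuthenticationLevelOverride` is the value written by the "Configure server authentication for client" Group Policy.

```powershell
# Added example, not from the advisory: audit one Windows host against the
# remediation items for CVE-2026-26151. Run in an elevated PowerShell session.
# Assumption: the fixed-build map holds only the two builds listed in this
# advisory excerpt; other builds are reported as "not in map" rather than guessed.
$FixedUbr = @{ '17763' = 8644; '28000' = 1836 }

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Patch level: CurrentBuildNumber.UBR versus the fixed build from the table.
$ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = $ver.CurrentBuildNumber
$ubr   = [int]$ver.UBR
if ($FixedUbr.ContainsKey($build)) {
    if ($ubr -lt $FixedUbr[$build]) {
        $findings.Add("PATCH: 10.0.$build.$ubr is below fixed build 10.0.$build.$($FixedUbr[$build])")
    }
} else {
    $findings.Add("PATCH: 10.0.$build.$ubr is not in this excerpt's fixed-build map; check the full product list")
}

# 2. Server side, only if RDP is enabled (fDenyTSConnections=0): NLA required
#    (UserAuthentication=1) and TLS security layer (SecurityLayer=2) so clients
#    can verify the server identity; then check inbound RDP firewall exposure.
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"
if ((Get-RegValue $ts 'fDenyTSConnections') -ne 1) {
    if ((Get-RegValue $rdpTcp 'UserAuthentication') -ne 1) { $findings.Add('NLA: UserAuthentication is not 1; NLA not enforced') }
    if ((Get-RegValue $rdpTcp 'SecurityLayer')      -ne 2) { $findings.Add('TLS: SecurityLayer is not 2 (TLS)') }
    # Enabled inbound rules in the built-in "Remote Desktop" group: confirm they are scoped to management networks.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue)
    if ($rules.Count -gt 0) { $findings.Add("EXPOSURE: $($rules.Count) inbound RDP rule(s) enabled; verify remote-address scoping") }
}

# 3. Client side: policy value 2 means the client refuses to connect when the server
#    cannot be authenticated, instead of showing a warning the user can click through.
$client = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'
if ((Get-RegValue $client 'AuthenticationLevelOverride') -ne 2) {
    $findings.Add('CLIENT: AuthenticationLevelOverride is not 2; users can connect past a server-authentication warning')
}

if ($findings.Count -eq 0) { 'OK: no findings' } else { $findings }
```

Each finding maps to one remediation line above (patch, NLA, restrict or disable RDP, user-facing warnings), so the output can be used as a per-host checklist during the maintenance window.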
