Remote Desktop Licensing Service Elevation of Privilege Vulnerability

Plan Patch | CVSS 7.8 | CVE-2026-26159 | Apr 14, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A missing authentication check in the Windows Remote Desktop Licensing Service allows a local user with valid credentials to escalate privileges to SYSTEM level. The vulnerability exists in Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), Windows Server 2016, 2019, 2022, 2025, and Server Core installations of these products. Exploitation is assessed as less likely and requires the attacker to already have local access or be able to authenticate to the system.

What this means
What could happen
An attacker with a local user account on a Windows Server or Windows 10/11 machine can exploit a missing authentication check in the Remote Desktop Licensing Service to gain system administrator privileges, allowing them to control the entire server and any connected systems.
Who's at risk
Windows Servers (2016, 2019, 2022, 2025) and Windows client machines (10 and 11) running Remote Desktop Licensing Service are affected. This impacts organizations using Remote Desktop for system administration or terminal services access, including utilities managing SCADA workstations or engineering stations remotely. Any Server Core installations using RDP are also at risk.
How it could be exploited
An attacker with local access and a valid user account on the Windows machine exploits a missing authentication check in the Remote Desktop Licensing Service component to bypass privilege checks and execute commands as SYSTEM. The attack does not require special network access—only the ability to log in locally or through Remote Desktop.
Prerequisites
  • Valid local user account or Remote Desktop access to the Windows system
  • Local code execution capability or interactive logon session
  • Remote Desktop Licensing Service running (default on most Windows Server installations)
  • Low complexity attack
  • Requires valid local credentials
  • Affects widely deployed Windows systems
  • Privilege escalation to SYSTEM level
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (27)
27 with fix
Product | Affected Versions | Fix Status
Windows 10 Version 1809 for 32-bit Systems | All versions | Build 10.0.17763.8644
Windows 10 Version 1809 for x64-based Systems | All versions | Build 10.0.17763.8644
Windows Server 2019 | All versions | Build 10.0.17763.8644
Windows Server 2019 (Server Core installation) | All versions | Build 10.0.17763.8644
Windows Server 2022 | All versions | Build 10.0.20348.5020
Remediation & Mitigation
Do now
HARDENING: Restrict local logon and Remote Desktop access to trusted administrative personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Windows Server 2019
HOTFIX: Update Windows Server 2019 to Build 10.0.17763.8644 or later
Windows Server 2022
HOTFIX: Update Windows Server 2022 to Build 10.0.20348.5020 or later
Windows Server 2016
HOTFIX: Update Windows Server 2016 to Build 10.0.14393.9060 or later
Windows Server 2025
HOTFIX: Update Windows Server 2025 to Build 10.0.26100.32690 or later
All products
HOTFIX: Update Windows 10 Version 1809 (32-bit) to Build 10.0.17763.8644 or later
HOTFIX: Update Windows 10 Version 1809 (x64) to Build 10.0.17763.8644 or later
HOTFIX: Update Windows 10 Version 21H2 to Build 10.0.19044.7184 or later
HOTFIX: Update Windows 10 Version 22H2 to Build 10.0.19045.7184 or later
HOTFIX: Update Windows 11 (all versions) to the latest available build for your version
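
Added example (not from Microsoft or from this advisory's publisher): a PowerShell check that compares a host's build revision against the fixed builds listed above and reports whether the Remote Desktop Licensing service is present. The function name Get-RdlPatchStatus is hypothetical. The script assumes the service name TermServLicensing and the CurrentBuildNumber, UBR and InstallationType registry values. Builds for which this page gives no fix number (Windows 11, Windows 10 Version 1607) are reported as NotListed.

```powershell
# Minimum fixed revision (UBR) per build number, taken from the remediation list on this page.
# 14393 and 26100 are listed here for Windows Server only, so client installs on those
# builds are reported as NotListed rather than guessed.
$FixedUbr = @{
    14393 = @{ Ubr = 9060;  ServerOnly = $true  }   # Windows Server 2016
    17763 = @{ Ubr = 8644;  ServerOnly = $false }   # Windows 10 1809 / Windows Server 2019
    19044 = @{ Ubr = 7184;  ServerOnly = $false }   # Windows 10 21H2
    19045 = @{ Ubr = 7184;  ServerOnly = $false }   # Windows 10 22H2
    20348 = @{ Ubr = 5020;  ServerOnly = $true  }   # Windows Server 2022
    26100 = @{ Ubr = 32690; ServerOnly = $true  }   # Windows Server 2025
}

function Get-RdlPatchStatus {
    param([int]$Build, [int]$Ubr, [string]$InstallationType)
    $entry = $FixedUbr[$Build]
    # No threshold on this page for this build/edition: do not claim a result.
    if (-not $entry -or ($entry.ServerOnly -and $InstallationType -eq 'Client')) {
        return 'NotListed'
    }
    if ($Ubr -ge $entry.Ubr) { 'Patched' } else { 'NeedsUpdate' }
}

# Read the running OS build (10.0.<build>.<UBR>) and edition from the registry.
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
# The advisory lists a running RD Licensing service as a prerequisite; record its state.
$svc = Get-Service -Name 'TermServLicensing' -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    Build              = "10.0.$($cv.CurrentBuildNumber).$($cv.UBR)"
    InstallationType   = $cv.InstallationType
    PatchStatus        = Get-RdlPatchStatus -Build ([int]$cv.CurrentBuildNumber) `
                             -Ubr ([int]$cv.UBR) -InstallationType $cv.InstallationType
    RdLicensingService = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
}
```

Hosts that report NeedsUpdate with the service Running are the ones to schedule first; NotListed hosts need the fix build confirmed from the vendor's update guide.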
API: /api/v1/advisories/1f5ba123-432e-4ad4-9711-efc6702c3671


Remote Desktop Licensing Service Elevation of Privilege Vulnerability | CVSS 7.8 - OTPulse