Remote Desktop Licensing Service Elevation of Privilege Vulnerability

Action: Plan Patch
CVSS: 7.8
CVE: CVE-2026-26160
Date: Apr 14, 2026
Vendor: Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
  • Attack Vector: Local
  • Auth Required: Low
  • Complexity: Low
  • User Interaction: None needed
Summary

The Windows Remote Desktop Licensing Service contains a missing authentication check that allows an authorized local user to escalate to system-level privileges. An attacker with a standard user account can invoke critical functions in the service without proper authentication, gaining the ability to execute arbitrary code with SYSTEM permissions. This affects Windows 10 (all versions), Windows 11 (all versions), Windows Server 2016, 2019, 2022, and 2025.

What this means
What could happen
A user with standard access on a Windows server can run commands with system-level permissions through a flaw in the Remote Desktop Licensing Service, allowing them to take control of the server and potentially disrupt plant operations.
Who's at risk
Windows server operators and IT staff managing environments with Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and 2025 systems. Critical for organizations running SCADA HMIs, data historians, or engineering workstations on Windows Server platforms where standard users have local access.
How it could be exploited
An attacker with a standard user account on an affected Windows machine sends a specially crafted request to the Remote Desktop Licensing Service. Because the service does not authenticate the caller for that function, it carries out the request with its own SYSTEM privileges, taking the attacker from a standard user to SYSTEM (beyond local administrator).
Prerequisites
  • Local user account on the affected Windows system
  • Remote Desktop Licensing Service must be running
Tags: local privilege escalation; no authentication required for critical function; low complexity attack; affects Windows servers commonly used in OT networks
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (27)
27 with fix
Product                                          | Affected Versions | Fix Status
Windows 11 Version 26H1 for ARM64-based Systems  | All versions      | Build 10.0.28000.1836
Windows 11 Version 26H1 for x64-based Systems    | All versions      | Build 10.0.28000.1836
Windows 10 Version 1809 for 32-bit Systems       | All versions      | Build 10.0.17763.8644
Windows 10 Version 1809 for x64-based Systems    | All versions      | Build 10.0.17763.8644
Windows Server 2019                              | All versions      | Build 10.0.17763.8644
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Windows Server 2022
HOTFIX: Install the Microsoft April 2026 security update for your Windows version (Build 10.0.28000.1836 for Windows 11 26H1, Build 10.0.20348.5020 for Windows Server 2022, Build 10.0.17763.8644 for Windows 10 1809 and Windows Server 2019, or the equivalent for your OS). Verify the installed build after the reboot rather than trusting the update history alone.
Long-term hardening
HARDENING: Restrict local user account creation and local logon to personnel with a documented business need; every additional local account on an affected host is a starting point for this escalation.
HARDENING: Inventory where the Remote Desktop Licensing service is installed and running, disable it on hosts that are not RD license servers (the flaw requires the service to be running), and alert on service start/stop and on new local accounts on the hosts that must keep it.
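The prerequisites listed above (a local account plus a running Remote Desktop Licensing service) and the hotfix and hardening items translate directly into a per-host check. The following PowerShell is an added example and is not code from the advisory or from Microsoft. It assumes that the service name behind the "Remote Desktop Licensing" display name is TermServLicensing, and it takes the fixed build numbers from the product table and hotfix entry on this page; hosts on other releases are reported as unknown rather than guessed. Run it elevated on each in-scope host.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory or from Microsoft): host check for CVE-2026-26160.
# Assumptions not stated on the page: the service name is TermServLicensing, and an
# installed update is detected by comparing the host's build/UBR to the fixed builds
# the advisory lists.

$ServiceName = 'TermServLicensing'   # assumption: service name of "Remote Desktop Licensing"

# Fixed builds from the advisory's product table and hotfix entry:
# CurrentBuild -> minimum UBR (the number after the last dot) that carries the fix.
$FixedBuilds = @{
    '17763' = 8644   # Windows 10 1809 / Windows Server 2019 -> 10.0.17763.8644
    '20348' = 5020   # Windows Server 2022                   -> 10.0.20348.5020
    '28000' = 1836   # Windows 11 26H1                       -> 10.0.28000.1836
}

function Get-OsBuild {
    # CurrentBuild plus UBR (Update Build Revision) form the full build, e.g. 17763.8644
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Build = [string]$cv.CurrentBuild; Ubr = [int]$cv.UBR }
}

function Test-AprilUpdateInstalled {
    # $true / $false, or $null when this script has no fixed build for the host's release
    $os = Get-OsBuild
    if (-not $FixedBuilds.ContainsKey($os.Build)) {
        Write-Warning "Build $($os.Build) is not in this script's table; check the advisory's full product list."
        return $null
    }
    return ($os.Ubr -ge $FixedBuilds[$os.Build])
}

function Get-RdLicensingState {
    # 'NotInstalled' when the service does not exist on this host, otherwise Running/Stopped
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }
    return [string]$svc.Status
}

function Disable-RdLicensingService {
    # Removes the "service must be running" prerequisite on hosts that are NOT RD license
    # servers. Do not run this on the license server itself: it stops CAL issuance for
    # the whole RDS deployment.
    if ((Get-RdLicensingState) -eq 'NotInstalled') { return }
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    Set-Service -Name $ServiceName -StartupType Disabled
}

function Get-RdLicensingServiceEvents {
    # Service Control Manager events: 7036 = service state change, 7045 = new service installed
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036, 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Remote Desktop Licensing' } |
        Select-Object TimeCreated, Id, Message
}

function Get-EnabledLocalUsers {
    # Inventory for the "restrict local user accounts" hardening item
    Get-LocalUser | Where-Object Enabled | Select-Object Name, LastLogon, PasswordLastSet
}

# --- report ---
$os = Get-OsBuild
"Host: $env:COMPUTERNAME  Build: $($os.Build).$($os.Ubr)"
"Remote Desktop Licensing service: $(Get-RdLicensingState)"
$patched = Test-AprilUpdateInstalled
if ($patched -eq $true)      { 'April 2026 update: installed' }
elseif ($patched -eq $false) { 'April 2026 update: MISSING - schedule the patch (reboot required)' }
else                         { 'April 2026 update: unknown for this release' }
'Enabled local accounts:'
Get-EnabledLocalUsers | Format-Table -AutoSize
'Service events, last 7 days:'
Get-RdLicensingServiceEvents | Format-Table -AutoSize
# Only on hosts that are not RD license servers:
# Disable-RdLicensingService
```

A host that reports the service as NotInstalled does not meet the advisory's second prerequisite but still needs the update, since the vulnerable component ships with the OS. Feed the build and service-state lines into whatever inventory tracks your maintenance windows so the reboot can be planned per plant cell rather than discovered after the fact.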
