Remote Desktop Client Remote Code Execution Vulnerability

Plan Patch | CVSS 8.8 | CVE-2026-32157 | Apr 14, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A use-after-free vulnerability in the Remote Desktop Client allows an attacker to execute code over a network. An attacker can send a specially crafted RDP message to trigger the flaw. If a user interacts with the RDP client (such as connecting to an attacker-controlled RDP server), the attacker can execute arbitrary code with the user's privileges. The vulnerability affects Remote Desktop Client on all supported Windows 10, Windows 11, and Windows Server 2016–2025 platforms (32-bit, x64, and ARM64 architectures).

What this means
What could happen
An attacker could execute arbitrary code on your Windows workstations or servers through the Remote Desktop Client, potentially taking control of engineering workstations, HMI systems, or historian servers that are exposed to untrusted networks.
Who's at risk
IT and OT operations staff should care about this vulnerability. It affects all supported versions of Windows 10, Windows 11, and Windows Server 2016–2025. Organizations using Windows-based engineering workstations, HMI systems, data historians, or remote administration servers that connect via RDP are at risk, especially if those systems have network visibility from outside your control.
How it could be exploited
An attacker would send a specially crafted Remote Desktop Protocol (RDP) message to the Remote Desktop Client. If user interaction (clicking, opening a file, or connecting to a malicious RDP server) occurs, the client processes the malicious message and the vulnerability in the RDP code is triggered, allowing code execution with the user's privileges.
Prerequisites
  • Network access to a Windows machine running Remote Desktop Client
  • User must interact with the RDP client (e.g., accept a connection to a malicious RDP server or open a file)
  • Target machine must be running a vulnerable version of Windows with RDP enabled
Tags: remotely exploitable, user interaction required, affects engineering workstations and remote administration, high CVSS score (8.8)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (27)
27 with fix
Product | Affected Versions | Fix Status
Windows 11 Version 26H1 for ARM64-based Systems | All versions | Build 10.0.28000.1836
Windows 11 version 26H1 for x64-based Systems | All versions | Build 10.0.28000.1836
Windows 10 Version 1809 for 32-bit Systems | All versions | Build 10.0.17763.8644
Windows 10 Version 1809 for x64-based Systems | All versions | Build 10.0.17763.8644
Windows Server 2019 | All versions | Build 10.0.17763.8644
Remediation & Mitigation
Do now
WORKAROUND: Restrict outbound RDP connections from critical OT systems to approved RDP servers only using firewall rules
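One way to express this workaround with Windows Defender Firewall on the OT host itself, as an added example that is not part of the original advisory. The approved server addresses are constructed placeholders, and the rule names, the IPv4-only scope and the default RDP port 3389 are assumptions.

```powershell
# Added example. Assumptions: approved servers are IPv4 and RDP uses default port 3389;
# IPv6 destinations are not covered by these rules and need separate handling.
# Windows Defender Firewall allows outbound traffic by default and block rules win
# over allow rules, so "approved only" is expressed as a block on every other address.
$ApprovedRdpServers = @('10.20.0.10', '10.20.0.11')   # constructed placeholder addresses

function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                # network order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertTo-Ip ([uint32]$Value) {
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)                # back to network order
    $bytes -join '.'
}

# Returns the IPv4 ranges that are NOT in the allow-list, as "start-end" strings.
function Get-BlockedRange ([string[]]$Allowed) {
    $sorted = $Allowed | ForEach-Object { ConvertTo-UInt32 $_ } | Sort-Object -Unique
    [int64]$next = 0
    foreach ($addr in $sorted) {
        if ($addr -gt $next) { "$(ConvertTo-Ip $next)-$(ConvertTo-Ip ($addr - 1))" }
        $next = [int64]$addr + 1
    }
    if ($next -le [uint32]::MaxValue) { "$(ConvertTo-Ip $next)-255.255.255.255" }
}

$blocked = @(Get-BlockedRange $ApprovedRdpServers)
foreach ($proto in 'TCP', 'UDP') {          # RDP can use UDP 3389 as a transport as well
    New-NetFirewallRule -DisplayName "OT - Block outbound RDP to unapproved hosts ($proto)" `
        -Direction Outbound -Action Block -Protocol $proto -RemotePort 3389 `
        -RemoteAddress $blocked -Profile Any -WhatIf   # drop -WhatIf to apply
}
```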
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Windows Server 2016
HOTFIX: Apply the April 2026 Microsoft security update to all Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and 2025 systems
All products
HOTFIX: Prioritize patching for any Windows machines that host HMI, SCADA, or engineering workstations exposed to untrusted networks
Long-term hardening
HARDENING: Disable RDP on systems that do not require remote access, or restrict RDP listening to internal networks only
API: /api/v1/advisories/94a5550c-caf9-42d4-9e15-16cd25617da2
