Windows Remote Desktop Services Elevation of Privilege Vulnerability
Plan Patch · CVSS 7.8 · CVE-2026-40398 · May 12, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
A heap-based buffer overflow in Windows Remote Desktop Services allows an authorized local user to elevate privileges. An attacker with a valid local account can exploit this to gain full administrative rights on the affected system.
What this means
What could happen
A logged-in user on a Windows machine can exploit this vulnerability to gain full administrative control of the system, potentially allowing them to alter SCADA software, modify control logic, or disable monitoring systems on your OT network.
Who's at risk
Any organization running Windows 10, Windows 11, Windows Server 2016, 2019, 2022, or 2025 in an OT environment. This is particularly concerning if engineering workstations or gateway servers running Windows are connected to your network and used to access PLCs, HMIs, or historians.
How it could be exploited
An attacker who is already logged into a Windows machine (with a local user account) could trigger a heap buffer overflow in Remote Desktop Services to execute code with administrator privileges. This local privilege escalation could then be used to compromise downstream OT systems or to move laterally across your network.
Prerequisites
- Valid local user account on the Windows machine
- Windows Remote Desktop Services enabled and accessible
- Affected Windows OS version installed
- Local privilege escalation
- Low complexity attack
- Requires valid local credentials
- Affects multiple Windows versions across OT-critical platforms
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (27)
27 with fix
Product | Affected Versions | Fix Status
Remediation & Mitigation
Do now
WORKAROUND: If immediate patching is not possible, restrict local login access to Windows systems to authorized personnel only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Apply Microsoft May 2026 security update to all affected Windows systems
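To apply the workaround you first need to know who can log on to each host and whether Remote Desktop Services is enabled there. The script below is an added example, not part of the original advisory or any Microsoft tooling; it assumes Windows PowerShell 5.1 or later, an elevated prompt, and the helper names `Resolve-SidName` and `Get-LogonRight` are hypothetical.

```powershell
# Added example: audit the advisory's prerequisites and workaround on one host.
# Run elevated; secedit /export needs administrator rights.

function Resolve-SidName {
    param([string]$Entry)
    # secedit writes most principals as "*S-1-5-..."; some appear as plain names.
    if (-not $Entry.StartsWith('*S-1-')) { return $Entry }
    $sid = $Entry.TrimStart('*')
    try {
        $nt = [System.Security.Principal.NTAccount]
        [System.Security.Principal.SecurityIdentifier]::new($sid).Translate($nt).Value
    } catch {
        $sid   # orphaned or unresolvable SID: report it as-is
    }
}

function Get-LogonRight {
    param([string[]]$Lines, [string]$Right)
    # A right with no principals assigned is simply absent from the export.
    $line = $Lines | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { Resolve-SidName $_.Trim() }
}

# Prerequisite: Remote Desktop Services enabled and accessible.
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$svc = Get-Service -Name TermService

# Workaround: who is allowed to log on? Export the user-rights assignment.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$lines = Get-Content -Path $cfg
Remove-Item -Path $cfg -Force

[pscustomobject]@{
    Host                  = $env:COMPUTERNAME
    OS                    = (Get-CimInstance Win32_OperatingSystem).Caption
    RdpConnectionsAllowed = ($ts.fDenyTSConnections -eq 0)
    TermServiceStatus     = $svc.Status
    AllowLogOnLocally     = (Get-LogonRight $lines 'SeInteractiveLogonRight') -join '; '
    DenyLogOnLocally      = (Get-LogonRight $lines 'SeDenyInteractiveLogonRight') -join '; '
    AllowLogOnViaRdp      = (Get-LogonRight $lines 'SeRemoteInteractiveLogonRight') -join '; '
    DenyLogOnViaRdp       = (Get-LogonRight $lines 'SeDenyRemoteInteractiveLogonRight') -join '; '
} | Format-List
```

Broad entries such as `BUILTIN\Users` or `Everyone` in the allow rows are the ones to narrow on engineering workstations and gateway servers until the May 2026 update is installed.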
CVEs (1)