Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Plan Patch | CVSS 7.5 | CVE-2026-45639 | Jun 9, 2026
Vendor: Microsoft
IT in OT: Windows Server and Active Directory are widely deployed in OT environments
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

An out-of-bounds read vulnerability in Windows Remote Desktop Protocol (RDP) allows an unauthenticated attacker to read sensitive data from system memory over the network. The vulnerability affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server (2016, 2019, 2022, 2025). An attacker can send a malformed RDP packet to trigger the out-of-bounds read and extract confidential information such as credentials or encryption keys without any authentication. Microsoft has released a fix in the June 2026 security update.

What this means
What could happen
An attacker who can reach your RDP service over the network could read sensitive memory data from your Windows system without any credentials, potentially exposing passwords, encryption keys, or configuration secrets.
Who's at risk
All organizations using Windows 10, Windows 11, or Windows Server (2016 through 2025) with RDP enabled are affected. This includes remote desktop access for engineering workstations, HMI servers, and domain controllers. Utilities with remote administration capabilities or VPN access for operators and engineers are at risk if their Windows systems are not patched.
How it could be exploited
An attacker sends a specially crafted network packet to your RDP service (port 3389). The Windows RDP driver incorrectly reads memory beyond the intended buffer boundaries and returns the data in the RDP response. The attacker repeats this to extract sensitive information from system memory.
Prerequisites
  • Network access to TCP port 3389 (RDP)
  • RDP service enabled on the target Windows system
  • No authentication required to trigger the vulnerability
Tags: remotely exploitable; no authentication required; low complexity; information disclosure can expose operational secrets
Exploitability
Unlikely to be exploited — EPSS score 0.9%
Affected products (26)
26 with fix

Product | Affected Versions | Fix Status
Windows 10 Version 1809 for 32-bit Systems | All versions | Build 10.0.17763.8880
Windows 10 Version 1809 for x64-based Systems | All versions | Build 10.0.17763.8880
Windows Server 2019 | All versions | Build 10.0.17763.8880
Windows Server 2019 (Server Core installation) | All versions | Build 10.0.17763.8880
Windows Server 2022 | All versions | Build 10.0.20348.5256
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict RDP network access (TCP port 3389) to only authorized administrative networks or VPN subnets using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Windows Server 2016
  • HOTFIX: Install the June 2026 Windows security update on all affected systems (Windows 10 Version 1809, 21H2, 22H2; Windows 11 Version 23H2, 24H2, 25H2, 26H1; Windows Server 2016, 2019, 2022, 2025)
Long-term hardening
  • HARDENING: Disable RDP on systems that do not require remote administration
  • HARDENING: Move RDP to a non-standard port and restrict access via a bastion host or jump box if remote access is required
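As an added example (not OTPulse's or Microsoft's own tooling), the following PowerShell script checks the local Windows build against the fixed builds listed in the table above (only 10.0.17763.8880 and 10.0.20348.5256 appear on this page; other builds report Unknown), reports whether Remote Desktop is enabled, and with -Enforce applies the Do-now workaround by scoping the built-in Remote Desktop firewall rules to administrative subnets. The subnet values are placeholders to be replaced with your own admin or VPN ranges.

```powershell
# Added example, not part of the advisory: patch-level check plus the RDP
# firewall-scoping workaround. Run in an elevated PowerShell session.
param(
    [string[]]$AdminSubnets = @('10.10.0.0/24', '192.168.100.0/24'),  # placeholder admin/VPN ranges
    [switch]$Enforce                                                   # apply the firewall scoping
)

# Fixed builds published in the advisory, keyed by OS build number.
# Only builds the advisory table lists are included; others report 'Unknown'.
$FixedUbr = @{
    '17763' = 8880   # Windows 10 1809 / Windows Server 2019 -> 10.0.17763.8880
    '20348' = 5256   # Windows Server 2022                   -> 10.0.20348.5256
}

# CurrentBuild is the major build (e.g. 17763); UBR is the update revision.
$ver       = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build     = [string]$ver.CurrentBuild
$ubr       = [int]$ver.UBR
$installed = "10.0.$build.$ubr"

if ($FixedUbr.ContainsKey($build)) {
    $status = if ($ubr -ge $FixedUbr[$build]) { 'Patched' } else { 'VULNERABLE (below fixed build)' }
} else {
    $status = 'Unknown (build not in advisory table)'
}
Write-Host "Installed build: $installed  Patch status: $status"

# fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
$ts         = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
Write-Host "RDP enabled: $rdpEnabled"

if ($rdpEnabled) {
    # Show the current remote-address scope of the built-in Remote Desktop rules.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Get-NetFirewallAddressFilter |
        Select-Object InstanceID, RemoteAddress | Format-Table -AutoSize

    if ($Enforce) {
        # Workaround from the advisory: limit inbound TCP 3389 to admin/VPN subnets.
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
            Set-NetFirewallRule -RemoteAddress $AdminSubnets -Enabled True
        Write-Host "Remote Desktop rules now scoped to: $($AdminSubnets -join ', ')"
    }
}
```

Without -Enforce the script is read-only, so it can be run across a fleet first to find unpatched hosts with RDP exposed to Any.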
Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | CVSS 7.5 - OTPulse