Remote Desktop Client Remote Code Execution Vulnerability
Plan Patch | CVSS 8.8 | CVE-2026-47653 | Jun 9, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A heap-based buffer overflow in Remote Desktop Client allows an attacker to execute code over a network. The vulnerability is triggered when a client receives a specially crafted Remote Desktop Protocol (RDP) message. Exploitation is assessed as unlikely, but the vendor has released patches for all affected Windows versions.
What this means
What could happen
A remote attacker could trigger a buffer overflow in the Remote Desktop Client to execute code with the privileges of the connected user, potentially gaining control of the workstation or server.
Who's at risk
IT staff and operators managing Windows servers and workstations that use Remote Desktop Client for system administration. This includes Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and 2025 systems. Water utilities and electric utilities relying on these systems for SCADA, HMI, or engineering workstation management are affected if they use RDP for remote access to control systems.
How it could be exploited
An attacker sends a specially crafted Remote Desktop Protocol (RDP) message to a system running a vulnerable Remote Desktop Client. The client parses the malicious message, triggering a heap buffer overflow that allows the attacker to execute arbitrary code in the context of the RDP client process.
Prerequisites
- Network connectivity to the RDP client or RDP server on port 3389 or a custom RDP port
- User must initiate or maintain an RDP connection to a malicious or compromised RDP server
- The receiving system must be running an unpatched version of Windows with the affected Remote Desktop Client component
- remotely exploitable
- no authentication required
- low complexity
- affects administrative systems used to manage OT infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.6%
Affected products (26)
26 with fix
Remediation & Mitigation
Do now
WORKAROUND: Restrict RDP access at the firewall to authorized administrative workstations only; block inbound RDP traffic (port 3389 or custom port) from untrusted networks
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
Windows Server 2019
HOTFIX: Apply the June 2026 security update (or later) for your Windows version:
- Windows 10 1809: Build 10.0.17763.8880
- Windows Server 2019: Build 10.0.17763.8880
- Windows 10 21H2: Build 10.0.19044.7417
- Windows 10 22H2: Build 10.0.19045.7417
- Windows Server 2022: Build 10.0.20348.5256
- Windows 11: all versions per the advisory
- Windows Server 2025: Build 10.0.26100.32995
- Windows 10 1607/Server 2016: Build 10.0.14393.9234
Long-term hardening
HARDENING: Disable RDP on systems that do not require remote access; on Windows Server, disable the Remote Desktop service if not needed for operations
HARDENING: Use network segmentation to isolate RDP traffic; ensure systems running the Remote Desktop Client are on a protected network segment with limited lateral movement paths
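To see which hosts still need the HOTFIX item under Remediation & Mitigation, an asset inventory can be checked against the fixed builds listed there. The following is an added example, not part of the advisory or any vendor tooling; the CSV layout, host names and sample versions are constructed, and the function names are hypothetical.

```python
import csv
import io

# Minimum patched revision per build train, copied from the HOTFIX item above.
FIXED_REVISION = {
    14393: 9234,   # Windows 10 1607 / Server 2016
    17763: 8880,   # Windows 10 1809 / Server 2019
    19044: 7417,   # Windows 10 21H2
    19045: 7417,   # Windows 10 22H2
    20348: 5256,   # Windows Server 2022
    26100: 32995,  # Windows Server 2025
}

def classify(caption, version):
    """Return 'patched', 'needs-update' or 'check-advisory' for one host."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return "check-advisory"          # malformed or truncated version string
    build, revision = int(parts[2]), int(parts[3])
    # The page gives no build numbers for Windows 11, so never guess for it,
    # even when it shares a build train with a listed server release.
    if "Windows 11" in caption or build not in FIXED_REVISION:
        return "check-advisory"
    return "patched" if revision >= FIXED_REVISION[build] else "needs-update"

def triage(inventory_csv):
    """Map host name -> status for a CSV with host,caption,version columns."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["caption"], row["version"]) for row in reader}

# Constructed sample inventory (host names and revisions are made up).
SAMPLE = """host,caption,version
ews-01,Microsoft Windows 10 Enterprise LTSC,10.0.17763.8880
hmi-02,Microsoft Windows 10 Pro,10.0.19045.6000
hist-03,Microsoft Windows Server 2022 Standard,10.0.20348.5256
jump-04,Microsoft Windows 11 Enterprise,10.0.26100.32995
dc-05,Microsoft Windows Server 2016 Standard,10.0.14393.9000
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:8} {status}")
```

Hosts reported as check-advisory are those the page gives no build number for, or whose version string could not be parsed; they need to be compared against the vendor advisory by hand.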
CVEs (1)