Remote Desktop Client Remote Code Execution Vulnerability

Status: Plan Patch
CVSS: 7.5
CVE: CVE-2026-47654
Date: Jun 9, 2026
Vendor: Microsoft
Tag: IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

Heap-based buffer overflow in Remote Desktop Client allows an attacker to execute arbitrary code over a network. The vulnerability is triggered when a specially crafted network request is sent to a system running Remote Desktop services. All versions of Windows Server 2016, 2019, 2022, and 2025 are affected.

What this means
What could happen
An attacker could execute arbitrary code on a Windows Server running Remote Desktop services, potentially allowing them to take control of the server and any systems it manages or monitors. This could disrupt operations or compromise critical systems on your network.
Who's at risk
Windows Server administrators managing Windows Server 2016, 2019, 2022, and 2025 systems, particularly those used for remote management of water treatment plants, power generation facilities, or other critical infrastructure control systems. Any server using Remote Desktop for administrative access is at risk.
How it could be exploited
An attacker sends a specially crafted network request to the Remote Desktop service (port 3389). The Remote Desktop Client processes the request, triggering a heap buffer overflow. This overflow allows the attacker to execute arbitrary code with the privileges of the Remote Desktop service.
Prerequisites
  • Network access to port 3389 (Remote Desktop)
  • User interaction: the Remote Desktop Client must process the malicious input (typically requires a user to connect or be actively connected)
  • Remote Desktop service must be enabled on the target server
Tags: remotely exploitable; requires user interaction; high CVSS score (7.5); affects server infrastructure used for OT management
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (8)
8 with fix
Product                                          | Affected Versions | Fix Status
-------------------------------------------------|-------------------|------------------------
Windows Server 2019                              | All versions      | Build 10.0.17763.8880
Windows Server 2019 (Server Core installation)   | All versions      | Build 10.0.17763.8880
Windows Server 2022                              | All versions      | Build 10.0.20348.5256
Windows Server 2022 (Server Core installation)   | All versions      | Build 10.0.20348.5256
Windows Server 2025 (Server Core installation)   | All versions      | Build 10.0.26100.32995
Windows Server 2025                              | All versions      | Build 10.0.26100.32995
Windows Server 2016                              | All versions      | Build 10.0.14393.9234
Windows Server 2016 (Server Core installation)   | All versions      | Build 10.0.14393.9234
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to port 3389 (Remote Desktop) to only authorized management workstations and networks using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Windows Server 2016
HOTFIX: Apply the 2026-Jun security update from Microsoft to all Windows Server 2016, 2019, 2022, and 2025 systems
All products
HARDENING: Disable Remote Desktop service on servers that do not require it for operations or management
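As an added example that is not part of this advisory, the PowerShell below checks a Windows Server host's build against the fixed builds listed above and, when asked, applies the firewall workaround by scoping the built-in Remote Desktop rule group to management networks. The $ManagementSubnets value is a placeholder assumption; replace it with your own ranges.

```powershell
# Added example, not Microsoft's or the advisory's own tooling.
# Run in an elevated PowerShell session on the server being checked.

# Fixed build per OS build number, taken from the advisory's "Affected products" table.
$FixedBuilds = @{
    '14393' = 9234    # Windows Server 2016  -> 10.0.14393.9234
    '17763' = 8880    # Windows Server 2019  -> 10.0.17763.8880
    '20348' = 5256    # Windows Server 2022  -> 10.0.20348.5256
    '26100' = 32995   # Windows Server 2025  -> 10.0.26100.32995
}

function Test-Cve202647654Patched {
    # Reads the OS build (e.g. 20348) and the update build revision (UBR, e.g. 5256)
    # and compares the UBR with the fixed build for that OS line.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    if (-not $FixedBuilds.ContainsKey($build)) {
        Write-Output "Build $build.$ubr is not an OS line listed in the advisory; no verdict."
        return $null
    }
    $patched = $ubr -ge $FixedBuilds[$build]
    if ($patched) {
        Write-Output "Build $build.$ubr is at or above fixed build $build.$($FixedBuilds[$build]): patched."
    } else {
        Write-Warning "Build $build.$ubr is below fixed build $build.$($FixedBuilds[$build]): apply the 2026-Jun update."
    }
    return $patched
}

function Set-RdpManagementScope {
    param([string[]]$ManagementSubnets, [switch]$Apply)
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed on this host.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($ts.fDenyTSConnections -ne 0) {
        Write-Output 'Remote Desktop is disabled on this host; nothing to scope.'
        return
    }
    Write-Warning 'Remote Desktop is enabled on this host.'
    # Advisory workaround: limit inbound TCP 3389 to authorized management networks by
    # restricting the remote addresses on the built-in "Remote Desktop" rule group.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
    if ($Apply) {
        $rules | Set-NetFirewallRule -RemoteAddress $ManagementSubnets
        Write-Output "Scoped $($rules.Count) Remote Desktop rule(s) to: $($ManagementSubnets -join ', ')"
    } else {
        Write-Output "Would scope $($rules.Count) Remote Desktop rule(s); re-run with -Apply to change them."
    }
}

$null = Test-Cve202647654Patched
Set-RdpManagementScope -ManagementSubnets @('10.0.0.0/24')   # placeholder subnet; add -Apply to enforce
```

Hosts that report "below fixed build" still need the hotfix; the firewall scope only narrows who can reach port 3389 until the maintenance window.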