Remote Desktop Client Remote Code Execution Vulnerability
Plan Patch · CVSS 7.5 · CVE-2026-48563 · Jun 9, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary
A heap-based buffer overflow vulnerability in Remote Desktop Client allows an attacker to execute arbitrary code over the network by sending a specially crafted RDP connection. The vulnerability affects Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), Windows Server 2019, 2022, and 2025 across multiple architectures. Exploitation requires network access to RDP and may require user interaction to process the malicious connection.
What this means
What could happen
An attacker could execute arbitrary code on a Windows system running Remote Desktop Client by sending a specially crafted RDP connection, potentially compromising any workstation or server that accepts RDP connections.
Who's at risk
IT staff and industrial organizations using Windows 10, Windows 11, or Windows Server 2019/2022/2025 systems with Remote Desktop Client enabled. This affects engineering workstations, administrative consoles, and any remote access servers used to manage plant networks or control systems infrastructure.
How it could be exploited
An attacker sends a malicious RDP connection packet to a Windows system with Remote Desktop Client enabled. The heap buffer overflow in the RDP client code is triggered during connection negotiation, allowing the attacker to overwrite memory and execute arbitrary code with the privileges of the RDP client process.
Prerequisites
- Network access to RDP port (typically 3389) on the target system
- Remote Desktop Client service must be enabled or the user must initiate an RDP connection to an attacker-controlled server
- User interaction may be required to accept or process the malicious connection
remotely exploitable, network access required, user interaction may be required, affects remote access infrastructure used in OT environments
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (22)
22 with fix
Remediation & Mitigation
Do now
WORKAROUND: Restrict RDP access through firewall rules to limit inbound connections on port 3389 to trusted management networks only
HARDENING: Disable Remote Desktop on systems that do not require it
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Windows Server 2019
HOTFIX: Update Windows Server 2019 and Server Core to Build 10.0.17763.8880 or later
Windows Server 2022
HOTFIX: Update Windows Server 2022 and Server Core to Build 10.0.20348.5256 or later
Windows Server 2025
HOTFIX: Update Windows Server 2025 and Server Core to Build 10.0.26100.32995 or later
All products
HOTFIX: Update Windows 10 Version 1809 (32-bit and x64) to Build 10.0.17763.8880 or later
HOTFIX: Update Windows 10 Version 21H2 (all architectures) to Build 10.0.19044.7417 or later
HOTFIX: Update Windows 10 Version 22H2 (all architectures) to Build 10.0.19045.7417 or later
HOTFIX: Update Windows 11 Version 23H2 (all architectures) to Build 10.0.22631.7219 or later
HOTFIX: Update Windows 11 Version 24H2 and 25H2 (all architectures) to their respective June 2026 security updates (Build 10.0.26100 or later)
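A host check built from the remediation list above, as an added example that is not part of the original advisory: it compares the local build with the fixed builds listed here and reports whether Remote Desktop and its inbound firewall rules are enabled. The function name is hypothetical, and the 'Remote Desktop' firewall display group assumes an English-language Windows install.

```powershell
# Added example. Minimum fixed revisions (UBR) per OS build, copied from this advisory.
$FixedUbr = @{
    17763 = 8880   # Windows 10 1809 and Windows Server 2019
    19044 = 7417   # Windows 10 21H2
    19045 = 7417   # Windows 10 22H2
    20348 = 5256   # Windows Server 2022
    22631 = 7219   # Windows 11 23H2
}
$Server2025Ubr = 32995   # 10.0.26100.32995 is listed for Windows Server 2025 only

function Get-AdvisoryPatchState {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Ubr,
        [Parameter(Mandatory)][bool]$IsServer
    )
    if ($FixedUbr.ContainsKey($Build)) {
        if ($Ubr -ge $FixedUbr[$Build]) { return 'Fixed' }
        return 'NeedsUpdate'
    }
    if ($Build -eq 26100 -and $IsServer) {
        if ($Ubr -ge $Server2025Ubr) { return 'Fixed' }
        return 'NeedsUpdate'
    }
    # Windows 11 24H2/25H2/26H1 and unlisted builds: the advisory gives no
    # revision number, so confirm the June 2026 security update by hand.
    return 'CheckManually'
}

$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$os = Get-CimInstance -ClassName Win32_OperatingSystem   # ProductType 1 = workstation

# Enabled inbound rules in the built-in Remote Desktop group (port 3389 exposure).
$rdpRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    Build             = "10.0.$($cv.CurrentBuildNumber).$($cv.UBR)"
    PatchState        = Get-AdvisoryPatchState -Build ([int]$cv.CurrentBuildNumber) `
                            -Ubr ([int]$cv.UBR) -IsServer ($os.ProductType -ne 1)
    RemoteDesktopOn   = ($ts.fDenyTSConnections -eq 0)   # 0 = inbound RDP allowed
    EnabledRdpFwRules = $rdpRules.Count
}
```

A host that reports RemoteDesktopOn as True with enabled firewall rules but has no need for inbound RDP is a candidate for the HARDENING item above, independent of its patch state.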
CVEs (1)