🟡 CVE-2026-21533

Windows Remote Desktop Services privilege escalation vulnerability affecting multiple Windows versions. Allows authorized attackers to elevate privileges locally, potentially leading to full system compromise on RDP-enabled systems. Listed in CISA KEV indicating active exploitation.

โ† Back to Overview
Risk Level: MEDIUM_RISK

CVSS Score: 7.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1133 — External Remote Services

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-02-10

Added to CISA KEV: 2026-02-10 (0 days between CVE and KEV)

🎯 Recommendations:

๐Ÿ” Web Intelligence (Kagi ยท 2026-06-04)

CVE-2026-21533 is a security vulnerability involving improper privilege management within Windows Remote Desktop Services (RDS). It was disclosed and patched by Microsoft in February 2026 [6].

Vulnerability Overview
  • Impact: Successful exploitation allows an authorized, local attacker to escalate their privileges to `SYSTEM` level [4] [2].
  • Attack Method: The vulnerability is a local privilege escalation (LPE) technique. Exploitation involves modifying a service configuration key, replacing it with an attacker-controlled key to achieve elevated execution [5].
  • Requirements: The attacker must already have local access to the system and be an authorized user to initiate the exploit [4]. It is considered a post-initial-access technique often used to move laterally or deepen control after gaining a foothold [3].

Exploitation and Threat Landscape
  • Active Exploitation: While initially identified as a zero-day vulnerability, it has been observed in the wild as part of attack chains, particularly those involving compromised RDP sessions [7] [3].
  • Ransomware and Targeted Attacks: Security reports indicate that the ability to escalate to `SYSTEM` with minimal effort makes this vulnerability highly attractive for ransomware operators and actors conducting internal, targeted attacks to gain full control over compromised machines [2].
  • Exploit Availability: There have been reports of exploit code or techniques being offered for sale in underground forums following its disclosure [3].

Mitigation and Patch Status
  • Patch Status: Microsoft released a security update to address this vulnerability in February 2026. Organizations are advised to apply the relevant MSRC security updates immediately [1].
  • Mitigation: If patching is not immediately possible, security guidance suggests restricting RDP access to trusted networks, implementing network segmentation, or placing RDP services behind a secure gateway to limit the potential for unauthorized local access [1].

Sources

  1. CVE-2026-21533 - Vulnerability Details - OpenCVE

    OpenCVE Recommended Actions: Apply the Microsoft security update released for CVE-2026-21533 as detailed on the MSRC update guide. If patching cannot be performed immediately, restrict Remote Desktop access to trusted networks, consider network segmentation or placing RDP behind a gateway to reduce e…

  2. CVE-2026-21533 - How Windows Remote Desktop's Privilege Flaw Lets ...

    CVE-2026-21533 is a worrying reminder that even after decades, privilege management bugs still surface in complex protocols like Remote Desktop. If a local user can become SYSTEM with minimal effort, it makes ransomware and internal attacks much easier.

  3. THREAT INTELLIGENCE REPORT Windows Remote Desktop ...

    CVE-2026-21533 is a post-initial-access privilege escalation technique. It fits into common attack chains involving RDP exposure. MITRE ATT&CK ...

  4. CVE-2026-21533 Detail - NVD

    Description. Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate privileges locally.

  5. Microsoft patches RDS 0-Day Vulnerability CVE-2026-21533

    Microsoft has patched CVE-2026-21533, a zero-day elevation of privilege vulnerability in Windows Remote Desktop Services (RDS) that attackers ...

  6. February 2026 Patch Tuesday: Updates and Analysis | CrowdStrike

    The CVE-2026-21533 exploit binary modifies a service configuration key, replacing it with an attacker-controlled key, which could enable ...

  7. Windows Remote Desktop Services 0-Day Vulnerability Exposed for ...

    CVE-2026-21533 is a zero-day vulnerability with a CVSS score of 7.8. Exploitation of this flaw allows attackers to escalate privileges without ...