CVE ID: CVE-2026-21533
Published: 2026-02-10
Updated: last month
Vendor: Microsoft
Product: Windows
Version/s: * to 10.0.14393.8868 (end exclusive; per-build ranges are listed in the CPE table below)
KEV status: Active exploitation. Listed in CISA's Known Exploited Vulnerabilities catalogue; active exploitation observed in the wild.
CVSS score (v3.1): 7.8 / 10 (High)

Severity details
Base score: 7.8 High
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Description

CVE-2026-21533 is a high-severity (CVSS 7.8) privilege escalation vulnerability in Windows Remote Desktop currently under active exploitation.

CPE

Microsoft

Product                  Version start  Version end (excl.)  Status
windows_10_1607          *              10.0.14393.8868      vulnerable
windows_10_1809          *              10.0.17763.8389      vulnerable
windows_10_21h2          *              10.0.19044.6937      vulnerable
windows_10_22h2          *              10.0.19045.6937      vulnerable
windows_11_23h2          *              10.0.22631.6649      vulnerable
windows_11_24h2          *              10.0.26100.7781      vulnerable
windows_11_25h2          *              10.0.26200.7781      vulnerable
windows_server_2012      -              -                    vulnerable
windows_server_2012      r2             r2                   vulnerable
windows_server_2016      *              10.0.14393.8868      vulnerable
windows_server_2019      *              10.0.17763.8389      vulnerable
windows_server_2022      *              10.0.20348.4711      vulnerable
windows_server_2022_23h2 *              10.0.25398.2149      vulnerable
windows_server_2025      *              10.0.26100.32313     vulnerable

Related weakness (CWE)

CWE-269

Remediation plan

1. Apply official patches

Immediately deploy the security updates provided by Microsoft in the latest cumulative update cycle to address the improper privilege management in the Remote Desktop service.

2. Update affected systems

Verify that systems are running versions higher than the vulnerable thresholds, such as Windows 11 24H2 (10.0.26100.7781), Windows 10 22H2 (10.0.19045.6937), or Windows Server 2025 (10.0.26100.32313).

3. Restrict access

Enforce the principle of least privilege by limiting RDP access to authorized administrative users only and disabling Remote Desktop Services on workstations where it is not business-essential.

4. Monitor for exploitation

Configure advanced auditing to track privilege escalation events and monitor for suspicious activity originating from the Remote Desktop Services host process (the svchost.exe instance that loads termsrv.dll for TermService).

Detection Guidance

Detection should focus on identifying unusual privilege transitions. Monitor the Windows Security log for Event ID 4672 (Special privileges assigned to new logon) and Event ID 4688 (Process Creation) where the parent process is the Remote Desktop Services host. Use EDR tools to detect anomalous child processes spawned by the svchost.exe instance hosting TermService. Additionally, watch for unauthorized modifications to the Terminal Server registry keys and for unexpected account additions to the 'Remote Desktop Users' or 'Administrators' groups.
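The guidance above, turned into a small triage script as an added example (not code from the advisory or from Microsoft). It scans event records normalised the way a SIEM or EDR would present them and flags the three signals named above; the field names, the sample records, the known-admin list and the TermService command-line pattern are assumptions for the example.

```python
"""Triage helper for the CVE-2026-21533 detection guidance (added example, not vendor code).

It scans normalised Windows event records and returns findings for:
  * 4688 process creations whose parent is the svchost.exe instance hosting TermService,
  * 4672 special-privilege logons for accounts outside a known-privileged list,
  * 4732 additions to the 'Remote Desktop Users' or 'Administrators' local groups.
Field names and the sample events below are constructed for this example."""

import re

# Assumed baselines: replace with values from your own environment.
KNOWN_PRIVILEGED = {"corp\\svc-backup", "corp\\it-admin"}
SENSITIVE_GROUPS = {"remote desktop users", "administrators"}
# Matches the service host command line for TermService (newer "-s TermService" and
# older "-k termsvcs" forms); treat the exact pattern as an assumption to verify locally.
TERMSERVICE_RE = re.compile(r"svchost\.exe.*(?:-s\s+TermService|-k\s+termsvcs)", re.IGNORECASE)
# Children the TermService host is known to start in your environment; empty means flag all.
EXPECTED_TERMSERVICE_CHILDREN = set()


def triage(events):
    """Return a list of (rule, detail) findings for the given event records, in input order."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        user = ev.get("user", "")
        if eid == 4688 and TERMSERVICE_RE.search(ev.get("parent_command_line", "")):
            child = ev.get("new_process", "").rsplit("\\", 1)[-1].lower()
            if child not in EXPECTED_TERMSERVICE_CHILDREN:
                findings.append(("termservice_child", f"{child} started by TermService host as {user}"))
        elif eid == 4672 and user.lower() not in KNOWN_PRIVILEGED:
            findings.append(("unexpected_special_privileges", user))
        elif eid == 4732 and ev.get("group", "").lower() in SENSITIVE_GROUPS:
            findings.append(("sensitive_group_addition",
                             f"{ev.get('member')} added to {ev.get('group')} by {user}"))
    return findings


SAMPLE_EVENTS = [  # constructed records; not real telemetry
    {"event_id": 4672, "user": "CORP\\it-admin"},
    {"event_id": 4672, "user": "CORP\\jdoe"},
    {"event_id": 4688, "user": "NT AUTHORITY\\NETWORK SERVICE",
     "parent_command_line": "C:\\Windows\\System32\\svchost.exe -k NetworkService -s TermService",
     "new_process": "C:\\Windows\\System32\\cmd.exe"},
    {"event_id": 4688, "user": "CORP\\jdoe",
     "parent_command_line": "C:\\Windows\\explorer.exe",
     "new_process": "C:\\Windows\\System32\\notepad.exe"},
    {"event_id": 4732, "user": "CORP\\jdoe", "group": "Remote Desktop Users", "member": "CORP\\jdoe"},
    {"event_id": 4732, "user": "CORP\\it-admin", "group": "Backup Operators", "member": "CORP\\svc-backup"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Tune KNOWN_PRIVILEGED and EXPECTED_TERMSERVICE_CHILDREN from a known-good baseline before relying on the output; on a busy terminal server an empty allowlist will produce many benign hits.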

References

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)
