CVE-2026-21533: Remote Desktop Services zero-day escalates to SYSTEM on Windows Server

On 10 February 2026, as part of that month’s Patch Tuesday, Microsoft fixed CVE-2026-21533, a privilege-escalation vulnerability in Windows Remote Desktop Services (RDS). It was already under active exploitation when the patch shipped, which makes it a zero-day: attackers were using it in real-world attacks before an official fix existed.

What the vulnerability is

The flaw is classified under CWE-269 (improper privilege management). The root cause is how Windows Remote Desktop Services handles the service configuration stored in the Windows registry. A local, low-privileged attacker can change the registry keys that govern the RDS configuration to add users to the Administrators group and, from there, climb to SYSTEM, the highest level of control over the operating system.

Microsoft assigns this vulnerability a CVSS score of 7.8, rated high severity. The nuance matters. This is not a remote-code-execution flaw that lets someone break into a machine from the internet. It requires the attacker to already have local, low-privileged access to the system. Its value sits in the post-exploitation phase: once inside with a limited account, it lets an attacker seize full control of the server.

Who is affected

The vulnerability affects Windows systems with the Remote Desktop Services role enabled, especially Windows Server environments where RDS handles remote sessions, virtual desktops, or published applications. These servers make tempting targets: they tend to be multi-user, concentrate many sessions, and grant access to plenty of employees, which raises the odds that an attacker first gains a low-privileged foothold.

According to the published information, real-world exploitation was observed against entities in the United States and Canada since at least 24 December 2025, meaning the vulnerability was abused for weeks before a patch existed.

Real-world severity

The CVSS score of 7.8 does not reach the critical range, but in practice it is plenty dangerous for several reasons:

  • Confirmed active exploitation before the patch was published (zero-day).
  • It allows escalation from a limited account to SYSTEM, removing any privilege-isolation barrier.
  • It slots neatly into attack chains: combined with an initial foothold (phishing, stolen credentials, another vulnerability), it turns a minor compromise into full control.

On remote-desktop servers, where low-privileged access is routine by design, this kind of flaw is especially worrying.

Mitigation and patch

The top priority is to apply Microsoft’s February 2026 Patch Tuesday security updates, which correct the faulty RDS behavior when handling the registry configuration. A few more recommendations:

  • Prioritize patching on Windows Server hosts running the RDS role that are exposed or heavily used.
  • Restrict and audit permissions on the RDS configuration registry keys.
  • Apply the principle of least privilege: limit which accounts have interactive local access to the servers.
  • Watch for unexpected additions to the Administrators group and suspicious registry changes.
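As an added example (not from the advisory or from Microsoft), the PowerShell below checks the last three recommendations on a host: it flags any ACE that grants write rights on the RDS configuration key to a principal outside the expected set, and reports local Administrators members that are not on an approved baseline. It assumes the standard `Terminal Server` key is the relevant configuration key (the advisory does not name the exact key) and uses a constructed baseline list you would replace with your own.

```powershell
# Assumed location of the RDS configuration; the advisory does not name the key.
$RdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Principals that legitimately hold write access on RDS configuration keys.
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                    'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

# Any of these rights is enough to alter the configuration under the key.
$WriteMask = [System.Security.AccessControl.RegistryRights]`
    'SetValue,CreateSubKey,WriteKey,ChangePermissions,TakeOwnership,FullControl'

function Test-RdsKeyAcl {
    # Returns allow-ACEs that give write rights to an untrusted principal.
    $acl = Get-Acl -Path $RdsKey
    foreach ($ace in $acl.Access) {
        $canWrite = ($ace.RegistryRights -band $WriteMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $TrustedWriters -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Key       = $RdsKey
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-AdminGroupDrift {
    param([string[]]$Baseline)
    # Returns local Administrators members missing from the approved baseline.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Baseline -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Constructed baseline for illustration; replace with your approved admin list.
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')

$aclFindings = @(Test-RdsKeyAcl)
$drift       = @(Test-AdminGroupDrift -Baseline $ApprovedAdmins)

if ($aclFindings) { Write-Warning "Untrusted write access on RDS key:"; $aclFindings | Format-Table }
if ($drift)       { Write-Warning "Unexpected Administrators members:";  $drift       | Format-Table }
if (-not $aclFindings -and -not $drift) { Write-Output 'No findings.' }
```

Run it elevated, and schedule it or feed the output to your SIEM so a new write ACE or an unexpected administrator shows up as an alert rather than waiting for a manual review.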

To better understand why escalation to SYSTEM is so critical, and how mandatory access control reduces the impact of this class of flaw, take a look at our comparison of security models in SELinux and AppArmor.
