CVE-2026-47654: Critical RDP Use-After-Free Vulnerability in Windows Server
A use-after-free memory vulnerability exists in the Remote Desktop Client component across multiple Windows Server versions. An attacker can exploit this flaw to execute arbitrary code on a target system over the network. The attack requires user interaction—specifically, a user must open a malicious RDP connection or file—but once triggered, an unauthenticated attacker gains the ability to run code with the privileges of the affected user. This is a network-reachable vulnerability with no authentication requirement, making it a material risk for organizations using Remote Desktop services.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416, CWE-787
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47654 is a use-after-free vulnerability (CWE-416) combined with a heap-based buffer overflow (CWE-787) in the Windows Remote Desktop Client. The vulnerability allows memory that has been freed to be referenced and written to, enabling code execution. The attack vector is network-based (AV:N), requires high attack complexity (AC:H), no authentication (PR:N), but does require user interaction (UI:R). The impact spans confidentiality, integrity, and availability, as indicated by the CVSS vector scoring all three at High. The vulnerability affects Windows Server 2016, 2019, 2022, and 2025 editions.
Business impact
Remote Desktop Protocol (RDP) is widely used for system administration and remote access in enterprise environments. A successful exploitation of this vulnerability could allow attackers to gain code execution on critical server infrastructure, potentially leading to lateral movement, data theft, or service disruption. Organizations relying on RDP for secure administration face risk if users are tricked into accepting malicious connections or opening weaponized files. The HIGH severity rating reflects both the breadth of impact and the network accessibility of the attack surface.
Affected systems
Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 are confirmed affected. Any system running the Remote Desktop Client component with these operating systems is potentially vulnerable. This includes both dedicated RDP servers and client machines configured to use RDP for remote administration.
Exploitability
While the vulnerability requires user interaction—a necessary precondition for triggering the code path—the attack is not trivial. An attacker would need to craft a malicious RDP connection, session file, or related resource that, when processed by the affected client, causes the use-after-free condition. The high attack complexity score (AC:H) suggests this is not a simple click-and-exploit scenario, but rather requires specific conditions or user actions that increase the attacker's technical burden. Currently, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation in the wild at the time of publication.
Remediation
Microsoft has released or will release patches addressing this vulnerability across all affected Windows Server versions. Organizations should prioritize applying these updates to systems running Windows Server 2016 through 2025. Patch deployment should be phased based on operational criticality and testing requirements. Additionally, organizations should consider implementing network controls to restrict RDP access to trusted networks or VPN endpoints, and enforce strong authentication mechanisms (multi-factor authentication where possible) on RDP gateways.
Patch guidance
Consult Microsoft's official security advisories and Windows Update for patches specific to your Windows Server version. Patches should be tested in a non-production environment before enterprise deployment. Organizations using Windows Server 2016 should note that it is approaching end-of-support and patches may be limited; prioritization should account for upgrade timelines. Server 2019, 2022, and 2025 will receive full patch support. Deploy patches systematically, beginning with high-risk systems (internet-facing RDP services, administrative servers) and progressing to lower-risk infrastructure.
Detection guidance
Monitor for unusual patterns in RDP connection logs, including failed authentication attempts from unusual sources, session anomalies, or unexpected process execution following RDP sessions. Use endpoint detection and response (EDR) tools to identify heap corruption or memory access violations within the Remote Desktop Client process. Correlation of RDP connection logs with process creation events can help identify exploitation attempts. Note that since user interaction is required, legitimate but suspicious RDP session initiations warrant investigation, particularly if they coincide with user reports of unusual behavior.
Why prioritize this
This vulnerability merits HIGH priority due to its network accessibility, potential for code execution, and the critical nature of Remote Desktop services in enterprise administration. Although it requires user interaction and has not been observed in active exploitation, the confluence of these factors—wide deployment across server environments, ease of weaponization once the user interaction requirement is satisfied, and high impact on confidentiality and integrity—justifies rapid patch deployment. Organizations should weigh this against their own RDP exposure and user risk profiles.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible, unauthenticated code execution vulnerability with moderate attack complexity. The user interaction requirement prevents a critical rating, as does the requirement for specific conditions to be met. However, the ability to achieve confidentiality, integrity, and availability impact—combined with the prevalence of RDP in enterprise networks—justifies the HIGH severity designation. This score appropriately positions the vulnerability as requiring urgent but not emergency-level response.
Frequently asked questions
Does this vulnerability require authentication to exploit?
No. An unauthenticated attacker can craft a malicious RDP connection or file that, when processed by a user, triggers the vulnerability. The attacker does not need valid credentials on the target system.
Is this vulnerability currently being exploited in the wild?
As of the vulnerability's publication date, this CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. However, organizations should not assume indefinite safety; patch deployment should proceed promptly to avoid becoming targets as awareness increases.
Which Windows Server versions are affected, and what about Windows 10 or 11 clients?
The confirmed affected products are Windows Server 2016, 2019, 2022, and 2025. Client versions (Windows 10, 11) may also be affected given they share RDP client code, but the provided data does not enumerate them. Consult Microsoft advisories for complete client coverage.
What is the difference between CWE-416 and CWE-787 in this vulnerability?
CWE-416 (use-after-free) describes the root cause—memory is freed and then referenced. CWE-787 (out-of-bounds write) describes the consequence—the freed memory is written to in an uncontrolled manner, enabling code execution. Together they form a classic memory safety vulnerability chain.
This analysis is provided for informational purposes and is based on publicly disclosed vulnerability data as of the publication date. Patch version numbers, detailed remediation steps, and affected product lists should be verified against official Microsoft security advisories before deployment. SEC.co does not provide exploit code or weaponization guidance. All organizations are responsible for assessing their own risk posture and implementing appropriate security controls. Regulatory or compliance obligations may require additional mitigation measures beyond patching. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42909HIGHMicrosoft Remote Desktop Client Race Condition Remote Code Execution
- CVE-2026-42913HIGHRemote Desktop Client Race Condition Allows Network Code Execution
- CVE-2026-42985HIGHRemote Desktop Client Use-After-Free RCE Vulnerability
- CVE-2026-44801HIGHRemote Desktop Client Use-After-Free Code Execution Vulnerability
- CVE-2026-45461HIGHMicrosoft Office Use-After-Free Remote Code Execution Vulnerability
- CVE-2026-45472HIGHUse-After-Free in Microsoft Office Enables Local Code Execution
- CVE-2026-45474HIGHCritical Use-After-Free in Microsoft Office (CVSS 8.4)
- CVE-2026-47653HIGHRemote Desktop Client Use-After-Free Code Execution Vulnerability