CVE-2026-32157 – Remote Desktop Client Remote Code Execution Vulnerability

This critical vulnerability in the Remote Desktop Client is caused by a use-after-free memory issue that can be exploited when a user connects to a malicious or compromised Remote Desktop server. The flaw allows an attacker to execute arbitrary code on the client machine over the network. Although user interaction is required, the attack leverages trusted workflows, making it highly effective in real-world scenarios.

CVSS Score: 8.8
SEVERITY: Critical
THREAT: Remote Code Execution

EXPLOITS:
No public exploits or proof-of-concept (PoC) code have been reported. The vulnerability is not publicly disclosed and is currently assessed as less likely to be exploited, though it presents strong potential for targeted attacks.

TECHNICAL SUMMARY:
This vulnerability stems from a use-after-free condition (CWE-416) in the Remote Desktop Client. When handling data from a Remote Desktop session, the client improperly references memory that has already been freed. If a user connects to a malicious RDP server controlled by an attacker, the server can send specially crafted data that triggers memory corruption. This can be leveraged to execute arbitrary code on the client system in the context of the logged-in user, potentially leading to full system compromise.

EXPLOITABILITY:
Affects vulnerable versions of the Remote Desktop Client.
Exploitation requires a user to initiate a connection to a malicious or compromised RDP server.

BUSINESS IMPACT:
This vulnerability is particularly dangerous in environments where Remote Desktop is widely used for administration or remote work. Attackers can weaponize trusted remote connections to gain control over endpoints, steal sensitive data, deploy malware, or pivot deeper into corporate networks. Because the attack relies on legitimate workflows, it can bypass traditional security awareness.

WORKAROUND:
Avoid connecting to untrusted or unknown Remote Desktop servers.
Restrict outbound RDP connections where possible and enforce trusted server lists.

URGENCY:
This vulnerability enables high-impact remote code execution through a commonly used enterprise tool. Its reliance on user-initiated connections makes it ideal for targeted attacks and social engineering campaigns. Systems that frequently connect to external or third-party RDP servers face increased exposure, and delaying patching leaves a critical entry point open to attackers.