CVE-2026-47289 – Remote Desktop Client Remote Code Execution Vulnerability

CVSS 8.8 IMPORTANT

“A single Remote Desktop connection to a malicious system could be enough to give an attacker code execution on the user’s device.”

CVE-2026-47289 is a Remote Desktop Client Remote Code Execution vulnerability caused by a heap-based buffer overflow (CWE-122). The flaw allows an unauthorized attacker to execute code over a network by presenting a specially crafted Remote Desktop Protocol (RDP) certificate during the connection process. When a vulnerable Remote Desktop Client processes the malformed certificate, arbitrary code may execute with the same privileges as the user running the client.

CVSS Score: 8.8
SEVERITY: Critical
THREAT:
This vulnerability targets systems that use Remote Desktop Client connections. An attacker can create a malicious Remote Desktop environment and persuade a user to connect. During the connection process, a crafted RDP certificate can trigger memory corruption and allow code execution on the victim’s device. This creates a risk of malware deployment, credential theft, and unauthorized system access.

EXPLOITS:
The exploitability assessment is Exploitation Less Likely. The vulnerability is not publicly disclosed and not known to be exploited in the wild. Exploit Code Maturity is listed as Unproven, and no public proof-of-concept (PoC) code is identified in the available information.

TECHNICAL SUMMARY:
The vulnerability is caused by a heap-based buffer overflow within the Remote Desktop Client. An attacker-controlled system can present a specially crafted RDP certificate during connection establishment. When the vulnerable client processes the malformed certificate, memory corruption may occur, potentially allowing arbitrary code execution. The vulnerability requires no privileges and has High impacts on confidentiality, integrity, and availability. Because the attack complexity is Low, exploitation is easier than many other Remote Desktop Client vulnerabilities disclosed in the same release cycle.

EXPLOITABILITY:
Affected Microsoft Product: Remote Desktop Client
Affected software includes:
Windows 10 Version 1607, 1809, 21H2, and 22H2
Windows 11 Version 23H2, 24H2, 25H2, and 26H1
Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025
Server Core installations for affected server versions
The attack vector is Network, attack complexity is Low, privileges required are None, and User Interaction is Required. Exploitation requires a user to connect to a malicious Remote Desktop Server presenting a specially crafted RDP certificate.

BUSINESS IMPACT:
Organizations heavily depend on Remote Desktop technologies for administration, remote support, and remote work. Successful exploitation could allow attackers to compromise endpoints, steal sensitive information, deploy ransomware, or gain an initial foothold within the corporate environment. Because users may perceive Remote Desktop connections as trusted activities, this vulnerability presents a significant operational risk.

WORKAROUND:
No workarounds are listed.
No mitigations are listed.

URGENCY:
This vulnerability is rated Critical and carries a CVSS v3.1 Base Score of 8.8. The attack requires no privileges, has low attack complexity, and can result in remote code execution through a specially crafted RDP certificate. Organizations should prioritize patching systems that frequently establish Remote Desktop connections, particularly administrative workstations and support systems.
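As an added example that is not part of the advisory and not Microsoft's code, the following PowerShell script run on an endpoint summarizes which Remote Desktop servers the local client has connected to, using the client's built-in operational event log, and flags any target that is not on a constructed allowlist; the allowlist hostnames, the 30-day window and the regex used to pull the server name out of the event message are assumptions.

```powershell
# Added example (not from the advisory): inventory outbound RDP connection
# targets from the client's own Operational log and flag any server that is
# not on an allowlist. Helps locate the workstations the URGENCY section says
# to patch first and spot connections to unexpected Remote Desktop servers.
param(
    [int]$Days = 30,
    # Constructed allowlist: replace with your jump hosts / RDS brokers.
    [string[]]$AllowedHosts = @('jump01.corp.example', 'rds-broker.corp.example')
)

$filter = @{
    LogName   = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'
    Id        = 1024   # logged on every client connection attempt
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Assumption: the 1024 message reads
# "RDP ClientActiveX is trying to connect to the server (<target>)",
# so the target is the text inside the parentheses.
$targets = foreach ($e in $events) {
    if ($e.Message -match '\(([^)]+)\)') {
        [pscustomobject]@{ Time = $e.TimeCreated; Target = $Matches[1] }
    }
}

$summary = $targets | Group-Object Target | ForEach-Object {
    [pscustomobject]@{
        Target      = $_.Name
        Count       = $_.Count
        LastSeen    = ($_.Group | Measure-Object Time -Maximum).Maximum
        Allowlisted = $AllowedHosts -contains $_.Name
    }
} | Sort-Object Allowlisted, Count -Descending

$summary | Format-Table -AutoSize

# Non-zero exit when any connection went outside the allowlist, so the
# script can be scheduled as a compliance check and alert on its result.
if ($summary | Where-Object { -not $_.Allowlisted }) { exit 1 }
```

Event 1024 records connection attempts, not only successful sessions, so a flagged host is a lead for review rather than proof that a session was established.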

Key Details

Affected Product: Microsoft Windows App
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
CWE Classification: CWE-122