CVE-2026-48563 – Remote Desktop Client Remote Code Execution Vulnerability
“A single connection to a malicious Remote Desktop server can expose a trusted endpoint to code execution and compromise.”
CVE-2026-48563 is a Remote Desktop Client Remote Code Execution vulnerability caused by a use-after-free (CWE-416) memory corruption flaw. The vulnerability affects the Remote Desktop Client and may allow an unauthorized attacker to execute code over a network. According to Microsoft’s guidance, successful exploitation requires an attacker to win a race condition and control a Remote Desktop Server that a victim connects to using a vulnerable client.
CVSS Score: 7.5
SEVERITY: Critical
THREAT:
This vulnerability creates a risk for organizations that rely on Remote Desktop connectivity. An attacker operating a malicious Remote Desktop Server could exploit the flaw when a user initiates a connection. Successful exploitation could enable malware deployment, unauthorized access, credential theft, or compromise of the affected system.
EXPLOITS:
The exploitability assessment is Exploitation Less Likely. The vulnerability is not publicly disclosed and not known to be exploited in the wild. Exploit Code Maturity is listed as Unproven, and no public proof-of-concept (PoC) code is identified in the available information.
TECHNICAL SUMMARY:
The vulnerability is associated with CWE-416: Use After Free, a memory corruption weakness that occurs when software accesses memory after it has been released. Microsoft indicates that successful exploitation requires an attacker to win a race condition, increasing the difficulty of exploitation. A malicious Remote Desktop Server can trigger the flaw during a Remote Desktop session, potentially resulting in arbitrary code execution on the client device. The vulnerability carries High impacts to confidentiality, integrity, and availability.
EXPLOITABILITY:
Affected Microsoft Product: Remote Desktop Client
Affected software includes:
- Windows 10 Version 1809, 21H2, and 22H2
- Windows 11 Version 23H2, 24H2, 25H2, and 26H1
- Windows Server 2019, 2022, and 2025
- Windows Server Core installations for affected server versions
The attack vector is Network, attack complexity is High, privileges required are None, and User Interaction is Required. Exploitation requires a victim to connect to an attacker-controlled Remote Desktop Server.
BUSINESS IMPACT:
Remote Desktop technologies are widely used for administration, support, and remote work. Successful exploitation could allow attackers to compromise workstations or servers, access sensitive corporate information, deploy malicious software, and establish a foothold within the network. Systems used by administrators and privileged users may face elevated risk.
WORKAROUND:
No workarounds are listed.
No mitigations are listed.
URGENCY:
This vulnerability is rated Critical and affects multiple supported Windows client and server platforms. Although exploitation requires user interaction and successful race condition timing, the potential for remote code execution through a trusted remote access mechanism makes prompt patch deployment important. Organizations should prioritize systems that regularly establish Remote Desktop connections.
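One way to build that priority list, as an added example that is not part of the original advisory: it ranks endpoints by their outbound Remote Desktop activity and surfaces destinations outside an approved set. It assumes connection records taken from the Microsoft-Windows-TerminalServices-RDPClient/Operational log (Event ID 1024); the host names, addresses and allowlist values are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: (client host, message text of an Event ID 1024 record).
SAMPLE_EVENTS = [
    ("WS-ADMIN-01", "RDP ClientActiveX is trying to connect to the server (10.20.0.15)"),
    ("WS-ADMIN-01", "RDP ClientActiveX is trying to connect to the server (jump01.corp.example)"),
    ("WS-ADMIN-01", "RDP ClientActiveX is trying to connect to the server (203.0.113.44)"),
    ("WS-HR-07", "RDP ClientActiveX is trying to connect to the server (10.20.0.15)"),
    ("WS-DEV-03", "RDP ClientActiveX is trying to connect to the server (198.51.100.9)"),
    ("WS-DEV-03", "RDP ClientActiveX is trying to connect to the server (vendor-support.example.net)"),
]

# Assumed allowlist of sanctioned RDP destinations (hypothetical values).
APPROVED_NETS = [ip_network("10.20.0.0/16")]
APPROVED_SUFFIXES = (".corp.example",)

SERVER_RE = re.compile(r"connect to the server \(([^)]+)\)")

def is_approved(server):
    """True if the destination is inside an approved network or DNS suffix."""
    try:
        addr = ip_address(server)
    except ValueError:
        # Not an IP literal: treat it as a host name and check the suffix.
        return server.lower().endswith(APPROVED_SUFFIXES)
    return any(addr in net for net in APPROVED_NETS)

def rank_clients(events):
    """Return [(host, total, unapproved_destinations)], highest exposure first."""
    total = defaultdict(int)
    unapproved = defaultdict(set)
    for host, message in events:
        match = SERVER_RE.search(message)
        if not match:
            continue  # not a connection-attempt record
        total[host] += 1
        if not is_approved(match.group(1)):
            unapproved[host].add(match.group(1))
    # Hosts reaching unapproved servers first, then by connection volume.
    return sorted(
        ((h, total[h], sorted(unapproved[h])) for h in total),
        key=lambda r: (-len(r[2]), -r[1], r[0]),
    )

if __name__ == "__main__":
    for host, count, outside in rank_clients(SAMPLE_EVENTS):
        print(f"{host}: {count} connections, unapproved: {outside or 'none'}")
```

Hosts at the top of the output are the ones to patch first, and their unapproved destinations are candidates for review or egress filtering.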
Key Details
- Affected Product: Microsoft Windows 10 1809
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- CWE Classification: CWE-416