Microsoft's May 2026 Patch Tuesday rollout addressed 78 security vulnerabilities, among them CVE-2026-40398—an elevation-of-privilege bug in Windows Remote Desktop Services (RDS) scored at CVSS 7.8 and marked as Important. The disclosure arrived without accompanying reports of public proof-of-concept code or in‑the‑wild exploitation, a detail that gives administrators breathing room but doesn't lessen the urgency of patching.
What CVE-2026-40398 is
The vulnerability sits in the RDS component that handles authentication and session initialization. An attacker who can authenticate to a target system over RDP, even with low‑privileged credentials, can exploit a flaw in the service to escalate to SYSTEM‑level privileges. The attack complexity is low, according to the CVSS vector, and no user interaction is required beyond the initial logon.
Because RDS is the backbone of remote desktop and VDI deployments in enterprise environments, the blast radius is wide. Any Windows Server or workstation running the RDS role, exposed to an authenticated RDP session, is a potential target.
Technical breakdown
Microsoft classifies CVE-2026-40398 as a CWE-269: Improper Privilege Management issue. The vulnerability stems from how the RDS service validates access tokens after a remote session transitions from the initial logon phase. An attacker who gains a foothold on a machine—through a compromised low‑privilege account, for example—can issue a crafted RPC call to the RDS service, causing it to duplicate a privileged token without proper checks. The result is a stolen SYSTEM token that can be used to launch processes with the highest local privileges.
The CVSS v3.1 string reads:
| Base Score | Vector |
|--------|-------|
| 7.8 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
The local attack vector (AV:L) indicates the attacker must already be able to run code on the target, which aligns with an authenticated RDP session. The privileges required are low (PR:L), meaning a standard domain user on a multi‑user Windows Server is sufficient. The absence of any user‑interaction requirement (UI:N) further reduces friction for attack automation.
Systems at risk
All supported versions of Windows that ship the RDS component are affected. Microsoft's Security Update Guide lists:
- Windows Server 2025
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2 (extended support)
- Windows Server 2012 (extended support)
- Windows 11 (versions 24H2, 23H2, 22H2)
- Windows 10 (versions 22H2, 21H2 Enterprise LTSC)
Workstations are exposed if Remote Desktop is enabled and an attacker can authenticate locally or via a loopback session. Servers running the Remote Desktop Session Host (RDSH) role are the primary vector, especially those in multi‑tenant scenarios where users share the host.
Publicly exposed RDP endpoints without additional authentication controls (such as Azure AD Application Proxy or VPN gateway enforcement) compound the risk. An attacker who manages to phish or brute‑force a low‑privilege user can chain this exploit to achieve system compromise in seconds.
Exploit details and detection
At the time of Patch Tuesday, Microsoft had seen no evidence of public disclosure or active exploitation. The MSRC advisory carries the “Exploitation Less Likely” assessment, a term used when the vulnerability is not easily weaponizable at scale. However, privilege escalation bugs in RDS have historically been folded into commodity attack toolkits within weeks of patch reverse‑engineering.
Security teams should monitor for unusual token duplication events. Indicators include:
- Process creation events where a low‑integrity token abruptly escalates to SYSTEM without elevation prompts
- RPC activity targeting the TermService interface with anomalous parameters
- Suspicious SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege usage from unexpected accounts
Windows Event Forwarding and Sysmon can help surface these patterns even before EDR platforms raise an alert.
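As an added example (not from the article or from any vendor's detection content), the following Python applies the indicators above to Windows Security event records. It assumes the events have been exported as dictionaries keyed by the EventData field names of 4624 (logon), 4672 (special privileges assigned to a new logon), 4673 (sensitive privilege use, which needs the Audit Sensitive Privilege Use subcategory enabled) and 4688 (process creation, whose MandatoryLabel and target-subject fields exist on Windows 10/Server 2016 and later). The sample records are constructed, and the allowlist of accounts for which token privileges are normal is an assumption to tune per environment. Beyond the bullet list, it correlates each SYSTEM-level process creation back to the RemoteInteractive (type 10) logon it came from, which is what ties a generic escalation to an RDP session.

```python
"""Hunt for the token-escalation indicators above in Windows Security events.
Added example; the event records are constructed sample data shaped like the
EventData of 4624/4672/4673/4688 (as exported by Get-WinEvent or a SIEM)."""

TOKEN_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}
# Assumption: accounts for which token privileges are expected.  Tune per site.
EXPECTED_PRIVILEGED = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
RDP_LOGON_TYPE = "10"          # RemoteInteractive (RDP / terminal session)
SYSTEM_LABEL = "S-1-16-16384"  # MandatoryLabel SID for System integrity

# Constructed sample events.  Field names follow the Windows EventData schema.
SAMPLE_EVENTS = [
    # Standard user jdoe logs on over RDP; 0x3e7a1 is that session's LogonId.
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetLogonId": "0x3e7a1",
     "LogonType": "10"},
    # SYSTEM's own logon is assigned token privileges: benign.
    {"EventID": 4672, "SubjectUserName": "SYSTEM", "SubjectLogonId": "0x3e7",
     "PrivilegeList": "SeAssignPrimaryTokenPrivilege SeTcbPrivilege"},
    # A process in jdoe's session exercises SeImpersonatePrivilege: suspicious.
    {"EventID": 4673, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1",
     "PrivilegeList": "SeImpersonatePrivilege",
     "ProcessName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"},
    # Ordinary medium-integrity process from jdoe's session: benign.
    {"EventID": 4688, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "TargetUserName": "jdoe", "MandatoryLabel": "S-1-16-8192"},
    # jdoe's RDP session creates a process running as SYSTEM: the pattern.
    {"EventID": 4688, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "TargetUserName": "SYSTEM", "MandatoryLabel": SYSTEM_LABEL},
    # Service host started by SYSTEM itself: benign.
    {"EventID": 4688, "SubjectUserName": "SYSTEM", "SubjectLogonId": "0x3e7",
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe",
     "TargetUserName": "SYSTEM", "MandatoryLabel": SYSTEM_LABEL},
]


def is_unexpected(account):
    """True for accounts that should not normally hold token privileges.
    Machine accounts (ending in '$') are excluded as an assumption."""
    return account.upper() not in EXPECTED_PRIVILEGED and not account.endswith("$")


def rdp_sessions(events):
    """Map LogonId -> user for every RemoteInteractive (type 10) logon."""
    return {e["TargetLogonId"]: e["TargetUserName"]
            for e in events
            if e["EventID"] == 4624 and e.get("LogonType") == RDP_LOGON_TYPE}


def hunt(events):
    """Return one alert dict per event matching the indicators."""
    sessions = rdp_sessions(events)
    alerts = []
    for e in events:
        eid, user = e["EventID"], e.get("SubjectUserName", "")
        if not is_unexpected(user):
            continue
        if eid in (4672, 4673):
            privs = sorted(set(e.get("PrivilegeList", "").split()) & TOKEN_PRIVS)
            if privs:
                alerts.append({
                    "rule": "token_privilege_assigned" if eid == 4672
                            else "token_privilege_used",
                    "user": user, "privileges": privs,
                    "process": e.get("ProcessName"),
                    "via_rdp": e.get("SubjectLogonId") in sessions,
                })
        elif eid == 4688:
            target = e.get("TargetUserName", "").upper()
            if target == "SYSTEM" or e.get("MandatoryLabel") == SYSTEM_LABEL:
                via_rdp = e.get("SubjectLogonId") in sessions
                alerts.append({
                    "rule": "system_process_from_user_session",
                    "user": user, "process": e["NewProcessName"],
                    "via_rdp": via_rdp,
                    # SYSTEM spawned straight out of an RDP session is the
                    # RDS-specific shape of this escalation.
                    "severity": "high" if via_rdp else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Two alerts come out of the sample data: the SeImpersonatePrivilege use by a binary in jdoe's profile, and the SYSTEM-integrity cmd.exe created from jdoe's RDP logon session. Expect the 4673 rule to be noisy where legitimate services impersonate callers, so the account allowlist and a per-process baseline are the first things to tune.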
Microsoft's fix
The May 2026 cumulative updates correct the token validation logic in termsrv.dll and introduce an additional integrity check during RPC calls that request privileged token duplication. The patch is delivered through:
- Monthly Security Update (KB5059348 for Windows Server 2025)
- Monthly Rollup for Server 2012/2012 R2
- Cumulative Update for Windows 10/11
No configuration change or workaround is listed; the update is the primary mitigation. Administrators who cannot patch immediately should tighten RDP access as a stopgap.
Mitigation and workarounds
While no official workaround exists, several architectural controls reduce exposure:
- Disable RDP where not needed. Many servers have the service enabled for convenience but never use it. A GPO can set the “Allow log on through Remote Desktop Services” user‑rights assignment to an empty list.
- Enforce Network Level Authentication (NLA). NLA requires authentication before a session is created, slightly raising the bar for unauthenticated probes.
- Isolate RDP endpoints. Place RDS hosts behind a Remote Desktop Gateway (RD Gateway) or an Azure Bastion host. This ensures that only authenticated and authorised sessions reach the vulnerable service.
- Limit administrative groups. Restrict membership in the local Remote Desktop Users group. A low‑privilege user who is not a member cannot initiate the RDP session needed for the attack.
- Deploy endpoint detection and response (EDR) rules. Behavioral analytics can spot privilege escalation chains regardless of the vulnerability exploited.
The CVSS scope metric is Unchanged (S:U), meaning the exploit affects only the local machine; it does not propagate laterally on its own. That said, SYSTEM access on any host is a pivot point for lateral movement via Pass‑the‑Hash or credential dumping.
Real‑world implications
For attackers, CVE-2026-40398 turns a trickle into a flood. Compromising a single low‑privilege user on a terminal server becomes a full compromise of that server. In environments where RDS hosts serve as jump boxes, that single host can expose the entire data center.
Penetration testers and red teams will likely integrate a proof‑of‑concept into post‑exploitation frameworks shortly after a public write‑up appears. The low complexity and lack of user interaction make it ideal for automated attack playbooks. Governments and critical infrastructure entities reliant on legacy Windows Server instances should treat this patch with high priority, even though the rating is only Important.
Previous similar vulnerabilities
CVE-2026-40398 is not an outlier. Microsoft's RDS stack has seen multiple elevation‑of‑privilege bugs over the years:
- CVE-2019-0708 (BlueKeep) – Remote code execution rather than privilege escalation, but it underscored the sensitivity of RDP services.
- CVE-2020-0610 – RDS privilege escalation via crafted file system permissions.
- CVE-2022-21893 – RDP client‑side privilege escalation.
Each one was eventually weaponized. The pattern suggests that while Microsoft hardens the gateways, the internal token handling remains a recurrent weak spot.
Patch management guidance
Organizations should prioritize this update on any system where RDP is enabled, regardless of whether it is reachable from the internet. Crown jewels are rarely exposed to the outside, but an attacker who infiltrates the network will seek exactly this kind of privilege escalation to consolidate control.
Deploy the May 2026 cumulative updates through:
- Windows Update for Business rings, starting with a pilot deployment on terminal servers.
- Microsoft Configuration Manager or Intune for managed endpoints.
- WSUS synchronized with the latest Security Only updates if you prefer a lighter delta.
Test the updates on representative RDS farm nodes. In rare cases, third‑party authentication and session management tools that hook into termsrv.dll can cause compatibility issues; vendors typically release hotfixes within a week of Patch Tuesday.
How the industry is reacting
Security researchers on social platforms note that the vulnerability is particularly attractive for ransomware affiliates. Once an operator gains access to a low‑privilege account on a terminal server, the ability to silently elevate to SYSTEM allows disabling of antivirus, deployment of data exfiltration tools, and execution of ransomware—all without triggering typical UAC prompts.
Major EDR vendors already have detections in place for the attack chain, not necessarily the vulnerability itself. Microsoft Defender for Endpoint will alert on the post‑exploitation behavior, such as unexpected token privilege changes, even before signature‑based detections for the exploit are released.
Final takeaway
CVE-2026-40398 exemplifies the perpetual cat‑and‑mouse game in Windows internals. A low‑rated bug in a mission‑critical service can unravel layers of security architecture. While the lack of active attacks provides a window, that window closes quickly once patch analysis begins. Treat this as a high‑priority update for any RDS‑enabled host, apply the May patches, and harden RDP access to minimize the attack surface in the future. The next step for security teams is to validate that the cumulative update is installed across all affected servers and to monitor for any anomalous token operations that slip through.