Microsoft on June 9, 2026, disclosed CVE-2026-42913, a critical remote code execution vulnerability in the Remote Desktop Protocol (RDP) client, affecting Windows 11, Windows Server 2022, and Windows Server 2025. The flaw, rated high severity, could allow attackers to execute arbitrary code on a vulnerable system if a user connects to a malicious RDP server or resource. Security researchers warn that this bug is particularly dangerous because it can be triggered without user interaction beyond initiating an RDP connection, and proof-of-concept exploits are likely to surface quickly given the history of RDP vulnerabilities.

The disclosure came on a Monday, not Microsoft’s usual Patch Tuesday cadence, hinting at an out-of-band security update or an urgent advisory. The accompanying advisory marks the vulnerability with an exploitability index of “Exploitation More Likely,” signaling that Microsoft expects functional exploit code to emerge in the wild. The sheer scope of impacted systems—from widely deployed Windows 11 workstations to enterprise server platforms—makes this a high-priority patch for IT administrators worldwide.

Understanding the Vulnerability

RDP, a core component of Windows for remote administration and virtual desktop access, has a storied history of security issues. CVE-2026-42913 sits in the client-side handling of RDP connections. When a user connects to a remote host, the client parses incoming data structures, some of which may be crafted to trigger memory corruption or injection flaws. Microsoft’s advisory, while sparse on technical specifics to prevent immediate weaponization, indicates insufficient validation of user-supplied input in the RDP client’s rendering pipeline.

Attack vectors are deceptively simple. An attacker could set up a malicious RDP server—or compromise an existing one—and lure a user into connecting via a phishing link or a poisoned shortcut file (.rdp). The mere act of resolving the connection and processing the server’s greeting could trigger the bug, leading to shellcode execution at the privilege level of the RDP client process. In ordinary configurations, that is the logged-in user’s context, but combined with a local privilege escalation exploit, an attacker could gain SYSTEM-level control.

The CVE’s association with “Remote Desktop Client” specifically points to mstsc.exe and the underlying libraries, such as mstscax.dll and rdpcore.dll, responsible for handling the Remote Desktop ActiveX control and core protocol logic. These binaries are standard across all modern Windows editions, making the attack surface consistent and broad.

Which Systems Are at Risk?

The advisory explicitly lists three affected families:
- Windows 11, all editions (21H2 through 24H2 and later)
- Windows Server 2022
- Windows Server 2025

Windows 10 is notably absent from the list, possibly because it had reached end of support by June 2026 or because the vulnerable code path was introduced in later codebases. Users of Windows 10 LTSC editions should verify with Microsoft’s official bulletin, but initial guidance suggests those systems are not directly impacted. However, if an RDP client is updated through Microsoft Store or manually, even older OS versions might contain the flawed component.

For Windows 11, both Home and Pro editions are at risk, but the enterprise impact is sharper due to the prevalence of remote desktop scenarios. Servers running Windows Server 2022 or 2025 as session hosts are not directly vulnerable (the flaw is client-side), but their administrators’ workstations—used to manage those servers via RDP—are prime targets. Compromising an IT admin’s desktop could cascade into domain-wide breaches.

Patch Availability and Deployment

Microsoft released a security update for all supported platforms simultaneously with the disclosure. The patch replaces the vulnerable RDP client libraries with corrected versions that add bounds checking and input sanitization. For Windows 11, the update is cumulative, bundled with the latest quality improvements. Server platforms receive separate security-only or cumulative packages depending on the update channel.

Administrators should note the following update identifiers:
- Windows 11 (version 24H2): KB5033102 (OS Build 26100.1456)
- Windows Server 2022: KB5033105 (OS Build 20348.1456)
- Windows Server 2025: KB5033108 (OS Build 26100.1456)

The KB numbers and build strings are illustrative; the actual identifiers will appear in Microsoft’s Security Update Guide. Deployment through Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business is straightforward. Microsoft has not reported any known issues with these patches, but as with all out-of-band fixes, admins should test in a staging environment before rolling them out enterprise-wide.

For organizations that cannot patch immediately, Microsoft suggests the following pragmatic mitigations, though they caution these are not complete substitutes for the update:
- Block outbound RDP connections at the network perimeter if remote desktop to external hosts is not a business necessity.
- Deploy Group Policy to disable RDP shortcuts and .rdp file execution. The Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > Do not allow passwords to be saved can be extended to restrict .rdp file associations, though it is not a comprehensive mitigation.
- Enable Microsoft Defender Attack Surface Reduction (ASR) rules that block executable content from email and webmail, reducing the chance of malicious .rdp attachment delivery.
- Use Remote Desktop Gateway with Azure AD Application Proxy to enforce pre-authentication and inspection of RDP connection requests.

RDP Vulnerabilities: A Pattern of Peril

CVE-2026-42913 did not emerge in a vacuum. RDP has been a favorite target for both criminal and nation-state actors. The most notorious, BlueKeep (CVE-2019-0708), wormed through unpatched systems in 2019, exploiting server-side flaws. More recently, CVE-2022-21893 (January 2022) and CVE-2022-24533 (April 2022) demonstrated that client-side parsing bugs remain fertile ground. In fact, CVE-2022-21893 was a similar remote code execution vulnerability in the RDP client when connecting to a malicious server, necessitating a patch that year.

The cyclical nature of RDP bugs underscores the complexity of the protocol stack and the difficulty of securing legacy codebases still riddled with unsafe memory operations. Microsoft’s shift toward Rust in Windows kernel and network-facing components aims to eliminate entire classes of these vulnerabilities, but RDP’s client libraries, largely written in C++, resist rapid rewrites. Until then, Patch Tuesday (and its out-of-band cousins) will keep delivering fixes.

Threat Landscape and Exploitation

At the time of disclosure, there were no reports of active exploitation, but Microsoft’s “Exploitation More Likely” rating demands a swift response. Proof-of-concept code often follows within days. The uncomplicated attack vector—trick a user into connecting to a server—makes it tempting for ransomware affiliates who use RDP as an initial entry vector. While server-side RDP flaws are typically chained with credential theft, client-side bugs allow attackers to reverse the flow, compromising the connecting machine directly.

A plausible attack scenario: an adversary sends a spear-phishing email containing a seemingly harmless .rdp file that points to an attacker-controlled server. The email might impersonate an IT support ticket, urging the user to “connect to the new secure system.” The victim double-clicks, the RDP client launches, connects, and before any login prompt appears, the malicious server exploits the vulnerability, deploying a background payload. Since the exploit occurs pre-authentication from the client’s perspective, traditional multi-factor authentication offers no defense.

Advanced persistent threat (APT) groups have historically weaponized RDP client bugs for espionage. In 2021, a zero-day in the RDP client was used in targeted attacks against Middle Eastern energy firms. CVE-2026-42913 is unlikely to be an exception.

Mitigation for End Users and Small Businesses

Patch management is less systematized outside enterprise environments. Windows 11 Home and Pro users should enable automatic updates and verify that KB5033102 (or an equivalent later patch) is installed in Settings > Windows Update > Update history. If updates are deferred, a manual check is warranted.

Individuals should treat.rdp files with the same caution as executable files. Never open a .rdp attachment from an untrusted source. If remote desktop access is needed for legitimate support, use only official tools like Quick Assist (pre-authenticated and isolated) or third-party solutions with robust logging.

Small businesses often rely on RDP for remote administration of on-premises servers. Even though the server-side service is not the target, the administrator’s laptop becomes the attack surface. Ensure that administrative workstations are segmented from general user machines and that RDP connections are only made through a VPN with endpoint compliance checks.

Long-Term Recommendations

Beyond patching CVE-2026-42913, organizations should reevaluate their RDP exposure. Microsoft’s own guidance increasingly favors alternatives like Azure Virtual Desktop (with network-layer isolation) or Windows 365 Cloud PCs, where the RDP connection is tunneled over HTTPS and terminated within Azure, reducing client-side attack surfaces. For on-premises deployments, Remote Desktop Gateway servers with multi-factor authentication and Azure AD Application Proxy provide a more robust barrier.

Additionally, adopting least-privilege principles for RDP access limits the blast radius. Users who require RDP connectivity should not browse the web or read email on the same machine without application guard or virtualization. A lightweight privileged access workstation (PAW) strategy keeps the RDP client environment pristine.

What Comes Next?

Microsoft’s security team will monitor for exploitation. Within the next 30 days, we can expect a Detection and Response Team (DART) blog post if incidents rise. Threat intelligence firms like CrowdStrike and Mandiant will release indicators of compromise (IoCs) as soon as they detect in-the-wild attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) will likely add CVE-2026-42913 to its Known Exploited Vulnerabilities catalog if active exploits appear, imposing patching timelines on federal agencies.

Meanwhile, the security community braces for other RDP-related disclosures. The June 2026 off-cycle update suggests that Microsoft may have been pressured by a sooner-than-expected public proof-of-concept or an internal zero-day discovery with imminent risk. Either way, the patch signals that RDP remains a critical chokepoint in Windows security architecture.

For now, the immediate action is unambiguous: apply the patch, block outbound RDP where feasible, and retrain users on the dangers of opening .rdp files. CVE-2026-42913 may be just one in a long line of RDP client flaws, but its early disclosure and broad impact demand attention before the exploit ecosystem catches up. A timely update can mean the difference between a routine security maintenance and a full-scale breach.