CVE-2026-47289: Remote Desktop Client Remote Code Execution Vulnerability
Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 2.0.1193.0
- Affected Products: 21
HarborGuard Analysis
Synopsis
A heap-based buffer overflow in Microsoft Remote Desktop Client allows an unauthenticated attacker to execute arbitrary code on the victim's machine by having the victim connect to a malicious RDP server over a network. No credentials are required on the attacker's side, but the victim must initiate a connection, such as by clicking a crafted link or visiting a page that triggers an RDP session. Successful exploitation gives the attacker full code execution on the affected Windows host. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected version of Windows.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Windows-based container images, in both registries and active CI/CD pipelines. Any image layer carrying an affected Remote Desktop Client version is flagged automatically.
HarborGuard scores this CVE at its CVSS v3.1 base score of 8.8 (HIGH) and weights it against each environment's compliance policy to determine escalation priority. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Patched-image rebuilds at the applicable fix versions (2.0.1193.0, 6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, and 10.0.17763.8880) are available on HarborGuard for environments running an affected Windows version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must be reachable over the network, as the victim's Remote Desktop Client connects outbound to an attacker-controlled RDP server.
- Authentication: Not required
No credentials or account on the target system are required; the attacker operates as an unauthenticated party hosting the malicious server.
- Victim interaction: Required
The victim must actively initiate an RDP connection to the attacker-controlled server, for example by clicking a crafted link or being redirected through a phishing page.
- Attack complexity: Low
Attack complexity is low (CVSS AC:L): exploitation does not depend on race conditions, specific memory layouts, or other conditions outside the attacker's control, so the issue is treated as reliably exploitable.
Blast Radius
- The attacker executes arbitrary code in the context of the user running the Remote Desktop Client on the victim's Windows host.
- Confidential data accessible to that user account, including files, credentials cached in memory, and session tokens, is readable by the attacker.
- The attacker can write or modify files and registry entries within the permissions of the compromised user account.
- The attacker can crash or terminate the Remote Desktop Client process and any dependent services, disrupting the user's session.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-47289 is matched against all customer images within minutes of publication, covering every Windows-based image layer that ships an affected Remote Desktop Client binary. For environments where the compliance policy permits auto-remediation, HarborGuard rebuilds affected images at the appropriate fix version, runs a regression suite, and opens a pull request against impacted workloads; median time from CVE publication to merged patch PR for HIGH-severity issues is around 90 minutes in those environments. For environments that do not use auto-remediation, the rebuilt image is still made available in the HarborGuard registry so teams can pull and deploy it on their own schedule. In the interim, teams can reduce exposure by applying network policy controls that restrict which workloads are permitted to initiate outbound RDP connections, limiting the set of users who can launch an RDP client from container-hosted desktops, and auditing pipeline images to confirm no unnecessary RDP client binaries are bundled into production layers.
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows App Client for Windows Desktop: < 2.0.1193.0 (from 1.00)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
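The fix list above is a set of half-open version ranges, and the usual mistake when triaging it by hand is comparing version strings lexically. The following added example (not HarborGuard's code) encodes a subset of those ranges as integer tuples and checks constructed inventory lines against them; the `product | version` input format and the sample rows are assumptions for illustration.

```python
# Added example (not HarborGuard's code). Sample inventory below is constructed.
# product -> (first affected version, first fixed version), from the advisory table
FIX_TABLE = {
    "Windows 10 Version 1809": ("10.0.17763.0", "10.0.17763.8880"),
    "Windows App Client for Windows Desktop": ("1.00", "2.0.1193.0"),
    "Windows Server 2012": ("6.2.9200.0", "6.2.9200.26132"),
    "Windows Server 2016": ("10.0.14393.0", "10.0.14393.9234"),
    "Windows Server 2019": ("10.0.17763.0", "10.0.17763.8880"),
    "Windows Server 2022": ("10.0.20348.0", "10.0.20348.5256"),
}

def parse_version(text):
    """'10.0.17763.8880' or '1.00' -> 4-tuple of ints, zero-padded so tuple
    comparison behaves like a numeric version compare (never a string compare)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(product, version):
    """True when version lies in [first affected, first fixed) for the product."""
    low, fixed = FIX_TABLE[product]
    return parse_version(low) <= parse_version(version) < parse_version(fixed)

def triage(inventory):
    """Map 'product | version' lines to (product, version, verdict) rows."""
    rows = []
    for line in inventory:
        product, version = (part.strip() for part in line.split("|", 1))
        if product not in FIX_TABLE:
            verdict = "not in advisory table"
        elif is_affected(product, version):
            verdict = "AFFECTED - rebuild at " + FIX_TABLE[product][1]
        else:
            verdict = "patched"
        rows.append((product, version, verdict))
    return rows

SAMPLE_INVENTORY = [  # constructed rows, not real scan output
    "Windows Server 2019 | 10.0.17763.8800",
    "Windows Server 2019 | 10.0.17763.8880",
    "Windows App Client for Windows Desktop | 1.2.5000.0",
    "Windows Server 2022 | 10.0.20348.5300",
    "Windows Server 2012 | 6.2.9200.26000",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(" | ".join(row))
```

A version exactly equal to the fix build is reported as patched because the advisory's ranges are strictly less than the fix version.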