CVE-2026-47653: Remote Desktop Client Remote Code Execution Vulnerability
Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 20
HarborGuard Analysis
Synopsis
A heap-based buffer overflow in the Microsoft Remote Desktop Client allows an unauthenticated attacker to reach the vulnerable component over a network and execute arbitrary code on the affected machine. The CVSS vector shows no authentication is required, but a victim must take an action such as connecting to a malicious RDP server for exploitation to succeed. Successful exploitation gives the attacker full code execution in the context of the connecting user, enabling data theft, system modification, or service disruption. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-47653 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle the affected Windows Remote Desktop Client components. HarborGuard's pipeline is capable of identifying affected versions across all Windows 10 and Windows 11 version ranges listed in the advisory.
HarborGuard is capable of scoring this CVE at CVSS 8.8 (HIGH) and weighting that score against each customer environment's compliance policy to determine urgency. Triage output can be routed to the appropriate team inbox inside each customer organization based on asset ownership and policy rules.
A patched-image rebuild at the applicable fix versions (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, and others per Windows version) becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, the platform performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the victim's machine over the network; the vulnerable client initiates an outbound RDP connection to an attacker-controlled server, so the service must be network-accessible or the victim must be routable to the malicious host.
- Authentication: Not required
No authentication is required; the attacker does not need any account or credential on the target system before exploitation.
- Victim interaction: Required
The victim must initiate an RDP connection to a malicious server, requiring the attacker to socially engineer the victim into connecting, such as through a phishing link or crafted .rdp file.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Reads files, credentials, and session tokens accessible to the connecting user's account.
- Writes or modifies files and registry entries within the user's permission scope.
- Executes arbitrary processes on the victim host under the compromised user context.
- Crashes or disrupts the Remote Desktop Client session and any dependent user-space processes.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-47653 is active across customer registries and CI pipelines, matching images that carry affected Windows Remote Desktop Client versions against the advisory within minutes of publication. Where compliance policy permits, patched-image rebuilds at the corrected Windows 10 and Windows 11 versions are available, and customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads. For high-severity issues like this one, the median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled. Because exploitation requires victim interaction via a crafted RDP connection, customers who cannot immediately apply the patch can reduce exposure by enforcing network policy rules that restrict outbound RDP (port 3389) from container workloads, applying egress filtering to prevent connections to untrusted hosts, and auditing any automation that triggers RDP client sessions.
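One way to audit stored .rdp files for untrusted targets, as an added example that is not HarborGuard or Microsoft code. The allowlist values, function names and sample files are assumptions constructed for illustration; the setting names are the standard .rdp `name:type:value` keys.

```python
import ipaddress

# Assumed policy for this example: destinations the organisation trusts.
ALLOWED_SUFFIXES = (".corp.example",)
ALLOWED_NETS = (ipaddress.ip_network("10.20.0.0/16"),)
TARGET_KEYS = {"full address", "alternate full address", "gatewayhostname"}

def parse_rdp(text):
    """Parse the 'name:type:value' lines of a decoded .rdp file."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].lower()] = parts[2].strip()
    return settings

def split_host(target):
    """Drop an optional ':port', keeping IPv6 literals intact."""
    if target.startswith("["):                      # [v6]:port
        return target[1:].split("]", 1)[0]
    if target.count(":") > 1:                       # bare IPv6, no port
        return target
    host, _, port = target.rpartition(":")
    return host if host and port.isdigit() else target

def is_allowed(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                              # not an IP literal: hostname
        name = host.lower().rstrip(".")
        return any(name.endswith(s) for s in ALLOWED_SUFFIXES)
    return any(addr in net for net in ALLOWED_NETS)

def audit_rdp(text):
    """Return (setting, host) pairs that point outside the allowlist."""
    settings = parse_rdp(text)
    findings = []
    for key in sorted(settings.keys() & TARGET_KEYS):
        host = split_host(settings[key])
        if host and not is_allowed(host):
            findings.append((key, host))
    return findings

# Constructed sample files (real .rdp files are often UTF-16; decode first).
TRUSTED = "full address:s:jump01.corp.example:3389\nserver port:i:3389\n"
UNTRUSTED = ("full address:s:203.0.113.50:3389\ngatewayhostname:s:\n"
             "alternate full address:s:rdp.untrusted.example\n")

if __name__ == "__main__":
    print(audit_rdp(TRUSTED), audit_rdp(UNTRUSTED))
```

The suffix match keeps its leading dot so that a look-alike such as `evilcorp.example` does not pass as `.corp.example`.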
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
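A check of an inventoried OS build against the ranges above, as an added example that is not HarborGuard or Microsoft code. The fix revisions are copied from the list; the shortened product labels and function names are assumptions. It compares revisions numerically and reports the 10.0.26100 line as ambiguous when the product is unknown, because Windows 11 24H2 and Windows Server 2025 share that build but have different fix revisions.

```python
# Fix revisions copied from the "Fix available" list on this page, keyed by
# (major, minor, build). Product labels are shortened for this example.
FIXED = {
    (6, 2, 9200): {"Windows Server 2012": 26132},
    (6, 3, 9600): {"Windows Server 2012 R2": 23228},
    (10, 0, 14393): {"Windows 10 1607 / Server 2016": 9234},
    (10, 0, 17763): {"Windows 10 1809 / Server 2019": 8880},
    (10, 0, 19044): {"Windows 10 21H2": 7417},
    (10, 0, 19045): {"Windows 10 22H2": 7417},
    (10, 0, 20348): {"Windows Server 2022": 5256},
    (10, 0, 22631): {"Windows 11 23H2": 7219},
    (10, 0, 26100): {"Windows 11 24H2": 8655, "Windows Server 2025": 32995},
    (10, 0, 26200): {"Windows 11 25H2": 8655},
    (10, 0, 28000): {"Windows 11 26H1": 2269},
}

def parse_version(text):
    """Split 'major.minor.build.revision' into a tuple of four ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.build.revision, got {text!r}")
    return tuple(int(p) for p in parts)

def assess(version, product=None):
    """Return 'affected', 'fixed', 'ambiguous' or 'not-listed'."""
    *line, revision = parse_version(version)
    fixes = FIXED.get(tuple(line))
    if fixes is None:
        return "not-listed"
    if product is not None:
        if product not in fixes:
            return "not-listed"
        fixes = {product: fixes[product]}
    # Integer comparison: as strings, "10000" would sort below "8655".
    verdicts = {"affected" if revision < fix else "fixed"
                for fix in fixes.values()}
    return verdicts.pop() if len(verdicts) == 1 else "ambiguous"

if __name__ == "__main__":
    for v in ("10.0.19045.7416", "10.0.26100.10000", "10.0.22000.1"):
        print(v, assess(v))
```

An "ambiguous" result means the product edition has to be looked up before the host or image can be marked as patched.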
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C