HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-47654Published Modified CNA microsoft

CVE-2026-47654: Remote Desktop Client Remote Code Execution Vulnerability

Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

Metrics

CVSS v3.1
7.5
Severity
HIGH
Fixed in
10.0.14393.9234
Affected Products
7

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Heap-based buffer overflow in the Microsoft Remote Desktop Client allows a remote, unauthenticated attacker to execute arbitrary code on affected systems. The attacker must reach the service over the network and requires the victim to interact with a malicious server or link, but no account credentials are needed. Successful exploitation gives the attacker full code execution, with high impact on confidentiality, integrity, and availability. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected versions of Windows Server 2016 through 2025.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images layered on affected Windows Server base images.

Available
Triage

HarborGuard scores this CVE at 7.5 HIGH (CVSS v3.1) and is capable of weighting that score against each environment's compliance policy to prioritize routing and escalation, directing findings to the appropriate team inbox within each customer organization.

Available
Patch

Patched-image rebuilds at versions 10.0.14393.9234, 10.0.17763.8880, 10.0.20348.5256, and 10.0.26100.32995 are available on HarborGuard for each affected Windows Server release. For customers who opt into auto-remediation, HarborGuard is capable of running a rebuild, executing a regression test suite, and opening a PR against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the Remote Desktop Client service over the network; over-the-network exposure is the primary attack surface.

  • AuthenticationNot required

    No account credentials are needed; the attacker can exploit the vulnerability without authenticating to the target system.

  • Victim interactionRequired

    The victim must interact with a malicious RDP server or crafted link, making social engineering a prerequisite for exploitation.

  • Attack complexityDetail

    Attack complexity is rated High, meaning the attacker must meet specific conditions or environmental factors beyond the attacker's direct control to reliably trigger the overflow.

Blast Radius

  • A successful attacker achieves arbitrary code execution in the context of the Remote Desktop Client process on the victim host.
  • The attacker reads sensitive data accessible to that process, including credentials, session tokens, and files the current user can access.
  • The attacker modifies files, registry keys, or persisted data within the victim user's privilege scope.
  • The attacker can crash or destabilize the affected client process, denying availability of the Remote Desktop service to the victim.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication and matches against all customer images built on affected Windows Server 2016 through 2025 base layers. Where compliance policy permits, HarborGuard can initiate a patched-image rebuild at the appropriate fix version (10.0.14393.9234 for Server 2016, 10.0.17763.8880 for Server 2019, 10.0.20348.5256 for Server 2022, and 10.0.26100.32995 for Server 2025). For customers who opt into auto-remediation, the full flow of rebuild, regression run, and PR opened against affected workloads is available; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is routed to the configured team inbox with CVSS scoring and compliance-policy context attached, so engineers have what they need to act manually.

See how HarborGuard automates this

Fix available

10.0.14393.923410.0.17763.888010.0.20348.525610.0.26100.32995
Patch commits
Affected packages
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:T/RC:C
References