Severity: HIGH | CVE-2026-48563 | CNA: microsoft

CVE-2026-48563: Remote Desktop Client Remote Code Execution Vulnerability

Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 10.0.17763.8880
  • Affected Products: 13

HarborGuard Analysis

Synopsis

A heap-based buffer overflow in the Microsoft Remote Desktop Client allows an unauthenticated attacker to execute arbitrary code on the victim's machine by serving a malicious RDP server over the network. The vulnerability is reachable remotely but requires the victim to initiate a connection, and exploitation is not straightforward due to high attack complexity. Successful exploitation gives the attacker full control over the affected host, including the ability to read, modify, and destroy data. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows versions.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Windows-based container images. Any image carrying an affected version of the Remote Desktop Client is flagged automatically.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting it further against each environment's compliance policy to determine urgency and routing. Triage findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Where fix versions exist (10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, and 10.0.22631.7219 for the applicable Windows builds), a patched-image rebuild becomes available in HarborGuard as soon as the upstream patch is ingested. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim over the network, specifically by operating or controlling a malicious RDP server that the victim's client connects to.

  • Authentication: Not required

    No credentials or prior account access are needed on the targeted system; the attacker operates from an unauthenticated position.

  • Victim interaction: Required

    The victim must actively initiate an RDP connection to the attacker-controlled server, requiring some form of social engineering or redirect.

  • Attack complexity: Detail

    Attack complexity is rated High, meaning reliable exploitation depends on environmental factors such as memory layout conditions that the attacker cannot fully control.

Blast Radius

  • Reads sensitive data accessible to the Remote Desktop Client process, including credentials, session tokens, and locally cached files.
  • Writes or modifies files and configuration on the host under the permissions of the compromised process.
  • Executes arbitrary code in the context of the victim user, enabling installation of malware or lateral movement tooling.
  • Crashes or destabilizes the Remote Desktop Client process, disrupting the user's session.

How HarborGuard Handles This

Available on HarborGuard: detection against all affected Windows version ranges is active the moment this CVE enters the upstream feed, with no manual tuning required. For environments running affected builds, rebuilt images at the patched versions are made available as soon as the fix is ingested. For customers who opt into auto-remediation, HarborGuard targets a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues, covering the rebuild, regression run, and pull request steps. Because exploitation requires victim interaction and high attack complexity, environments that cannot immediately apply the patch should consider restricting outbound RDP connections via network policy to limit the set of RDP servers users can reach, reducing the social-engineering surface while the patch is staged.

Fix available

  • 10.0.17763.8880
  • 10.0.19044.7417
  • 10.0.19045.7417
  • 10.0.20348.5256
  • 10.0.22631.7219
  • 10.0.26100.8655
  • 10.0.26100.32995
  • 10.0.26200.8655
  • 10.0.28000.2269

Affected packages
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
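
The ranges listed above can be matched against an asset inventory as in the following added example, which is not HarborGuard's or Microsoft's code. The inventory rows and the `is_server` flag are assumptions. It compares revisions as integers and keys on edition as well as build, because build 26100 carries two different fix revisions on this page.

```python
# Fix revisions copied from this page's "Affected packages" list.
# Key: (build, is_server) -> first fixed revision. Build 26100 is listed
# twice: Windows 11 24H2 and Server 2025 share it but differ in fix revision.
FIXED_REVISION = {
    (17763, False): 8880, (17763, True): 8880,    # Win10 1809 / Server 2019
    (19044, False): 7417, (19045, False): 7417,   # Win10 21H2 / 22H2
    (20348, True): 5256,                          # Server 2022
    (22631, False): 7219,                         # Win11 23H2
    (26100, False): 8655, (26100, True): 32995,   # Win11 24H2 / Server 2025
    (26200, False): 8655, (28000, False): 2269,   # Win11 25H2 / 26H1
}


def parse_version(version):
    """Split '10.0.<build>.<revision>' into integers (build, revision)."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    major, minor, build, revision = (int(p) for p in parts)
    if (major, minor) != (10, 0):
        raise ValueError(f"not a 10.0.x.y version: {version!r}")
    return build, revision


def classify(version, is_server):
    """Return 'affected', 'fixed', or 'not-listed' for one host or image."""
    build, revision = parse_version(version)
    fixed = FIXED_REVISION.get((build, is_server))
    if fixed is None:
        return "not-listed"
    # Integer comparison: as strings, "32995" would sort before "8655".
    return "affected" if revision < fixed else "fixed"


# Constructed inventory rows: (name, OS version, is_server).
SAMPLE_INVENTORY = [
    ("build-agent-01", "10.0.17763.8879", True),
    ("laptop-17", "10.0.26100.9000", False),
    ("app-srv-02", "10.0.26100.9000", True),
    ("legacy-box", "10.0.14393.5000", True),
]


def affected_hosts(inventory):
    """Names of inventory entries still below the fixed revision."""
    return [n for n, v, s in inventory if classify(v, s) == "affected"]


if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))
```

A result of `not-listed` means only that the build does not appear in this page's list.
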
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C