Microsoft Windows Remote Desktop, improper privilege management elevation of privilege
An improper privilege management flaw in Windows Remote Desktop allows an authorized local attacker to elevate privileges to SYSTEM. Reported exploit tooling abuses the weakness by modifying an attacker-controllable service configuration to gain elevated execution. Microsoft confirmed in-the-wild exploitation, and CISA added the CVE to the Known Exploited Vulnerabilities catalog on the disclosure date.
Overview
CVE-2026-21533 is an improper-privilege-management vulnerability (CWE-269) in Windows Remote Desktop. The component fails to correctly constrain what a low-privileged user can influence, allowing an authenticated local attacker to elevate to SYSTEM. Public reporting on the observed exploit binary indicates it abuses the weakness by replacing or modifying a service configuration key with an attacker-controlled value, so that privileged code subsequently runs the attacker's payload, in observed cases adding a new account to the local Administrators group. Microsoft rated the issue Important with a CVSS 3.1 base score of 7.8 and confirmed it was exploited in the wild. CISA added it to the Known Exploited Vulnerabilities catalog on 10 February 2026 with a remediation due date of 3 March 2026.
The vulnerability was disclosed and patched in the February 2026 Patch Tuesday release, one of six actively exploited zero-days that month. CrowdStrike Intelligence reported retrospective evidence of the exploit binary being used against U.S. and Canada-based entities since at least late December 2025, indicating real, targeted abuse ahead of the fix.
Technical Details
Improper privilege management means a security boundary is enforced incompletely: an action that should be reserved for a privileged principal is reachable, directly or indirectly, by a less-privileged one. In this case the Remote Desktop code path lets a low-privileged user influence configuration that a higher-privileged service later acts on. The reported technique modifies a service configuration entry, for example pointing a service at an attacker-controlled image or parameters, so that when the privileged service starts or reloads, it executes code of the attacker's choosing in a SYSTEM context. The exploit then leverages that execution to add a user to the Administrators group, cementing elevated access.
The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H confirms a local attack (AV:L) by an already-authenticated low-privileged user (PR:L) with no user interaction (UI:N) that results in full compromise (C:H/I:H/A:H). It is a classic post-foothold escalation: once an attacker has any code execution on the host, they use this flaw to obtain SYSTEM and administrative group membership.
Impact
- Local elevation from an authenticated low-privileged account to SYSTEM, with observed exploits granting local administrator membership.
- SYSTEM-level execution enabling security-tool tampering, persistence, and lateral movement from the compromised host.
- Confirmed in-the-wild exploitation with targeted activity reported since late December 2025, so working exploit binaries exist and are circulating.
- Broad exposure across supported Windows 10, Windows 11, and Windows Server editions that ship the affected Remote Desktop components.
Mitigation
- Install the February 2026 (10 February 2026) cumulative security update on every affected system promptly; CISA's federal remediation deadline of 3 March 2026 is a sensible urgency target for all organisations given confirmed exploitation.
- Obtain the exact KB for each OS from the MSRC Security Updates table for CVE-2026-21533 and deploy it: the February 2026 cumulative update for Windows 11 24H2, 23H2, and 22H2; for Windows 10 22H2 / 21H2; and the matching February 2026 cumulative update or monthly rollup for Windows Server 2025, Server 2022 (including 23H2), Server 2019, and Server 2016.
- Reboot after installation and confirm the build advanced to the February 2026 servicing level so the corrected Remote Desktop components are loaded.
- As defence in depth, audit and lock down service configuration permissions: ensure non-administrators cannot modify service ImagePath, binary, or parameter values, and review ACLs on Remote Desktop-related services for over-permissive entries.
- Prioritise Remote Desktop Session Hosts, jump servers, and any multi-user system where low-privileged users execute code, and keep EDR tamper protection enabled so a SYSTEM escape does not silently neutralise monitoring.
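The service-ACL review in the defence-in-depth bullet can be scripted. The following is an added example, not tooling from Microsoft, CISA or CrowdStrike: it parses the security descriptor that `sc sdshow <service>` prints (TermService is the real Remote Desktop Services service; the `ExampleSvc` descriptors below are constructed, with one deliberately weakened) and flags any allow-ACE that gives a non-administrator principal SERVICE_CHANGE_CONFIG (`DC`), WRITE_DAC (`WD`), WRITE_OWNER (`WO`) or a generic right implying them. It checks the service object's DACL only; the ACL on the matching `HKLM\SYSTEM\CurrentControlSet\Services\<name>` key is a separate check.

```python
import re
from dataclasses import dataclass

# Two-letter access-right codes as `sc sdshow <service>` prints them in the DACL.
# CC..CR are the service-specific rights; SD/RC/WD/WO are standard rights and
# GA/GR/GW/GX the generic ones.
RIGHT_NAMES = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# Rights that let the holder change ImagePath/parameters (DC), rewrite the ACL
# itself (WD, WO), or that imply those (GA, GW). Any of these for a non-admin
# principal is the over-permissive entry the mitigation bullet asks you to find.
WRITE_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}
# Numeric equivalents, for descriptors that print the access mask as hex.
WRITE_MASKS = {"DC": 0x0002, "WD": 0x00040000, "WO": 0x00080000,
               "GW": 0x40000000, "GA": 0x10000000}
# Principals expected to hold write rights on a service: Builtin Administrators, Local System.
TRUSTED_SIDS = {"BA", "SY"}

ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample descriptors (shape of a typical default vs. a weakened one).
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;BU)")  # Builtin Users can change config


@dataclass
class Finding:
    service: str
    trustee: str   # SID abbreviation or full S-1-... string from the ACE
    rights: list   # the write-capable codes that principal holds


def decode_rights(mask_field: str) -> set:
    """Turn an SDDL rights field (letter pairs or 0x hex) into a set of codes."""
    if mask_field.lower().startswith("0x"):
        mask = int(mask_field, 16)
        return {code for code, bit in WRITE_MASKS.items() if mask & bit}
    return {mask_field[i:i + 2] for i in range(0, len(mask_field) - 1, 2)}


def audit_service_sddl(service: str, sddl: str) -> list:
    """Return one Finding per allow-ACE in the DACL that grants write rights to an untrusted SID."""
    dacl = re.search(r"D:([^:]*)", sddl)   # DACL section; stops before the S: (SACL) part
    if not dacl:
        return []
    findings = []
    for ace in ACE_RE.findall(dacl.group(1)):
        parts = ace.split(";")              # type;flags;rights;obj_guid;inherit_guid;sid
        if len(parts) < 6 or parts[0] != "A":   # only access-allowed ACEs matter
            continue
        rights = decode_rights(parts[2]) & WRITE_RIGHTS
        trustee = parts[5]
        if rights and trustee not in TRUSTED_SIDS:
            findings.append(Finding(service, trustee, sorted(rights)))
    return findings


if __name__ == "__main__":
    # On a live host replace the constants with: subprocess.run(["sc", "sdshow", "TermService"], ...)
    for name, sddl in (("ExampleSvc-hardened", HARDENED_SDDL), ("ExampleSvc-weak", WEAK_SDDL)):
        for f in audit_service_sddl(name, sddl):
            print(f"{f.service}: {f.trustee} holds {[RIGHT_NAMES[r] for r in f.rights]}")
```

Feed it the `sc sdshow` output for TermService and the other services on the host; the principals it flags (BU, AU, IU, Everyone as `WD`, or an explicit non-admin SID) are the ones that can point the service at a different image or parameters, which is the class of change the observed exploit makes.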
Detection
The observed exploit leaves concrete, huntable artifacts because it tampers with service configuration and group membership. Monitor for changes to service configuration in the registry, specifically writes to ImagePath, ServiceDll, or related parameter values under HKLM\SYSTEM\CurrentControlSet\Services for Remote Desktop and other services, performed by a non-administrative or unexpected process. Sysmon registry events (event IDs 12 to 14) and Windows Security event 4657 (registry value modified) on those keys are high-value signals, as is service-installation event 7045 or service-change event 7040 in the System log when the change is not attributable to a legitimate admin or installer.
Alert aggressively on local-group membership changes: Windows Security event 4732 (member added to a security-enabled local group), especially additions to Administrators, correlated with a recent low-privileged login, strongly matches the reported post-exploitation behaviour of creating or promoting an account. New account creation (event 4720) followed immediately by privileged-group addition deserves an automatic high-severity alert. Map these to ATT&CK T1543.003 (create or modify system process: Windows service) and T1068 (exploitation for privilege escalation).
In EDR telemetry, hunt for a standard-user process that triggers a service restart and is followed by an unexpected SYSTEM-context child, or for processes writing to service keys and then a privileged service spawning an anomalous image. Because CrowdStrike attributed a specific exploit binary to this CVE, sweep endpoints for unfamiliar executables that manipulate service configuration and run threat-intel-provided hashes or YARA rules where available.
Finally, treat patch coverage as detection input. Run authenticated scans and flag any host missing the February 2026 cumulative update, then cross-reference against the service-configuration and group-membership telemetry above. Ensure security agents have current behavioural detections for service-hijack escalation and that tamper protection is enabled, since obtaining SYSTEM and administrators membership is precisely what lets an attacker disable defences next. Given CrowdStrike's report of activity since late December 2025, hunt retrospectively across stored registry-change, service-event, and group-membership logs so earlier intrusions that predate the patch are not overlooked.
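The three hunts described in this section (service-key writes by an unexpected principal, account creation followed by Administrators membership, and any Administrators addition) can be expressed as one correlation pass over event-log records. The code below is an added example written for this page, not a published detection from any vendor; the event dicts are constructed from the real Windows/Sysmon field meanings (Sysmon 13 `TargetObject`, Security 4657 `ObjectName` plus `ObjectValueName` pre-joined into `target`, 4720/4732 `TargetUserName` and `MemberName`), and the account names, `ExampleSvc` and the file path are placeholders.

```python
import re
from datetime import datetime, timedelta

# Registry values under a service key that decide what code a privileged service
# loads. A write to any of them by a non-admin principal is the tamper signal
# the text describes (Sysmon 13 SetValue or Security 4657).
SERVICE_VALUE_RE = re.compile(
    r"^HK(?:LM|EY_LOCAL_MACHINE)\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\"
    r"(?:ImagePath|Parameters\\[^\\]+)$",
    re.IGNORECASE,
)
# Accounts expected to touch service configuration; anything else is "unexpected".
PRIVILEGED_ACCOUNTS = {"SYSTEM", "TrustedInstaller", "Administrator"}
ADMIN_GROUP = "Administrators"
WINDOW = timedelta(minutes=10)   # 4720 -> 4732 correlation window


def detect(events):
    """Run the three hunts over a time-ordered list of event dicts.
    Each dict carries: ts (datetime), source ('Security'|'Sysmon'), id (int),
    user (subject account) and the per-event fields used below.
    Returns (severity, ATT&CK technique, description) tuples."""
    alerts = []
    recent_creates = {}   # new account name -> creation time, from 4720
    for e in events:
        key = (e["source"], e["id"])
        # 1. Service configuration write by a non-privileged principal (T1543.003).
        if key in {("Sysmon", 13), ("Security", 4657)}:
            target = e["target"]
            if SERVICE_VALUE_RE.match(target) and e["user"] not in PRIVILEGED_ACCOUNTS:
                alerts.append(("HIGH", "T1543.003",
                               f"{e['user']} wrote {target} via {e.get('image', '?')}"))
        # 2. Account creation: remember it so a later group add can be correlated.
        elif key == ("Security", 4720):
            recent_creates[e["member"]] = e["ts"]
        # 3. Member added to Administrators; critical if the account is brand new.
        elif key == ("Security", 4732) and e["group"] == ADMIN_GROUP:
            created = recent_creates.get(e["member"])
            if created is not None and e["ts"] - created <= WINDOW:
                alerts.append(("CRITICAL", "T1068",
                               f"new account {e['member']} added to {ADMIN_GROUP} "
                               f"{e['ts'] - created} after creation, by {e['user']}"))
            else:
                alerts.append(("HIGH", "T1068",
                               f"{e['member']} added to {ADMIN_GROUP} by {e['user']}"))
    return alerts


# Constructed sample telemetry (not from any real incident), already time-ordered.
T0 = datetime(2026, 2, 11, 10, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "source": "Sysmon", "id": 13, "user": "jdoe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\ImagePath",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\unknown.exe"},
    {"ts": T0 + timedelta(seconds=30), "source": "Sysmon", "id": 13, "user": "SYSTEM",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\ImagePath",
     "image": r"C:\Windows\System32\svchost.exe"},          # servicing write, expected
    {"ts": T0 + timedelta(minutes=1), "source": "Security", "id": 4720,
     "user": "jdoe", "member": "svc_backup"},
    {"ts": T0 + timedelta(minutes=2), "source": "Security", "id": 4732,
     "user": "jdoe", "member": "svc_backup", "group": ADMIN_GROUP},
    {"ts": T0 + timedelta(minutes=5), "source": "Security", "id": 4657, "user": "jdoe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters\ServiceDll"},
    {"ts": T0 + timedelta(hours=1), "source": "Security", "id": 4732,
     "user": "Administrator", "member": "helpdesk", "group": ADMIN_GROUP},
]

if __name__ == "__main__":
    for severity, technique, text in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {technique}: {text}")
```

The SYSTEM-context write to TermService produces nothing, the standard user's writes to `ImagePath` and `ServiceDll` each raise a T1543.003 alert, and the 4720 followed within the window by 4732 into Administrators is escalated to critical while the later, uncorrelated Administrators addition still alerts at high severity, matching the "alert aggressively" guidance above. For retrospective hunting, replay stored events through the same function in timestamp order.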
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-21533
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21533
- https://www.cisa.gov/news-events/alerts/2026/02/10/cisa-adds-six-known-exploited-vulnerabilities-catalog
- https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2026-patch-tuesday-fixes-6-zero-days-58-flaws/
- https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-february-2026/
