Microsoft has published CVE-2026-56171, an information disclosure vulnerability in Windows Remote Desktop Protocol, adding another RDP-related item for administrators to account for in the July 2026 security-update cycle. The advisory was published on July 16, two days after July’s Patch Tuesday releases, but Microsoft’s public entry currently provides little technical detail beyond the affected component and impact classification.
That lack of detail is itself important. The Microsoft Security Response Center has confirmed the vulnerability exists, yet has not publicly described the flaw’s root cause, affected Windows versions, CVSS score, attack prerequisites, or whether exploitation has been detected. There is no basis, at this stage, to characterize CVE-2026-56171 as a wormable RDP issue, a remote-code-execution flaw, or an active zero-day.
For Windows administrators, the immediate action is simpler: ensure July 2026 cumulative updates are deployed to systems that provide or initiate Remote Desktop sessions, then validate that RDP exposure and redirection policies still match the organization’s intended design.
Microsoft classifies CVE-2026-56171 as an information disclosure vulnerability. In practical terms, that category means an attacker may be able to access data they should not be able to read. Depending on the underlying defect, disclosed data could range from application or protocol memory to configuration details or sensitive session material.
But information disclosure is an impact category, not a complete risk assessment. A flaw that leaks limited non-sensitive memory under a highly authenticated scenario is a very different operational problem from one that permits an unauthenticated internet-based attacker to retrieve credential material. Microsoft has not supplied the details needed to distinguish those possibilities.
The advisory’s publication date also deserves attention. Microsoft’s July 2026 security updates arrived on July 14, while the CVE entry is dated July 16. That does not necessarily mean the vulnerability was fixed out of band, nor does it establish that every Windows servicing release contains the fix. Administrators should treat the Security Update Guide as the definitive mapping when Microsoft adds affected-product and update information.
Windows 10 version 22H2 and Windows 10 Enterprise LTSC 2021 deployments received KB5099539, bringing the relevant builds to 19045.7548 and 19044.7548. Microsoft’s support documentation also directs organizations to the July 2026 Security Updates for the vulnerability-level record.
That is not a substitute for checking the individual CVE’s eventual product table. RDP has a wide footprint across Windows clients, Windows Server, Azure Virtual Desktop, Windows 365, and third-party remote-management workflows. The organization that only verifies laptops while leaving jump hosts, session hosts, management servers, and virtual-desktop images behind is not meaningfully reducing exposure.
The useful near-term checklist is short:
Microsoft has continued that work in the July release. The Windows 11 KB5101650 notes add support for SHA-2 certificate thumbprints for trusted RDP publishers, retain SHA-1 only for backward compatibility, and recommend that administrators move trusted publisher configurations to SHA-256 or stronger. Microsoft also published Group Policy guidance intended to let organizations control which RDP files users may open.
Those protections do not resolve CVE-2026-56171 by themselves. They address a separate but adjacent problem: users being persuaded to open hostile or untrusted RDP configuration files. Still, the overlap matters because RDP security is not just a server-patching exercise. It includes the integrity of connection files, the identity of remote hosts, redirection settings, gateway controls, authentication policy, and the client software used by administrators and end users.
The distinction affects triage. A confirmed information disclosure vulnerability requires patching and exposure review, but it does not automatically have the same urgency profile as a network-reachable RDP code-execution flaw. Conversely, an incomplete public advisory should not be read as reassurance: technical details often emerge after patches are available, when researchers and attackers can compare patched and unpatched binaries.
Microsoft has not indicated that CVE-2026-56171 is publicly disclosed or actively exploited. Until that status changes, organizations should avoid treating it as evidence of a live RDP campaign while still closing the patch gap promptly.
For now, July’s cumulative updates are the operational baseline, and RDP should remain behind layered access controls rather than exposed as a general-purpose internet service. If Microsoft expands the advisory with affected-product data, exploitability assessment, or proof-of-concept-related guidance, that will determine whether this becomes a routine patch-compliance item or a priority investigation across the Windows remote-access estate.
That lack of detail is itself important. The Microsoft Security Response Center has confirmed the vulnerability exists, yet has not publicly described the flaw’s root cause, affected Windows versions, CVSS score, attack prerequisites, or whether exploitation has been detected. There is no basis, at this stage, to characterize CVE-2026-56171 as a wormable RDP issue, a remote-code-execution flaw, or an active zero-day.
For Windows administrators, the immediate action is simpler: ensure July 2026 cumulative updates are deployed to systems that provide or initiate Remote Desktop sessions, then validate that RDP exposure and redirection policies still match the organization’s intended design.
A confirmed RDP flaw with an incomplete public profile
Microsoft classifies CVE-2026-56171 as an information disclosure vulnerability. In practical terms, that category means an attacker may be able to access data they should not be able to read. Depending on the underlying defect, disclosed data could range from application or protocol memory to configuration details or sensitive session material.But information disclosure is an impact category, not a complete risk assessment. A flaw that leaks limited non-sensitive memory under a highly authenticated scenario is a very different operational problem from one that permits an unauthenticated internet-based attacker to retrieve credential material. Microsoft has not supplied the details needed to distinguish those possibilities.
The advisory’s publication date also deserves attention. Microsoft’s July 2026 security updates arrived on July 14, while the CVE entry is dated July 16. That does not necessarily mean the vulnerability was fixed out of band, nor does it establish that every Windows servicing release contains the fix. Administrators should treat the Security Update Guide as the definitive mapping when Microsoft adds affected-product and update information.
Patch the Windows builds that carry your RDP estate
For client devices, Microsoft’s July cumulative updates include KB5101650 for Windows 11 version 24H2 and Windows 11 version 25H2. The resulting builds are 26100.8875 for Windows 11 24H2 and 26200.8875 for Windows 11 25H2.Windows 10 version 22H2 and Windows 10 Enterprise LTSC 2021 deployments received KB5099539, bringing the relevant builds to 19045.7548 and 19044.7548. Microsoft’s support documentation also directs organizations to the July 2026 Security Updates for the vulnerability-level record.
That is not a substitute for checking the individual CVE’s eventual product table. RDP has a wide footprint across Windows clients, Windows Server, Azure Virtual Desktop, Windows 365, and third-party remote-management workflows. The organization that only verifies laptops while leaving jump hosts, session hosts, management servers, and virtual-desktop images behind is not meaningfully reducing exposure.
The useful near-term checklist is short:
- Deploy the latest July 2026 security update for every supported Windows build that accepts or originates RDP connections.
- Confirm the installation on actual endpoints and servers rather than relying solely on WSUS, Intune, Configuration Manager, or RMM deployment status.
- Review RDP-enabled systems with direct internet exposure, particularly hosts listening on TCP 3389 without a VPN, RD Gateway, or equivalent access boundary.
- Keep Network Level Authentication enabled wherever application and legacy-client compatibility permits.
- Restrict clipboard, drive, printer, and device redirection to the minimum required for each remote-access role.
The RDP conversation has changed since April
CVE-2026-56171 lands after Microsoft’s April 2026 RDP security changes, which were aimed primarily at the abuse of.rdp connection files. Microsoft introduced more explicit warnings in Remote Desktop Connection when users open RDP files, with messaging around connection provenance and remote-session capabilities such as clipboard access.Microsoft has continued that work in the July release. The Windows 11 KB5101650 notes add support for SHA-2 certificate thumbprints for trusted RDP publishers, retain SHA-1 only for backward compatibility, and recommend that administrators move trusted publisher configurations to SHA-256 or stronger. Microsoft also published Group Policy guidance intended to let organizations control which RDP files users may open.
Those protections do not resolve CVE-2026-56171 by themselves. They address a separate but adjacent problem: users being persuaded to open hostile or untrusted RDP configuration files. Still, the overlap matters because RDP security is not just a server-patching exercise. It includes the integrity of connection files, the identity of remote hosts, redirection settings, gateway controls, authentication policy, and the client software used by administrators and end users.
Do not confuse this advisory with July’s RDP remote-code-execution issue
July’s Microsoft update set also includes CVE-2026-56190, a separate Windows RDP remote code execution vulnerability that security advisories have identified as a far more severe issue. That CVE and CVE-2026-56171 should not be merged into a single generic “RDP bug” ticket.The distinction affects triage. A confirmed information disclosure vulnerability requires patching and exposure review, but it does not automatically have the same urgency profile as a network-reachable RDP code-execution flaw. Conversely, an incomplete public advisory should not be read as reassurance: technical details often emerge after patches are available, when researchers and attackers can compare patched and unpatched binaries.
Microsoft has not indicated that CVE-2026-56171 is publicly disclosed or actively exploited. Until that status changes, organizations should avoid treating it as evidence of a live RDP campaign while still closing the patch gap promptly.
The next meaningful update is Microsoft’s technical expansion
The outstanding question is not whether CVE-2026-56171 is real; Microsoft’s publication settles that. The unanswered questions are which Windows releases are affected, what access an attacker needs, what information could be exposed, and exactly which servicing updates remediate the flaw.For now, July’s cumulative updates are the operational baseline, and RDP should remain behind layered access controls rather than exposed as a general-purpose internet service. If Microsoft expands the advisory with affected-product data, exploitability assessment, or proof-of-concept-related guidance, that will determine whether this becomes a routine patch-compliance item or a priority investigation across the Windows remote-access estate.
References
- Primary source: MSRC
Published: 2026-07-16T07:00:00-07:00
Loading…
msrc.microsoft.com - Official source: learn.microsoft.com
Understanding security warnings when opening Remote Desktop (RDP) files | Microsoft Learn
Learn how to interpret and respond to security warnings in the Remote Desktop Connection app.learn.microsoft.com