CVE-2026-57982: July Updates Fix Windows RDP Data Leak

Microsoft has released fixes for CVE-2026-57982, a Windows Remote Desktop Protocol information-disclosure vulnerability that could allow an authenticated, low-privileged attacker to retrieve data over the network. The flaw is rated 6.5 out of 10 under CVSS 3.1—Medium severity—but it lands in a service that many organizations deliberately expose to administrators, help desks, vendors, and remote workers.
Microsoft’s Security Update Guide published the advisory on July 14, 2026. The vendor describes the underlying weakness as use of an uninitialized resource in Windows RDP, tracked as CWE-908. NIST’s National Vulnerability Database has mirrored Microsoft’s record but says it is still awaiting its own enrichment.
The immediate action is straightforward: deploy the July 2026 cumulative update appropriate to each supported Windows release, then validate that RDP is restricted to the people and networks intended to use it. This is not a reason to turn off remote administration wholesale, but it is a useful prompt to treat RDP exposure and account permissions as one combined control.

Cybersecurity diagram showing secure remote desktop access, CVE threat protection, MFA, and Windows enterprise systems.The vulnerability needs access, but not user interaction​

Microsoft’s vector for CVE-2026-57982 is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, the attack can be performed over a network with low complexity and no victim action, but the attacker must already hold low-level privileges.
That distinction matters. This is not described as a pre-authentication RDP takeover, a wormable flaw, or a remote-code-execution bug. It does not directly alter data or take a machine offline. Instead, successful exploitation carries a high confidentiality impact: information that should not be disclosed could become visible to an attacker who is already able to authenticate at a low privilege level.
For Windows administrators, the realistic risk question is therefore not merely, “Is TCP 3389 open?” It is also: who can establish an RDP session, what accounts can do so, how are those accounts protected, and what sensitive data is reachable inside that session?
Microsoft’s temporal scoring also lists the exploit-code maturity as Unproven. The advisory does not identify a public proof of concept or active exploitation. That is meaningful context, but it should not become a reason to defer indefinitely: patch availability gives defenders a clear remediation path, and RDP remains a routinely scrutinized entry point in enterprise environments.

July’s cumulative updates carry the fix​

Microsoft’s affected-product list is broad. It includes current Windows 11 client releases, Windows 10 long-term and Extended Security Update scenarios, and Windows Server releases reaching back to Windows Server 2012 and 2012 R2.
The major July 14 update targets include:
  • Windows 11 version 24H2 and version 25H2 receive KB5101650, bringing systems to OS Builds 26100.8875 and 26200.8875 respectively.
  • Windows 10 version 21H2 and version 22H2 receive KB5099539, reaching OS Builds 19044.7548 and 19045.7548 for supported ESU and LTSC scenarios.
  • Windows Server 2025 receives KB5099536, OS Build 26100.33158.
  • Windows Server 2022 receives KB5099540, OS Build 20348.5386.
The Security Update Guide also identifies Windows 11 version 26H1 as affected before Build 28000.2525, along with Windows 10 version 1607 and 1809, Windows Server 2016, Windows Server 2019, and the older Windows Server 2012-family releases. Organizations with long-lived infrastructure should not treat this as a Windows 11-only issue.
Patch verification should use the installed OS build rather than merely confirming that a machine has recently checked Windows Update. On a client or server, winver provides a quick visual check; inventory platforms should report the cumulative update or build revision. WSUS, Microsoft Configuration Manager, Intune, and endpoint-management tools should be checked for successful installation rather than approval status alone.
Microsoft’s support documentation says the cumulative updates are available through Windows Update, Windows Update for Business, Microsoft Update Catalog, and Windows Server Update Services. For offline image servicing and controlled deployment rings, administrators should follow the prerequisites and package-order guidance in the respective KB article.

RDP exposure is the bigger operational variable​

CVE-2026-57982 requires an authorized attacker, which makes identity controls central to the response. A workstation with Remote Desktop disabled or inaccessible from an attacker’s network is in a very different risk position from a shared server reachable through a broad VPN group, a flat internal network, or—worst of all—the public internet.
Start by locating systems actually listening for Remote Desktop connections. The presence of the Remote Desktop Services service alone is not proof of exposure, but it is a useful inventory signal. On an individual system, administrators can check whether port 3389 is listening and review Windows Defender Firewall rules. At scale, network telemetry and vulnerability-scanning data will reveal the systems that matter most.
The priority group is usually clear:
  • Internet-facing RDP hosts and remote-access gateways should be patched on an accelerated schedule and checked for unnecessary direct exposure.
  • Jump servers, domain-adjacent management servers, virtual desktop infrastructure hosts, and vendor-support endpoints deserve priority because a low-privileged authenticated session may still have access to valuable operational data.
  • Legacy Windows Server systems should be checked against their servicing entitlement, particularly where Extended Security Updates determine whether the July package is available.
Network Level Authentication remains important because this vulnerability already requires authentication; NLA helps ensure a session is authenticated before a full Remote Desktop connection is established. But NLA is not a substitute for installing the fix. Likewise, multi-factor authentication on a Remote Desktop Gateway or through a privileged-access workflow reduces the likelihood of stolen credentials becoming the required “low privileges” in Microsoft’s attack scenario, but it does not remove the vulnerable code from an unpatched host.
Least privilege is equally relevant. Remove stale accounts from the local Remote Desktop Users group, keep administrative Remote Desktop rights narrow, separate standard user and administrative identities, and review service accounts that may have interactive logon rights. In an RDP issue where confidentiality is the stated impact, data access inside the session can be as consequential as access to the session itself.

The patch has a compatibility consideration​

The July 14 updates do more than fix security vulnerabilities. Microsoft has documented a networking hardening change that enforces Transport Driver Interface transport-registration requirements. The company warns that applications using sockets over unregistered third-party TDI transports might stop working after installation.
That warning is especially relevant to older line-of-business software, custom network products, and environments with long-lived endpoint or protocol components. Registered TDI transports are not affected, according to Microsoft, but a cautious enterprise rollout should include representative testing where unusual networking software is in use.
There are also RDP-related changes in the July updates: Microsoft is adding SHA-2 certificate-thumbprint support for trusted RDP publishers while retaining SHA-1 only for backward compatibility. The company recommends moving trusted publisher configurations to SHA-256 or stronger. That change is separate from CVE-2026-57982, yet the timing makes July an appropriate month to inventory old RDP file-signing and publisher trust practices.
For most estates, the response should be a normal but prompt security deployment, accelerated for exposed RDP servers and systems handling sensitive workloads. The unresolved variable is whether public exploit development follows the advisory; until then, the decisive milestone is simple: systems should be at the July 14, 2026 cumulative-update level or later, with RDP access limited to the smallest practical set of authenticated users and networks.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top