CVE-2026-58594: Patch Windows RDP Client RCE in July 2026

Microsoft’s July 14, 2026 security updates fix CVE-2026-58594, a Remote Desktop Client remote code execution vulnerability that can let an unauthenticated attacker run code on a Windows machine after persuading a user to initiate a malicious RDP connection. The issue is rated Important with a CVSS 3.1 score of 8.8, and it affects a long list of supported Windows client and server releases, including Windows 10, Windows 11, and Windows Server.
Microsoft’s advisory identifies the root cause as an integer overflow or wraparound flaw in Windows RDP processing. The National Vulnerability Database reproduces Microsoft’s description: an unauthorized attacker can execute code over a network. That language matters, but so does the CVSS vector: exploitation has low attack complexity and requires no attacker privileges, yet it does require user interaction.
For administrators, the immediate action is straightforward: deploy the July 2026 cumulative security updates through Windows Update, Windows Server Update Services, Microsoft Configuration Manager, Intune, or the Microsoft Update Catalog. This is a client-side RDP issue, not the classic scenario of an internet-exposed RDP server being directly attacked by an unauthenticated scanner.

Cybersecurity scene showing a Windows computer, protective shield, phishing hook, warning symbol, and server racks.A malicious RDP destination is the likely trigger​

“Remote Desktop Client” is the crucial part of the advisory’s title. The vulnerable component is on the system making an RDP connection, rather than necessarily the endpoint accepting one. In practical terms, a threat actor would need to get a target to connect with the built-in Remote Desktop Connection client or another affected Windows RDP client path to an attacker-controlled service.
That can happen through a phishing message containing an .rdp file, a link to a supposed helpdesk workstation, a fake remote-support session, or a compromised server already trusted by a user. The published scoring does not establish the exact delivery method, and Microsoft has not publicly released a proof of concept or technical exploit sequence. Still, the combination of network reachability and required user interaction is consistent with a malicious remote endpoint supplying crafted RDP protocol data after the connection begins.
This distinction should keep response teams from misclassifying CVE-2026-58594 as a BlueKeep-style emergency. It is not described as wormable, and the available data does not say that a machine merely listening on TCP port 3389 is enough to trigger the flaw. The risk sits instead with employees, administrators, helpdesk staff, and contractors who routinely use Remote Desktop to reach unfamiliar or externally hosted systems.
The CVSS vector assigns high impacts to confidentiality, integrity, and availability. If successfully exploited, the flaw could therefore give an attacker control in the security context of the RDP client user. That is particularly concerning on privileged administration workstations, jump boxes, and servers where administrators use Remote Desktop with elevated accounts.

July’s cumulative updates carry the fix​

Microsoft published CVE-2026-58594 on July 14 as part of its July 2026 security release. The affected-product record includes Windows 10 version 1607 and later supported servicing branches, Windows 11 versions 24H2, 25H2, and 26H1, plus Windows Server 2012 through Windows Server 2025, including Server Core installations where listed.
Some of the minimum fixed build numbers disclosed through Microsoft’s CVE data are useful for validation:
  • Windows 10 version 21H2 reaches the fixed level at OS Build 19044.7548.
  • Windows 10 version 22H2 reaches the fixed level at OS Build 19045.7548.
  • Windows 11 version 24H2 reaches the fixed level at OS Build 26100.8875.
  • Windows 11 version 26H1 reaches the fixed level at OS Build 28000.2525.
  • Windows Server 2025 reaches the fixed level at OS Build 26100.33158.
For Windows 10 Extended Security Updates and LTSC deployments, Microsoft’s July 14 package is KB5099539, which raises Windows 10 version 22H2 to build 19045.7548 and version 21H2 to build 19044.7548. Windows 11 24H2 and 25H2 received the July package KB5101650, with build numbers varying by release branch.
Administrators should validate the installed OS build, not merely whether a monthly update appears in a deployment console as approved. Devices can remain exposed if an update is pending restart, superseded by an incomplete servicing stack operation, or blocked by a known installation failure. Endpoint-management reports should also account for Windows Server systems, where Remote Desktop use is often more concentrated and more privileged.

No known exploitation is good news, not a mitigation​

Microsoft’s advisory says exploitation is not known publicly, and CISA’s Stakeholder-Specific Vulnerability Categorization data currently records exploitation as “none.” CISA also marks the flaw as not automatable, while assigning “total” technical impact if exploitation succeeds.
That is a meaningful reduction in immediate urgency compared with a vulnerability being actively exploited in the wild, but it should not be read as a reason to defer the update indefinitely. Microsoft has confirmed the vulnerability, identified its class as CWE-190 integer overflow or wraparound, and provided a patch. The information available to attackers is limited today; every newly published CVE, patch diff, and affected-build list can make research easier over time.
The NVD has not yet completed its own enrichment of the record. Its current entry relies on Microsoft’s CVSS assessment rather than an independent NVD score. That is normal for a disclosure published only a day earlier, and it means defenders should resist filling gaps in the public record with assumptions about exploitability, required RDP configuration, or exact vulnerable code paths.
The priority is highest for systems where users can make RDP connections to third-party infrastructure and where those users hold local administrator, domain administrator, cloud administrator, or helpdesk privileges. A hardened PAW is not much of a privileged access workstation if its operator can be tricked into connecting to an attacker-controlled remote desktop host before patches are installed.

RDP file controls remain worth checking​

CVE-2026-58594 arrives only months after Microsoft added more explicit RDP-file safety prompts in the April 2026 security updates. Microsoft’s Remote Desktop documentation says the updated Remote Desktop Connection experience displays the remote address and presents requested local-resource redirections before a connection is made. Drive, clipboard, smart-card, Windows Hello for Business, WebAuthn, printer, camera, and device redirection can all materially change the exposure of a remote session.
Those prompts do not patch the integer-overflow bug. They do, however, reduce the chance that a user casually opens an unexpected RDP file and shares local resources with an unfamiliar system. Organizations should treat the two controls as complementary: patch the client to eliminate the code-execution condition, then use policy and user training to reduce unsafe connection attempts.
A sensible short-term response includes reviewing whether .rdp files are delivered by email, whether users are trained to verify remote destinations out of band, and whether privileged staff use separate accounts or separate workstations for remote administration. Signed RDP files offer publisher identity information, but Microsoft also warns that a signature alone is not proof that a connection is safe.
The near-term test for IT teams is simple: confirm that July’s cumulative update is installed across the fleet, especially on admin endpoints and shared support devices. Until Microsoft publishes deeper technical detail, the clearest risk boundary is equally simple: do not let an unpatched Windows RDP client connect privileged users to destinations they do not already trust.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: learn.microsoft.com
 

Back
Top