
Windows Remote Desktop Services (RDS) Privilege Escalation Vulnerability

xin guo 20 Reputation points
2026-03-31T00:58:18.7766667+00:00

Version: Server 2016

All patch packages are required


Answer accepted by question author
  1. Q&A Assist
    2026-03-31T00:58:31.8866667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For Remote Desktop Services (RDS) privilege escalation and remote code execution vulnerabilities on Windows Server, protection is provided by installing the corresponding security updates (patch packages) for each bulletin that affects RDS/RDP.

    From the available information, the following RDS/RDP-related vulnerabilities and updates are relevant:

    1. MS11-061 – Remote Desktop Web Access elevation of privilege
      Applies to Windows Server 2008 R2 editions. The fix is provided via the MS11-061 security update. For affected systems, install the update from Microsoft Update or the security bulletin page.
    2. MS12-020 – Vulnerabilities in Remote Desktop could allow remote code execution
      Applies to Windows Server 2008/2008 R2 and earlier client OS versions. Systems with RDP enabled must install the MS12-020 security update from Microsoft Update or the MS12-020 bulletin.
    3. MS15-067 – Vulnerability in RDP could allow remote code execution
      Applies to Windows Server 2012 and Windows 7/8. The update resolves an RDP remote code execution vulnerability when the RDP server service is enabled. Install the MS15-067 update (KB listed in the bulletin) on all affected servers and clients. Systems without the RDP server service enabled are not at risk from this specific issue.
    4. MS16-007 – Windows Remote Desktop Protocol Security Bypass (CVE-2016-0019)
      Affects Windows 10 hosts running RDP services. The update enforces the default behavior of blocking remote logon for accounts without passwords. Install the MS16-007 update on affected Windows 10 systems.
    5. MS16-017 – RDP Elevation of Privilege (CVE-2016-0036)
      Applies to Windows Server 2012, Windows Server 2012 R2, and Windows 8.1/10. The security update (e.g., KB3126446 for Server 2012/2012 R2) replaces earlier RDP-related updates (such as those from MS15-067 or MS15-030). Install the MS16-017 update appropriate for the OS version.
    6. CVE-2019-0708 – Remote Desktop Services Remote Code Execution (“BlueKeep”)
      Applies to older platforms such as Windows Server 2003 and Windows Vista. Protection is provided by installing the specific security updates listed (for example, KB4500331 for Windows Server 2003 R2 x64, KB4499180 for Windows Vista SP2/x64). These updates are available via the Microsoft Update Catalog.

    For a Windows Server environment:

    • Identify the exact OS version and edition (for example, Windows Server 2012, 2012 R2, 2016, etc.).
    • For each OS version, install all RDS/RDP-related security updates corresponding to the bulletins above that list that OS as affected.
    • Ensure prerequisite updates (such as KB2919355 for Windows 8.1/Server 2012 R2) are installed where required so that later security updates can be applied.
    • If RDP/RDS is enabled, treat these updates as critical and deploy them through Windows Update, WSUS, or other patch management tools.

    For detailed per-OS package lists and download links, use the security bulletin pages referenced below and the Microsoft Update Catalog entries they point to.


    References:


  1. Harry Phan 17,050 Reputation points Independent Advisor
    2026-03-31T01:25:57.9033333+00:00

    Hi xin guo,

    The Remote Desktop Services (RDS) privilege escalation vulnerability affecting Windows Server 2016 is tracked as CVE‑2026‑21533. Microsoft released the official fix in the February 2026 Patch Tuesday cumulative updates, and installing the latest monthly rollup or security‑only package is mandatory to fully mitigate the issue.

    You need to apply the February 2026 security updates for Windows Server 2016, which contain the patch for CVE‑2026‑21533. This vulnerability allows local attackers to escalate privileges to SYSTEM due to improper privilege management in RDS. Microsoft classifies it as “Important” with a CVSS score of 7.8, and exploitation has already been observed in the wild, so delaying patching is risky. The relevant KB packages are listed in the Microsoft Security Update Guide, and for Server 2016 you should install the cumulative update KB5034803 (February 2026) or any later rollup, since subsequent monthly updates are supersets and include the fix. If you are running RDS in production, ensure all RDS hosts, Connection Brokers, and Session Hosts are patched consistently. After patching, confirm the update is applied by checking winver and verifying KB5034803 (or later) is listed under Control Panel > Programs and Features > Installed Updates. If WSUS or SCCM is in use, synchronize with Microsoft Update Catalog to deploy the patch across all servers.

    If you have strict change control, test the patch in a staging environment first, but do not postpone rollout beyond your next maintenance window. There are no supported workarounds other than applying the official Microsoft patch.

    Let me know if you need further assistance, and please feel free to hit Accept Answer if you find this information helpful to you.

    Harry.
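The two answers above share a common procedure: identify the exact OS build, check whether RDP is actually enabled, confirm that the required RDS/RDP updates are installed, and (for MS16-007) that blank-password remote logon is blocked. The following PowerShell script is an added example that automates those checks on one host; it is not code from the thread or from Microsoft. The KB list is a constructed default taken from the KB numbers quoted in the answers; replace it with the packages that apply to your OS version.

```powershell
# Added example (not from the thread): audit one Windows Server host for RDP exposure
# and for the presence of the RDS/RDP security updates discussed in the answers.
# Run in an elevated PowerShell session on the server being checked.
param(
    # Constructed default: the Server 2016 update named in Harry Phan's answer.
    # For other OS versions substitute the KBs from the relevant bulletins.
    [string[]]$RequiredKBs = @('KB5034803')
)

# 1. Exact OS version and build (the "check winver" step, scripted).
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

# 2. Is RDP enabled? fDenyTSConnections = 0 means incoming connections are allowed.
#    Systems with the RDP server service disabled are not exposed to these issues.
$tsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
$termSvc    = Get-Service -Name TermService -ErrorAction SilentlyContinue

# 3. Blank-password protection (the behaviour MS16-007 enforces): LimitBlankPasswordUse = 1
#    restricts accounts without passwords to console logon only.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LimitBlankPasswordUse
$blankPwBlocked = $lsa.LimitBlankPasswordUse -eq 1

# 4. Installed updates vs. the required list. Get-HotFix reads Win32_QuickFixEngineering,
#    which omits some packages, so the CBS package store is consulted as a second source.
$hotfixes = (Get-HotFix).HotFixID
$cbsPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'
$packages = Get-ChildItem $cbsPath -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty PSChildName
$missing  = foreach ($kb in $RequiredKBs) {
    $inHotFix  = $hotfixes -contains $kb
    # CBS package names look like Package_for_KBnnnnnnn~<publicKeyToken>~amd64~~...
    $inPackage = @($packages | Where-Object { $_ -like "Package_for_${kb}~*" }).Count -gt 0
    if (-not $inHotFix -and -not $inPackage) { $kb }
}

# 5. One object per host, suitable for piping to Export-Csv for a compliance report.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    OS               = $os.Caption
    Build            = "$($os.Version).$ubr"
    RdpEnabled       = $rdpEnabled
    TermService      = if ($termSvc) { $termSvc.Status } else { 'NotFound' }
    BlankPwBlocked   = $blankPwBlocked
    MissingKBs       = (@($missing) -join ',')
    # Exposed = RDP reachable AND at least one required update absent.
    Exposed          = ($rdpEnabled -and @($missing).Count -gt 0)
}
```

Run it via Invoke-Command against the Session Hosts and Connection Brokers to confirm they are patched consistently, as the second answer recommends; a host reporting Exposed = True is one that still needs the update before the next maintenance window.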

