Skip to main content

Microsoft CVE-2026-21533

HIGH
Improper Privilege Management (CWE-269)
2026-02-10 secure@microsoft.com
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Added to CISA KEV
Mar 30, 2026 - 13:27 cisa
CISA KEV
PoC Detected
Mar 30, 2026 - 13:27 vuln.today
Public exploit code
Analysis Generated
Mar 12, 2026 - 22:02 vuln.today
CVE Published
Feb 10, 2026 - 18:16 nvd
HIGH 7.8

DescriptionCVE.org

Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate privileges locally.

AnalysisAI

Windows Remote Desktop contains an improper privilege management vulnerability (CVE-2026-21533, CVSS 7.8) enabling authorized local attackers to escalate to SYSTEM. KEV-listed, this vulnerability in the RDP subsystem is particularly concerning in environments where Remote Desktop is widely used, as it can be chained with RDP session access for complete system compromise.

Technical ContextAI

The Remote Desktop subsystem in Windows improperly manages privileges for certain operations, allowing an authorized user to escalate to SYSTEM. In environments using Remote Desktop Services, this vulnerability is particularly impactful because any user with RDP access can potentially achieve full system control. The vulnerability is local but RDP provides the remote access vector.

RemediationAI

Apply Microsoft security update. Enforce NLA (Network Level Authentication) for RDP. Implement MFA for RDP access. Restrict RDP access to required users only. Monitor for privilege escalation following RDP sessions.

Share

CVE-2026-21533 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy