Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
6DescriptionCVE.org
Insufficient ui warning of dangerous operations in Windows Remote Desktop allows an unauthorized attacker to perform spoofing over a network.
AnalysisAI
Windows Remote Desktop spoofing vulnerability allows remote unauthenticated attackers to bypass security warnings and trick users into accepting malicious RDP connections, potentially exposing sensitive session data. Affects all supported Windows 10, 11, and Server versions from 2012 through 2025. Vendor-released patches are available. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and network attack vector (AV:N) indicate exploitation would be straight
Technical ContextAI
This vulnerability stems from CWE-357 (Insufficient UI Warning of Dangerous Operations) in the Windows Remote Desktop Protocol (RDP) client implementation. RDP is Microsoft's proprietary protocol for remote graphical desktop connections, operating typically on TCP port 3389. The flaw occurs when the RDP client fails to adequately warn users about potentially dangerous connection operations, such as accepting certificates from untrusted sources or connecting to spoofed RDP servers. This UI/UX security weakness allows attackers to craft malicious RDP connection requests that appear legitimate to end users, bypassing critical security notifications that would normally alert users to potential man-in-the-middle attacks or rogue server connections. The affected component spans the entire Windows ecosystem, from legacy Server 2012 (build 6.2.9600.0) through the latest Windows 11 26H1 and Server 2025 releases, indicating a long-standing design flaw in the RDP client warning mechanism.
RemediationAI
Apply vendor-released security updates immediately through Windows Update or WSUS. Patch to the following minimum versions: Windows 10 1607/Server 2016 to build 10.0.14393.9060 or later, Windows 10 1809/Server 2019 to 10.0.17763.8644 or later, Windows 10 21H2 to 10.0.19044.7184 or later, Windows 10 22H2 to 10.0.19045.7184 or later, Windows 11 22H3/23H2 to 10.0.22631.6936 or later, Windows 11 24H2/Server 2025 to 10.0.26100.32690 or later, Windows 11 25H2 to 10.0.26200.8246 or later, Windows 11 26H1 to 10.0.28000.1836 or later, Windows Server 2012 to 6.2.9200.26026 or later, Windows Server 2012 R2 to 6.3.9600.23132 or later, and Windows Server 2022 23H2 to 10.0.25398.2274 or later. As interim mitigation, enforce strict certificate validation policies via Group Policy, restrict RDP client usage to trusted networks through firewall rules, and implement user awareness training to recognize suspicious RDP connection prompts. Detailed patch guidance is available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26151.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22372
GHSA-wgw8-32pr-g2q8