Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
Analysis (AI)
Heap-based buffer overflow in Microsoft Remote Desktop Client enables remote code execution when a user connects to a malicious RDP server, with the attacker gaining the same privileges as the connecting user. The CVSS 8.8 score reflects network-reachable exploitation requiring only minimal user interaction (initiating an RDP session), and no public exploit has been identified at time of analysis. …
Vulnerability Assessment (AI)
| Area | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the victim to initiate an RDP session from a vulnerable Remote Desktop Client to an attacker-controlled or compromised RDP server (UI:R in the CVSS vector); the attacker does not need any prior credentials on the victim machine (PR:N) and the network vector (AV:N) is satisfied as soon as the client establishes the outbound RDP connection. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H indicates network-reachable, low-complexity exploitation with no prior authentication but requiring user interaction, yielding high impact across confidentiality, integrity, and availability - a base score of 8.8. … |
| Exploit Scenario | An attacker stands up a malicious RDP server and lures a target - via a phishing email containing a crafted .rdp file, a malicious link, or a compromised internal jump host - into initiating an outbound RDP connection. During the protocol handshake or subsequent channel negotiation, the server returns malformed structures that overflow a heap buffer in the client, leading to code execution in the user's session, after which the attacker can steal credentials, pivot internally, or stage further payloads. … |
| Remediation | Patch availability is indicated by the linked MSRC update guide entry but no specific fixed build is enumerated in the supplied data - treat this as 'Patch available per vendor advisory' and retrieve the exact fixed versions and KB numbers from https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47289, then deploy through Windows Update, WSUS, or Intune/SCCM as appropriate to all endpoints running the Remote Desktop Client. … |
Recommended Action (AI)
Within 24 hours: Identify all systems running Microsoft Remote Desktop Client and audit which employees require RDP access; disable RDP on systems where it is not business-critical and restrict remaining RDP access to trusted internal networks via firewall rules. …
EUVD-2026-35700
GHSA-997j-4mpr-699r