Micropatches released for Remote Desktop Client Remote Code Execution Vulnerability (CVE-2026-47289)

June 2026 Windows Updates brought a patch for CVE-2026-47289, a remote code execution vulnerability in Remote Desktop Client, allowing a malicious RDP server to cause memory corruption in connecting RDP client, potentially leading to code execution.
The vulnerability was found internally by Microsoft engineer Raymond Reskusich. We recreated a POC from the official patch, which allowed us to reproduce the issue and create patches for legacy Windows users.
The Vulnerability
The vulnerability lies in the client's handling of the RDP "standard security" path, also called RDP Security Layer. When a client connects to a server that uses this legacy security layer (rather than TLS / Enhanced RDP Security), it validates the server certificate's signature and then uses the public key to encrypt the client random seed for the RDP session keys. A malicious server can provide a certificate with a malformed public-key blob that passes validation but causes memory corruption.
Microsoft's Patch
Microsoft fixed this issue by correctly validating the server's certificate.
Our Patch
Our patch is logically identical to Microsoft's.
Let's see our patch in action. With 0patch disabled, Remote Desktop Client (computer on the left) connects to a "malicious" RDP server (computer on the right), and immediately crashes due to memory corruption.
With 0patch enabled, Remote Desktop Client does not crash.
Micropatch Availability
Micropatches were written for the following security-adopted Windows versions:
Windows 11 v22H2 - fully updated
Windows 11 v21H2 - fully updated
Windows 10 v22H2 - fully updated
Windows 10 v21H2 - fully updated
Windows 10 v21H1 - fully updated
Windows 10 v20H2 - fully updated
Windows 10 v2004 - fully updated
Windows 10 v1909 - fully updated
Windows 10 v1809 - fully updated
Windows 10 v1803 - fully updated
Windows 7 - fully updated with no ESU, with ESU 1, ESU 2 or ESU 3
Windows Server 2008 R2 - fully updated with no ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
Windows Server 2012 - fully updated with no ESU, with ESU 1 or ESU 2
Windows Server 2012 R2 - fully updated with no ESU, with ESU 1 or ESU 2
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
We'd like to thank Raymond Reskusich for finding this vulnerability and having it patched, which allowed us to create patches for Windows versions that are no longer receiving official updates from Microsoft.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support in October 2025, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.
To learn more about 0patch, please visit our Help Center.