A zero-day vulnerability targeting Microsoft Windows is reportedly being sold on a dark web hacking forum for $220,000. The exploit takes advantage of a flaw in the Windows Remote Desktop Service, enabling a low-privileged user to escalate privileges and gain full administrative control of the affected system. The vulnerability was initially disclosed by Microsoft in February 2026, and was later discovered being marketed privately on a dark web marketplace, raising serious concerns about potential exploitation in the wild.
Understanding the Exploit
The Remote Desktop (RD) service vulnerability, officially tracked as CVE-2026-21533, was first revealed by Microsoft on February 10 alongside a patch designed to fix the flaw. The vulnerability primarily affects versions of Windows 11, Windows 10, and Windows Server 2012 & 2016. Microsoft classified the issue as high severity, noting that it was already being actively exploited despite remaining unknown to the general public at the time of disclosure.
To compromise a system using this flaw, an attacker must first obtain minimal, unprivileged access to the target machine. Without this initial foothold, the attack cannot proceed. This requirement can be satisfied through unprivileged user logins or RDP access, or by executing a malicious payload injector directly on the system. Disguised within infected software or embedded in malicious email attachments, such payloads can run without administrator privileges, detect the presence of the vulnerable Remote Desktop service, and then leverage the flaw to escalate privileges and gain broader system access.
The exploit works because the Remote Desktop (RD) service fails to properly validate the authority of the calling actor. As a result, a low-privileged session can trigger the service to execute instructions using the service’s own SYSTEM-level authority. In practical terms, the service effectively becomes a privileged proxy, performing restricted administrative registry writes on behalf of a user who would normally not have permission to carry out those actions.
Spotted in the Wild
Despite being announced and patched by Microsoft exactly a month ago, the flaw has made headlines once again after being spotted for sale on a darknet hacking forum. The forum user going by the name "Kamirmassabi" is reportedly asking $220,000 in exchange for the vulnerability. The listing, along with its price, suggests that these threat actors are banking on corporations and operators of critical systems not being fully up to date with security patches, allowing the vulnerability to remain exploitable.
Staying Secured
As of now, there are two crucial ways to mitigate this flaw, with one serving as a more temporary measure. First, as mentioned earlier, the vulnerability has already been fully patched, meaning that updating any vulnerable systems is the most effective solution. If updating is not immediately possible, or a quick interim fix is needed, users are advised to completely disable the Remote Desktop Service, especially on systems where it is not actively used.
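The following PowerShell script is an added example, not code from the article or from Microsoft, showing how an administrator could audit a host for the two mitigations described above (patch installed, or Remote Desktop Services turned off) and apply the interim one where the patch is missing. The KB identifier is a placeholder because the article does not give one; the service name TermService, the fDenyTSConnections registry value and the "Remote Desktop" firewall rule group are the standard Windows names for Remote Desktop Services.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit whether Remote Desktop Services
# is exposed on this host and, with -Disable, apply the interim mitigation the
# article describes (turn the service off where it is not needed).
# $PatchKB is a placeholder; substitute the update identifier from Microsoft's
# advisory for CVE-2026-21533 before relying on the PatchInstalled field.

[CmdletBinding()]
param(
    [string]$PatchKB = 'KBXXXXXXX',   # placeholder, not a real KB number
    [switch]$Disable
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    # Collect the three facts that decide whether this host still needs action.
    $svc  = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $deny = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections `
             -ErrorAction SilentlyContinue).fDenyTSConnections
    $fix  = Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceStatus    = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        ServiceStartType = if ($svc) { $svc.StartType } else { 'n/a' }
        RdpConnections   = if ($deny -eq 1) { 'Denied' } else { 'Allowed' }
        PatchInstalled   = [bool]$fix
    }
}

function Disable-RdpService {
    # Interim mitigation: refuse RDP connections, then stop and disable the
    # service so it cannot be restarted by a low-privileged session.
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1 -Type DWord
    # -Force is required because dependent services (e.g. UmRdpService) run on it.
    Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
    Set-Service -Name TermService -StartupType Disabled
    # The inbound RDP firewall rules serve no purpose once the service is off.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

$before = Get-RdpExposure
$before | Format-List

if ($Disable -and -not $before.PatchInstalled -and $before.ServiceStatus -ne 'NotInstalled') {
    Write-Warning "Update $PatchKB not found; disabling Remote Desktop Services as an interim measure."
    Disable-RdpService
    Get-RdpExposure | Format-List
}
elseif ($Disable) {
    Write-Host 'Update present or service not installed; no change made.'
}
```

Run it without -Disable first to see the report; with -Disable it only changes hosts where the update is absent and the service exists, so a patched machine that legitimately relies on RDP is left alone. Once the update has been applied, reverse the mitigation by setting fDenyTSConnections back to 0, setting the service start type to Manual and re-enabling the "Remote Desktop" rule group.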