Hackers Allegedly Selling Exploit for Windows Remote Desktop Services 0-Day Flaw

Brownie2019

A threat actor is allegedly selling a zero-day exploit for a Windows Remote Desktop Services privilege escalation vulnerability, tracked as CVE-2026-21533, for a staggering $220,000 on a dark web forum. This highly priced exploit targets improper privilege management to grant attackers local administrative control.
The underground cybersecurity community has observed a new high-stakes listing on a dark web forum, where a recently registered user named Kamirmassabi is auctioning an exploit for CVE-2026-21533.
The threat actor, who created their account on March 3, 2026, posted the listing in the “[Virology] – malware, exploits, bundles, AZ, crypt” section.
The advertisement spotted by Dark Web Informer explicitly labels the vulnerability as a “0day” and sets the purchase price at $220,000, requesting interested buyers to reach out via private messages for feedback and transactions.
Read more:
 
Executive Summary

Confirmed Facts
A zero-day elevation of privilege (EoP) vulnerability (CVE-2026-21533) in Windows Remote Desktop Services (RDS) is being actively exploited in the wild and auctioned by the threat actor "Kamirmassabi" for $220,000. The functional exploit alters a service configuration registry key to grant standard users full SYSTEM-level access.

Assessment
Because this vulnerability requires prior low-privileged local access, it is highly likely being utilized as a post-exploitation lateral movement tool within compromised enterprise networks rather than as an initial breach vector.

Technical Analysis & Remediation

MITRE ATT&CK Mapping
TA0004 (Privilege Escalation)
T1543.000 (Create or Modify System Process: Windows Service)

CVE Profile
CVSSv3 7.8 (High)
CISA KEV Status: Active

Telemetry

Threat Actor: "Kamirmassabi"

Target Build Example: "10.0.26100.32370" (Windows Server 2025)

Delivery Vector
Origin: Insufficient Evidence (relies strictly on pre-existing local access).

Payload
File size and container are unknown. The structure suggests an executable binary designed to overwrite RDS service registry configurations.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

Command: Execute the following incident response functions immediately.

GOVERN (GV) – Crisis Management & Oversight

Command: Initiate emergency patch management protocols for the February 2026 updates, prioritizing all internet-facing and critical server infrastructure.

DETECT (DE) – Monitoring & Analysis

Command: Query EDR and SIEM for anomalous modifications to Remote Desktop service configuration registry keys.

Command: Alert on any unauthorized additions of local users to the Administrators group.
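One way to operationalise the two DETECT directives above on a single host, as an added example that is not part of the original post or the article it quotes: snapshot the Remote Desktop Services service configuration on a known-good machine, then compare the live configuration and the local Administrators membership against it. Assumptions: the service key is TermService under HKLM:\SYSTEM\CurrentControlSet\Services (the post does not name the key), and the baseline path and approved-administrator list are placeholders for your own values.

```powershell
param([switch]$Baseline)   # run once with -Baseline on a known-good host

# Assumed key for Remote Desktop Services; the post does not name it.
$ServiceKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService'
$BaselinePath   = 'C:\Baselines\TermService.json'                              # placeholder path
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins')  # placeholder list
$Watched        = 'ImagePath', 'ObjectName', 'Start', 'Type'  # what runs, as whom, and when

function Get-RdsServiceConfig {
    # Read only the properties that control what the service executes and its identity.
    $props = Get-ItemProperty -Path $ServiceKey
    $cfg = [ordered]@{}
    foreach ($name in $Watched) { $cfg[$name] = [string]$props.$name }
    return $cfg
}

if ($Baseline) {
    Get-RdsServiceConfig | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    return
}

$findings = @()

# 1. Compare the live TermService configuration with the stored baseline.
$known = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$live  = Get-RdsServiceConfig
foreach ($name in $Watched) {
    if ($live[$name] -ne [string]$known.$name) {
        $findings += "TermService\$name changed: '$($known.$name)' -> '$($live[$name])'"
    }
}

# 2. Flag members of the local Administrators group that are not on the approved list.
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    if ($ApprovedAdmins -notcontains $_.Name) {
        $findings += "Unexpected Administrators member: $($_.Name) ($($_.ObjectClass))"
    }
}

if ($findings.Count -eq 0) { Write-Output 'No deviations from baseline found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it from a scheduled task or your EDR's script runner and forward the warnings to the SIEM; the same comparison can be extended to other service keys by changing `$ServiceKey`.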

RESPOND (RS) – Mitigation & Containment

Command: Disable Remote Desktop Services (RDS) completely on endpoints where it is not strictly required.

Command: Isolate any host exhibiting successful registry overwrite signatures.

RECOVER (RC) – Restoration & Trust

Command: Revert unauthorized registry modifications to known-good baselines and purge unauthorized administrative accounts before reintroducing isolated hosts to the domain.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command: Restrict all RDP access exclusively to trusted internal networks or VPNs.

Command: Ensure compliance with CISA BOD 22-01 guidance for cloud services.

Remediation - THE HOME USER TRACK (Safety Focus)

Environmental Constraint
Windows Home editions do not natively support inbound Remote Desktop Protocol hosting by default. Therefore, the threat level for standard home users is downgraded to "Theoretical/Low" unless third-party RDP wrappers have been manually installed or the system is already compromised by malware operating locally.

Priority 1: Safety

Command: Ensure Windows Automatic Updates are enabled to receive the February 2026 Security Updates.

Priority 2: Identity

Command: Do not approve unexpected UAC (User Account Control) prompts, as the exploit requires local execution.

Priority 3: Persistence

Command: Check system accounts (via net user) for any newly created, unrecognized administrative users.

Hardening & References

Baseline

CIS Benchmarks for Windows Server / Windows 11 (Focus on RDP Service Hardening).

Framework
NIST CSF 2.0 / SP 800-61r3.

Reference
Microsoft Patch Tuesday February 2026 Release (CVE-2026-21533).

Source

Cyber Security News