
Windows RDP Vulnerabilities Allow Attacker to Expose Sensitive Data

Cybersecurity News Archived Jun 10, 2026 ✓ Full text saved



By Abinaya, June 10, 2026

Windows systems are impacted by two new Remote Desktop Protocol (RDP) information disclosure vulnerabilities, CVE-2026-42908 and CVE-2026-45639. Both issues were resolved in Microsoft’s security updates released on June 9, 2026. Both flaws stem from out-of-bounds reads in the RDP stack and are rated Important, with a CVSS v3 base score of 7.5.

Windows Remote Desktop Protocol Vulnerabilities

Microsoft describes CVE-2026-42908 and CVE-2026-45639 as information disclosure vulnerabilities in Windows Remote Desktop Protocol caused by an out-of-bounds read condition. An unauthenticated attacker can exploit these bugs remotely over the network without any user interaction, which is reflected in the CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Although both issues are “only” information disclosure, they expose sensitive memory contents that can be chained with other vulnerabilities to enable more impactful attacks, such as remote code execution or sandbox escape. Microsoft currently assesses exploitation as “Less Likely,” and there is no public exploit or evidence of in-the-wild abuse at the time of release.

According to Microsoft’s advisory, successful exploitation of CVE-2026-42908 can reveal local memory addresses, significantly weakening modern exploit mitigations such as ASLR. For CVE-2026-45639, an attacker may be able to read portions of process memory, potentially leaking credentials, session tokens, or protocol state data depending on what resides in the targeted memory region.

The bugs affect a broad set of Windows client and server releases where RDP is available, including Windows 10 (21H2, 22H2, 1607, 1809), Windows 11 (23H2, 24H2, 25H2, 26H1), and Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, as well as the Remote Desktop client/Windows App client for Windows Desktop.
All impacted products receive patches as part of the June 9, 2026, Patch Tuesday rollout.

Both CVEs are associated with CWE-125, Out-of-bounds Read, indicating that the vulnerable RDP component reads data past the bounds of an allocated buffer. In practice, this means crafted RDP traffic can cause the service to return data from adjacent memory regions instead of only the expected protocol data.

Because the vulnerabilities are reachable pre-authentication over the network, they raise particular concern for internet-exposed RDP endpoints and multi-tenant environments where one tenant might attempt cross-tenant information leakage via shared infrastructure. While there is no integrity or availability impact, the high confidentiality impact makes these bugs valuable for attackers building reliable exploit chains.

Microsoft has shipped official fixes, and the recommended remediation is to apply the June 9, 2026 security updates or the related cumulative/rollup packages for each affected Windows version and RDP client build. Administrators should prioritize systems that expose RDP over the internet and critical backend servers where memory disclosures could aid lateral movement or privilege escalation.

As a general hardening measure, organizations should restrict RDP access behind VPNs or bastion hosts, enforce strong authentication, and monitor for unusual RDP connection patterns. At the same time, the community continues to analyze these patches for potential exploit primitives.
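The CWE-125 pattern described above, shown as an added example that is not Microsoft's code and does not model the RDP bugs: a parser that trusts a sender-supplied length beside a bounds-checked form. The message format, function names and the "SESSION-TOKEN" neighbour data are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message format (an assumption, not RDP): byte 0 is the payload
 * length claimed by the sender, the payload follows, and the receiver echoes
 * the payload back. */
#define RECV_CAP 8   /* size of the receive buffer inside the arena */

/* Flawed form: trusts the claimed length and ignores how much was received. */
size_t echo_unchecked(const uint8_t *msg, size_t received, uint8_t *out)
{
    (void)received;                  /* never consulted: this is the defect */
    size_t claimed = msg[0];
    memcpy(out, msg + 1, claimed);   /* reads past the bytes that arrived */
    return claimed;
}

/* Hardened form: the claimed length must fit in the received bytes and in out. */
int echo_checked(const uint8_t *msg, size_t received, uint8_t *out, size_t out_cap)
{
    if (received < 1) return -1;
    size_t claimed = msg[0];
    if (claimed > received - 1 || claimed > out_cap) return -1;
    memcpy(out, msg + 1, claimed);
    return (int)claimed;
}

/* One array stands in for process memory so the over-read stays well defined:
 * the receive buffer is arena[0..7], unrelated data starts at arena[8]. */
size_t demo_leak(uint8_t *out, int *checked_result)
{
    uint8_t arena[32] = {0};
    const uint8_t wire[] = {20, 'h', 'i'};          /* claims 20, carries 2 */
    memcpy(arena, wire, sizeof wire);
    memcpy(arena + RECV_CAP, "SESSION-TOKEN", 13);  /* constructed neighbour data */
    *checked_result = echo_checked(arena, sizeof wire, out, 32);
    return echo_unchecked(arena, sizeof wire, out);
}

int main(void)
{
    uint8_t out[32] = {0};
    int checked;
    size_t n = demo_leak(out, &checked);
    printf("checked: %d, unchecked echoed %zu bytes, tail: %.13s\n",
           checked, n, (const char *)out + 7);
    return 0;
}
```

The checked form rejects the message because the claimed length exceeds what was received, while the unchecked form returns the neighbouring bytes along with the two-byte payload.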