On July 14, 2026, Microsoft plugged a vulnerability in the Windows Remote Desktop client that could allow an attacker to read data from a PC the moment it connects to a malicious server. The flaw, tracked as CVE-2026-58539, affects every supported version of Windows 10, Windows 11, and Windows Server. The fix arrived inside the regular Patch Tuesday cumulative updates, making it a straightforward deployment for anyone who doesn’t delay monthly security patches.

What just happened

Microsoft’s July 14 security updates resolved an out-of-bounds read in how the built-in Remote Desktop Connection application (mstsc.exe) processes certain data during a connection. An attacker who can convince someone to connect to a rigged Remote Desktop server could exploit the bug to read confidential information from the victim’s machine. The company classified the problem as an information disclosure vulnerability and gave it an “Important” severity rating with a CVSS 3.1 score of 6.5.

The National Vulnerability Database entry for CVE-2026-58539 spells out the mechanics: the attack is network-reachable, requires low complexity, and demands no special privileges, but it does hinge on user interaction. In plain language, a crook can’t scan the internet and automatically break into millions of PCs. They need a person to initiate a Remote Desktop session with a server the attacker controls, often by opening a booby-trapped .rdp file or clicking a link that launches an untrusted connection.

Here are the Windows versions that need the fix, and the minimum build number that contains the patch:

Product family Patched build level
Windows 11, version 24H2 26100.8875
Windows 11, version 25H2 26200.8875
Windows 11, version 26H1 28000.2525
Windows 10, version 22H2 19045.7548
Windows 10, version 21H2 19044.7548
Windows 10 / Server, version 1607 14393.9339
Windows 10 / Server, version 1809 17763.9020
Windows Server 2022 20348.5386
Windows Server 2025 26100.33158
Windows Server 2012 / 2012 R2 9200.26226 and 9600.23291

For most Windows 11 users, the update arrives as KB5101650, which advances the 24H2 build to 26100.8875 and the 25H2 build to 26200.8875. Windows 10 devices on the Extended Security Updates or LTSC tracks should look for KB5099539, while Server 2022 admins will want KB5099540. The patches are available through Windows Update, Windows Update for Business, WSUS, and the Microsoft Update Catalog.

Who needs to act

Home users. If you use the Remote Desktop app to access another computer, install the July cumulative update as soon as possible. Windows Update usually downloads and installs it automatically by default, so check that you’re up to date by going to Settings > Windows Update and clicking “Check for updates.” After rebooting, you can verify your build number matches the patched level listed above.

IT administrators. This isn’t a server-side exploit that requires you to take Remote Desktop Services offline or reconfigure firewalls in a panic. The danger sits on the client side—on laptops, desktops, admin jump boxes, and help-desk workstations that initiate Remote Desktop sessions. A patched server doesn’t protect an unpatched client that connects to an attacker-controlled endpoint.

Treat this vulnerability as an endpoint-patching priority. Even unmanaged or BYOD Windows devices that launch RDP connections are at risk. Include Remote Desktop usage in your compliance reports, especially for privileged-access workstations and machines used by support teams.

Developers. If your workflow involves Remote Desktop to virtual machines or test environments, double-check that you’re running a patched build before opening .rdp files sent via email or posted in project channels. The same goes for IT pros who manage cloud-based Windows servers: verify your local client is updated before establishing any administrative session.

The bigger picture: RDP client vs. server risk

For years, Remote Desktop security discussions focused on internet-facing servers, open ports, and the risk of wormable vulnerabilities like the BlueKeep exploit from 2019. CVE-2026-58539 flips that script. It targets the client software that connects to remote machines, not the service that waits for incoming connections. The attack surface shifts from the server to the person at the keyboard.

Microsoft’s own advisory underscores this shift with its CVSS vector: confidentiality impact is high, but integrity and availability are rated none. An attacker can’t use this flaw to install malware or crash your PC, but they could scoop up sensitive data that flows through the RDP session—possibly including credentials, keystrokes, or on-screen information. Because the bug involves an out-of-bounds read in the client’s parsing logic, the exact data at risk depends on memory layout, but the potential for harm is real.

The fix lands at a time when Microsoft has already been tightening the user experience around .rdp files. Starting with the April 2026 security updates, the Remote Desktop client displays a new warning dialog that makes the destination address and requested device redirections (such as drives, clipboard, and camera) more visible before a connection starts. Redirections default to off, and unsigned .rdp files get an “Unknown publisher” warning. Microsoft explicitly tells users not to open unexpected RDP files and to verify unusual connection requests through a separate channel.

Those April interface changes don’t directly patch this vulnerability, but they address the same trust boundary: a local client deciding to trust a remote server it hasn’t vetted. For an attacker, a phishing email carrying a weaponized .rdp file or a social-engineering lure designed to get someone to connect to a “support” machine is the easiest way to trigger the user interaction this bug requires.

Step-by-step: How to secure your systems

  1. Install the July cumulative update on every Windows endpoint that can launch Remote Desktop. This includes workstations, laptops, jump boxes, and servers used for administration. If you rely on WSUS, Microsoft Update Catalog, or configuration manager, accelerate the approval for KB5101650 and its equivalent packages for other platforms.
  2. Lock down .rdp file handling. Configure Group Policy to block opening .rdp files from untrusted sources, or set a policy that forces users to review and approve all redirections before connecting. The April 2026 warning dialog can be temporarily rolled back through policy for compatibility reasons, but Microsoft has warned that the rollback option may disappear in a future update. If your organization reversed the change to avoid help-desk friction, revisit that decision now.
  3. Limit where users can connect via Remote Desktop. Use firewalls, DNS filtering, Remote Desktop Gateway servers, and Conditional Access rules to restrict outbound RDP traffic to known, approved destinations. This reduces the chance that a user will accidentally or deliberately connect to a malicious server.
  4. Audit help-desk and vendor playbooks that involve .rdp file exchanges. If your support teams routinely email RDP files or instruct users to download them from portals, shift to a more secure distribution method, such as an authenticated web portal with server-side validation.
  5. Train staff to treat unexpected RDP prompts the same way they treat phishing emails. A pop-up asking to connect to a remote PC you didn’t initiate should raise immediate suspicion. Encourage users to contact IT before proceeding.

What’s next

As of this writing, Microsoft has not reported any active exploitation of CVE-2026-58539, and CISA’s analysis lists exploitation as “none.” No public proof-of-concept code has been published. That could change as researchers dig into the patch, but the immediate risk is low. The defensible move is to patch now while the vulnerability remains theoretical rather than waiting for an in-the-wild attack that forces an emergency deployment.

The bigger question is whether subsequent reverse-engineering will reveal exactly what data an attacker can siphon. Until then, the safe assumption is that any information visible on the screen or passing through the RDP channel—including credentials, documents, and clipboard contents—could be at risk when an unpatched client connects to a hostile server.

Microsoft says the July update has no known issues, making it an unusually clean patch candidate. For organizations that still block Windows updates out of caution, this is one case where the security fix outweighs the usual fear of breaking something. Patch the clients, review your RDP policies, and keep an eye on the threat intelligence feeds. If the bad guys weaponize this bug, the early warning signs will show up there first.