Microsoft has patched a critical security flaw that weaponizes an everyday task: connecting to a remote computer. The July 14, 2026 security updates address CVE-2026-50474, a vulnerability in the Windows Remote Desktop Client that could allow an attacker to run malicious code on your PC the moment you connect to a compromised server.

Not Your Typical RDP Threat: Why the Client Is the Target

Remote Desktop attacks usually conjure images of poorly secured servers being breached over port 3389. CVE-2026-50474 flips that narrative. The weakness lies in the client-side software—the application you use to connect to other machines, known as the Remote Desktop Connection client (mstsc.exe). When you launch a connection to a remote host, the client receives and processes data from that host. If the remote endpoint is under an attacker’s control, it can send specially crafted responses that trigger a memory corruption bug in your client. Microsoft classifies this as a use-after-free error (CWE-416), a type of flaw where the software continues to reference memory that has already been released, potentially allowing the attacker to overwrite code or manipulate execution.

The result: remote code execution (RCE) with the same rights as the user running the Remote Desktop Client. If you’re an administrator managing servers, the attacker gains admin-level access. If you’re a standard user connecting to a work PC, the damage might be limited—but that’s little comfort, as compromised credentials or data exfiltration remain serious risks.

According to Microsoft’s advisory, the vulnerability carries a CVSS 3.1 score of 8.8 out of 10, indicating high severity. The attack vector is network-based, no authentication is required, and the attack complexity is low. However, user interaction is mandatory: you must initiate the connection. This means the attacker must lure you into connecting to a malicious or compromised RDP host. That could happen through a phishing email with a .rdp file attachment, a fake support call instructing you to connect to a “diagnostic” server, or even a poisoned remote desktop link on a website. Once you double-click that .rdp file or enter the malicious address, your machine is at risk.

Is Your PC Affected? Check Your Build Number

The vulnerability affects a wide range of supported Windows versions, from client operating systems to server editions. Microsoft fixed the flaw in the cumulative updates released on July 14, 2026. The critical thing to know: Installing the update isn’t enough—you must confirm that your PC has actually reached the secure build number listed in the advisory. Windows Update might report that patches are installed, but a restart pending or a failed component installation can leave you exposed.

Here are the minimum safe build numbers for key affected versions:

  • Windows 11 version 24H2: OS build 26100.8875 (delivered via KB5101650)
  • Windows 11 version 25H2: OS build 26200.8875 (also KB5101650)
  • Windows 11 version 26H1: OS build 28000.2525 (via KB5101649)
  • Windows 10 version 22H2: OS build 19045.7548 (via KB5099539)
  • Windows 10 version 21H2: OS build 19044.7548 (also KB5099539)

Server versions share the same flaw. For example, Windows Server 2022 needs build 20348.5386 (KB5099540), and Windows Server 2019 requires 17763.9020. Even Server Core installations are listed as affected, because the Remote Desktop Client component can still exist there for management purposes.

To check your own build number, press Windows key + R, type winver, and press Enter. Compare the version and build numbers with the list above. If your build is lower, you’re not fully protected.

One more twist: KB5101650 for Windows 11 24H2 and 25H2 has been temporarily withheld from a limited set of Dell PCs with Intel processors. Microsoft says these systems are encountering a separate compatibility issue causing shutdown problems, excessive heat, battery drain, and reduced performance. If your Dell machine doesn’t see the update, check Dell’s support site for guidance rather than forcing the update manually.

How a Routine Connection Could Turn Dangerous

The scenario is deceptively simple. An attacker sends you an email that looks like it’s from your IT department: “Please connect to the new server at rdp.companyportal.com for a security scan.” The attachment is a standard-looking .rdp file. You double-click it, Windows Remote Desktop opens, and the connection begins. Behind the scenes, the remote server—controlled by the attacker—sends carefully crafted network packets that exploit the use-after-free bug. In seconds, the attacker’s code runs on your machine, with your permissions.

Even without clicking a file, manual entry of a malicious address could be enough. A help-desk scam might instruct you to type a connection string into the Remote Desktop client. A compromised IT documentation page might list a fake server name. The essential element is that the connection leaves your PC and reaches attacker-controlled infrastructure.

Microsoft had not observed active exploitation of this flaw as of July 15, 2026, according to both the MSRC advisory and CISA’s initial assessment. There was also no public disclosure of the vulnerability details before patch release. But a reliable exploit for an 8.8‑severity client‑side RCE in a widely used administrative tool makes it a prime target for future attacks. The time to patch is before exploitation starts.

What You Need to Do: A Step‑by‑Step Action Plan

For everyone using Windows Remote Desktop:

  1. Install the July 2026 cumulative update immediately. Go to Settings > Windows Update and click Check for updates. Let the update download and install. Reboot when prompted, even if you have to schedule it.
  2. Verify your build number. After the restart, use winver to confirm you’ve reached the safe build for your version.
  3. Treat .rdp files with suspicion. Only open Remote Desktop connection files from trusted sources. If you receive one via email, chat, or a shared link, verify its origin—even if it looks like it came from your company. When in doubt, use a text editor to inspect the file for the target address.
  4. Stay alert for social engineering. No legitimate technical support will ever ask you to connect to an arbitrary server to “fix” a problem. Be skeptical of unsolicited calls or messages asking you to initiate a remote session.

For IT administrators and business users:

  • Prioritize privileged access workstations (PAWs). Administrators, help-desk staff, and anyone who connects to servers using elevated accounts should be patched first. A compromised admin client is a launchpad for lateral movement.
  • Use Group Policy to control .rdp publishers. The July updates also add support for SHA‑2 certificate thumbprints in .rdp files, which can help enforce trusted connections. Configure Remote Desktop Connection Client policies to restrict connections to known, signed hosts. Microsoft plans to deprecate SHA‑1, so move to SHA‑256 or stronger now.
  • Audit your endpoints. Use Windows Server Update Services, Configuration Manager, or Intune to confirm that all client machines have reached the required build. Don’t rely on a dashboard that says “updates installed”; verify the actual OS build.
  • If you can’t patch immediately, consider network controls: block outbound RDP traffic (TCP port 3389) from end-user subnets to the internet, allowing only approved management ranges. Restrict the use of .rdp files through AppLocker or a similar policy. Warn users about the risks of connecting to untrusted hosts. These are temporary measures, not substitutes for the patch.

For Windows 10 users on unsupported versions:

Windows 10 version 22H2 reached end of mainstream support on October 14, 2025. Only devices enrolled in the Extended Security Updates (ESU) program for Enterprise, IoT Enterprise LTSC, or Education receive the KB5099539 fix. If you’re running a regular Windows 10 PC without an ESU license, you will not be offered the patch and remain permanently vulnerable. Your best option is to upgrade to a supported version of Windows 11.

Beyond the Patch: Reducing Future Risk

Even after applying the July updates, RDP clients remain a high-value target. Consider these long‑term practices:

  • Limit who can use Remote Desktop. Through Group Policy or local security settings, you can restrict the Remote Desktop Users group. For administrative access, prefer Windows Admin Center, PowerShell Remoting (over HTTPS), or other tools that don’t expose the full Remote Desktop Client surface.
  • Deploy Remote Desktop Gateway. A gateway server can broker connections, apply authentication policies, and shield clients from connecting directly to arbitrary hosts.
  • Monitor for suspicious .rdp activity. Configure endpoint detection to flag when mstsc.exe runs immediately after a browser downloads a file or an email attachment is opened. Outbound connections to unusual destinations or known malicious IPs should trigger alerts.
  • Stay informed. The vulnerability landscape evolves quickly. Subscribe to Microsoft’s Security Update Guide notifications to catch future RDP-related patches early.

Looking Ahead

CVE‑2026‑50474 hasn’t yet been exploited in the wild, but history shows that client‑side RCE flaws in widely used tools get weaponized eventually. The combination of easy social engineering and high privilege access makes this a dangerous bug. Microsoft’s July updates close the door, but only if you actually install them. The next time a researcher publishes a detailed write‑up or an exploit kit adds this vulnerability, the window for safe patching will have already passed. Don’t wait.