Dateline: July 15, 2026
Nobody panics about an information disclosure bug. That is sort of the problem.
Microsoft shipped fixes on July 14 for five flaws in Windows Remote Desktop Protocol. None of them run code. None of them crash anything. All five just hand an attacker a look at memory they were never supposed to see, and what floats up in that memory is the part worth worrying about.
What Happened?
The five CVEs are CVE-2026-50445, CVE-2026-50497, CVE-2026-55003, CVE-2026-57979, and CVE-2026-57982. All rated Important. All scoring 6.5 on CVSS 3.1. All disclosed July 14 alongside the rest of a very large Patch Tuesday.
They split into two families of mistake. CVE-2026-50445 and CVE-2026-57979 are read overruns, where the RDP stack reads past the end of a buffer and returns whatever sits next door in heap memory. CVE-2026-50497, CVE-2026-55003, and CVE-2026-57982 come from uninitialized memory, where RDP touches a region that was never cleaned and still holds whatever the last operation left behind.
The attack profile is mostly network based, low complexity, no privileges required, with user interaction needed. CVE-2026-57982 is the exception and wants low privileges. Microsoft assigned itself as CNA on all five and rated exploitation as less likely or unlikely. No public proof of concept exists as of writing.
The affected list is long. Windows 10 versions 1607, 1809, 21H2, and 22H2. Windows 11 versions 24H2, 25H2, and 26H1. Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025.
What’s the Impact?
Here is the part the severity rating buries. RDP sessions run with elevated privileges and handle sensitive material by design. So the memory an attacker reads is not random noise, it is the working set of a privileged remote session. Credentials. Session tokens. Protocol state. Memory addresses that quietly undo ASLR and make the next exploit easier to land.
That last one matters most. An information leak is rarely the whole attack. It is the reconnaissance step that turns a hard exploit into a reliable one.
And RDP is not a niche service. It sits on jump boxes, VDI fleets, support workstations, cloud hosted admin hosts, and, still, on machines facing the open internet. It stays the favorite initial access route for ransomware crews. Bugs that leak from that surface feed credential theft and lateral movement.
“Exploitation less likely” is also a snapshot, not a forecast. Microsoft rated the SharePoint bug CVE-2026-45659 as exploitation less likely in May. CISA added it to the Known Exploited Vulnerabilities catalog on July 1.
How to Avoid This
Deploy the July 2026 cumulative updates. There is no workaround published for any of the five, so the patch is the fix.
Order the rollout by exposure rather than by CVSS score. Internet reachable Remote Desktop Session Hosts first, then jump servers and VDI, then anything reachable from contractor or guest segments. Domain controllers with RDP enabled belong near the front too, even behind a firewall.
Stop exposing RDP directly. Put it behind a VPN or a Remote Desktop Gateway and turn on Network Level Authentication, which cuts down the interaction based paths. Turn off Remote Desktop Services on machines that only need it twice a year.
Watch for odd RDP connection attempts and unexpected connection prompts on user machines.
IOCs
There are none for this batch, and any list claiming otherwise is guessing. No exploitation observed, no proof of concept public, no vendor telemetry. What you can do is hunt behaviorally: RDP sessions from source addresses outside your normal pattern, connection prompts users did not trigger, and repeated malformed session negotiations against a session host.
You Patched. Do You Know Which Machines Still Listen on 3389?
Five medium scored bugs will not make anyone’s fix first list. The machines running them might.
Secure.com’s Infrastructure Security Teammate handles the boring part that decides this:
- Discovers every asset with RDP reachable, including the box someone stood up in 2019 and forgot
- Scores findings by exposure and business context instead of CVSS alone, so a 6.5 on an internet facing jump host outranks a 9.0 on an isolated test VM
- Maps the attack path from a leaked credential to whatever it unlocks downstream, before someone else does
- Confirms the July update actually landed on each machine rather than trusting the deployment console
- Tracks a KEV listing daily and re-prioritizes automatically when “less likely” turns into “actively exploited”