Windows Remote Desktop Protocol Server Unauthenticated RCE Patched in July 2026 Patch Tuesday (CVE-2026-56190)
Scope: Windows Server 2019, 2022, 2025 and Windows 10/11 (All Builds with RDP Server Enabled)
Severity: Red
CVE-2026-56190 (CVSS 9.8) is a critical unauthenticated remote code execution vulnerability in the Windows Remote Desktop Protocol server, patched on July 14, 2026 as part of Microsoft's record-breaking Patch Tuesday addressing 570 to 622 flaws. The flaw stems from use of an uninitialized resource in RDP's packet handling code, allowing a remote attacker to send specially crafted RDP traffic that corrupts uninitialized memory and achieves code execution on the server with no authentication and no user interaction required. RDP servers remain among the most widely targeted services in ransomware initial access operations globally, and internet-exposed Windows servers running RDP without network-level authentication are at immediate risk from automated scanning tooling. Organizations must apply the July 14, 2026 cumulative update to all Windows Server and Windows 10/11 deployments immediately, audit firewall rules to confirm RDP (TCP port 3389) is not exposed directly to the internet, enforce Network Level Authentication on all RDP-enabled systems, and deploy Conditional Access or VPN requirements for any remote desktop access.
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.