CVE-2026-56190: Any Windows Server With RDP Exposed Can Be Taken Over. No Password Required

Microsoft shipped CVE-2026-56190 on July 14 as part of the largest Patch Tuesday in history. It is a remote code execution vulnerability in the Windows Remote Desktop Protocol server. CVSS score: 9.8. Attack vector: network. Authentication required: none. User interaction: none.
If your Windows Server has RDP exposed to the internet, an attacker can send a crafted packet to port 3389 and potentially execute code on your server. No login screen. No password prompt. Just a malformed RDP request hitting the listener.
What the Bug Actually Is
The vulnerability is a use of uninitialized resource in the RDP server stack. When the RDP listener processes incoming connection requests, it allocates memory structures to track the session. Under specific conditions, one of these structures is used before the kernel has fully initialized it. The uninitialized memory gets interpreted as a pointer, and the attacker controls where it points.
The result is memory corruption in kernel space. From there, the attacker can escalate to SYSTEM-level code execution. The attack does not require a valid RDP session. It does not require credentials. It triggers during the initial protocol handshake, before authentication even begins.
Microsoft rates this as Important, not Critical, because the attack complexity is rated high. But multiple security researchers have noted that the complexity rating reflects the difficulty of crafting a reliable exploit, not the difficulty of triggering the vulnerability. A denial of service is trivial. Code execution is harder but proven possible.
What Is Affected
Every supported version of Windows Server with the Remote Desktop Services role enabled. That includes:
- Windows Server 2025
- Windows Server 2022
- Windows Server 2019
- Windows 11 with RDP enabled
- Windows 10 with RDP enabled
If your server has port 3389 open and is not behind a VPN or RD Gateway, assume it is vulnerable until patched.
How to Fix It
The July 2026 cumulative update patches this vulnerability. There is no workaround short of disabling RDP entirely. You cannot filter the malicious packets with a firewall because the attack rides on legitimate RDP protocol traffic.
Immediate steps for self-managed servers:
# Check if RDP is enabled
Get-Service TermService | Select Status
# Install the July 2026 update
# Windows Server 2025: KB5063236
# Windows Server 2022: KB5063275
# Windows Server 2019: KB5063269
# Or via Windows Update
wuauclt /detectnow /updatenow
Reboot required. The fix touches kernel-mode RDP driver code. Hot-patching will not apply.
If you cannot patch immediately: Disable RDP. Use Windows Admin Center or a third-party remote access tool that does not use the Microsoft RDP stack. Re-enable RDP only after the update is installed and the server has rebooted.
The Bigger Problem: 570 Flaws in One Month
CVE-2026-56190 is one of approximately 570 vulnerabilities Microsoft patched on July 14. Three of those were actively exploited zero-days. Two more got CISA KEV listings with mandatory patching deadlines. The sheer volume is unprecedented - the previous Patch Tuesday record was 206 flaws in June.
Microsoft is now using AI to find bugs in its own codebase, and the output is showing up in these numbers. This is good for security in the long run. In the short run, it means every Patch Tuesday from now on has the potential to drop triple-digit critical fixes on your infrastructure team.
How ServerGurus Handles Patch Tuesday at Scale
Our managed Windows infrastructure applies these updates automatically. The July 14 patches were deployed to every managed server within hours of release. No customer ticket. No maintenance window negotiation. No servers sitting unpatched while someone finds time in their calendar.
If you run your own Windows servers, you have 570 patches to triage and deploy. If you run them on our managed infrastructure, you woke up this morning to a patched fleet.
This is the fundamental value proposition of managed hosting. It is not about renting hardware. It is about not having to drop everything every second Tuesday of the month to patch critical RCE vulnerabilities.
Learn about managed Windows Server hosting or check if your servers are exposed.