Hackers Allegedly Selling Windows Remote Desktop Exploit for $220K


A Windows exploit targeting Remote Desktop Services is reportedly being sold on the dark web for $220,000, according to a report from Neowin. The vulnerability, tracked as CVE-2026-21533, allows attackers to escalate privileges on compromised systems.

Exploit allegedly listed on underground forum

The listing appeared on an underground malware and exploits forum, posted by a user named “Kamirmassabi.” The seller claims the exploit targets a previously unknown vulnerability in Windows Remote Desktop Services and advertises it as a zero-day exploit.

According to the listing, interested buyers must contact the seller privately to obtain further details about the exploit.

The vulnerability reportedly allows attackers to manipulate a service configuration registry key associated with the TermService protocol, enabling privilege escalation to system-level access.

The exploit requires initial access

Unlike remote code execution flaws that can be triggered from the internet, this vulnerability requires attackers to already have low-privilege authenticated access to the target system.

Initial access could be obtained through common intrusion techniques such as phishing attacks, malicious downloads, or compromised user accounts. Once attackers gain access, they could exploit the vulnerability to elevate their privileges and gain full control over the system.
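For defenders, the behaviour described above (a low-privilege account changing the TermService service configuration) can be hunted in Windows Security event 4657 ("a registry value was modified") records. The following is an added example, not code from Neowin, Microsoft or the original article. It assumes registry auditing is enabled on the key, that events are already parsed into dictionaries, and that the key is the standard `Services\TermService` path, which the article does not specify.

```python
import re

# Assumption: the standard service-configuration path for TermService. The
# article does not name the exact key or value behind CVE-2026-21533.
KEY_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\TermService(?:\\|$)", re.IGNORECASE)

# Well-known SIDs: LocalSystem, LocalService, NetworkService.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# Values that decide which binary a service loads (general service-hardening
# knowledge, not a detail taken from the article).
HIGH_VALUE_NAMES = {"imagepath", "servicedll"}

def triage(events):
    """Return sorted (priority, user, value) for unexpected TermService key writes."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4657:          # only "registry value modified"
            continue
        if not KEY_RE.match(ev.get("ObjectName", "")):
            continue                           # some other key, or a look-alike name
        if ev.get("SubjectUserSid") in SERVICE_SIDS:
            continue                           # expected writers, e.g. servicing
        value = ev.get("ObjectValueName", "")
        priority = "high" if value.lower() in HIGH_VALUE_NAMES else "review"
        findings.append((priority, ev.get("SubjectUserName"), value))
    return sorted(findings)

TS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService"
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"  # constructed

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4657, "SubjectUserSid": "S-1-5-18", "SubjectUserName": "HOST01$",
     "ObjectName": TS + r"\Parameters", "ObjectValueName": "ServiceDll"},
    {"EventID": 4657, "SubjectUserSid": USER_SID, "SubjectUserName": "jdoe",
     "ObjectName": TS, "ObjectValueName": "ImagePath"},
    {"EventID": 4657, "SubjectUserSid": USER_SID, "SubjectUserName": "jdoe",
     "ObjectName": TS, "ObjectValueName": "Description"},
    {"EventID": 4657, "SubjectUserSid": USER_SID, "SubjectUserName": "jdoe",
     "ObjectName": TS + "Helper", "ObjectValueName": "ImagePath"},
    {"EventID": 4663, "SubjectUserSid": USER_SID, "SubjectUserName": "jdoe",
     "ObjectName": TS, "ObjectValueName": "ImagePath"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Legitimate changes made by an administrator under their own account will also appear in the output, so findings should be matched against change records before escalation.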

Microsoft patched the flaw in February

The good news is that Microsoft has already patched CVE-2026-21533 in the February 2026 Patch Tuesday security updates.

This means organizations that have installed the update are protected from the exploit.

However, attackers may still target systems that have not yet applied the patch, especially in enterprise environments where update deployment may be delayed.

Microsoft has also updated Defender security intelligence signatures across installation packages, further strengthening protection against potential exploitation attempts.

Cybercriminals increasingly sell exploits instead of using them

Security researchers note that the listing reflects a growing trend in the cybercrime ecosystem where attackers sell exploits on underground markets instead of using them directly.

High-value vulnerabilities often attract large price tags, especially when they affect widely used enterprise services like Remote Desktop.

System administrators are advised to install the February 2026 security updates immediately to mitigate the risk of exploitation.

This incident also follows recent reports of attackers abusing legitimate certificates to distribute malware, highlighting the evolving tactics used by cybercriminals.

In other security-related news, Microsoft recently restored missing details in its Secure Boot FAQ, providing additional clarification about upcoming certificate changes.
