CVE-2026-56171
Microsoft · Remote Desktop Web Client and Windows Admin Center
A vulnerability in Microsoft Remote Desktop Web Client and Windows Admin Center allows an unauthenticated attacker to disclose sensitive personal information over the network.
Executive summary
This vulnerability exposes private personal information through the Microsoft Remote Desktop Web Client and Windows Admin Center, posing a significant risk of data leakage.
Vulnerability
This is an information exposure vulnerability (CWE-359) occurring in the web-based management interfaces. The attack vector is network-based and does not require authentication, though it does rely on user interaction to facilitate the disclosure of private data.
Business impact
Successful exploitation of this flaw could result in the unauthorized disclosure of sensitive user information, potentially leading to identity theft or the compromise of internal system configurations. With a CVSS score of 7.1, this represents a high-severity risk that could undermine the privacy and security posture of organizations relying on these tools for remote management.
Remediation
Immediate Action: Update the Microsoft Remote Desktop Web Client to version 2.1.65.2 or later, and update Windows Admin Center to version 2.7.4 or later.
Proactive Monitoring: Review web server and application access logs for unusual request patterns or unexpected access to sensitive data endpoints.
Compensating Controls: Implement WAF rules to filter suspicious traffic and restrict access to the web interfaces of these tools to trusted network segments only.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Organizations should prioritize patching their deployments of the Remote Desktop Web Client and Windows Admin Center immediately. Given the potential for unauthorized information disclosure, failing to apply the provided vendor updates leaves sensitive management environments vulnerable to network-based reconnaissance and data theft.