CVE-2026-56171

Microsoft · Remote Desktop Web Client and Windows Admin Center

A vulnerability in Microsoft Remote Desktop Web Client and Windows Admin Center allows an unauthenticated attacker to disclose sensitive personal information over the network.

Executive summary

This vulnerability exposes private personal information through the Microsoft Remote Desktop Web Client and Windows Admin Center, posing a significant risk of data leakage.

Vulnerability

This is an information exposure vulnerability (CWE-359) occurring in the web-based management interfaces. The attack vector is network-based and does not require authentication, though it does rely on user interaction to facilitate the disclosure of private data.

Business impact

Successful exploitation of this flaw could result in the unauthorized disclosure of sensitive user information, potentially leading to identity theft or the compromise of internal system configurations. With a CVSS score of 7.1, this represents a high-severity risk that could undermine the privacy and security posture of organizations relying on these tools for remote management.

Remediation

Immediate Action: Update the Microsoft Remote Desktop Web Client to version 2.1.65.2 or later, and update Windows Admin Center to version 2.7.4 or later.

Proactive Monitoring: Review web server and application access logs for unusual request patterns or unexpected access to sensitive data endpoints.

Compensating Controls: Implement WAF rules to filter suspicious traffic and restrict access to the web interfaces of these tools to trusted network segments only.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Organizations should prioritize patching their deployments of the Remote Desktop Web Client and Windows Admin Center immediately. Given the potential for unauthorized information disclosure, failing to apply the provided vendor updates leaves sensitive management environments vulnerable to network-based reconnaissance and data theft.