Microsoft Patches Multiple Windows Remote Code Execution Flaws Across Core Services
Microsoft published security advisories for a broad set of remote code execution vulnerabilities affecting Windows components and enterprise services, including Windows Telephony Service, Hyper-V, ReFS, WSUS, Direct Show, the Windows Mobile Broadband Driver, Windows Server Setup and Boot Event Collection, SQL Server Native Client, and .NET. The largest concentration of disclosures involved the Windows Telephony Service, with multiple CVEs including CVE-2024-43620, CVE-2024-43627, CVE-2025-21190, CVE-2025-21240, CVE-2025-21243, CVE-2025-21250, CVE-2025-21266, CVE-2025-21273, CVE-2025-21409, and CVE-2025-21413, indicating sustained patching activity around a single Windows attack surface.
Other disclosed RCE issues expanded the risk to virtualization, storage, update infrastructure, and server environments through CVE-2026-21244 and CVE-2026-21248 in Windows Hyper-V, CVE-2025-62456 in Windows Resilient File System (ReFS), CVE-2025-59287 in Windows Server Update Service (WSUS), CVE-2025-49666 in Windows Server Setup and Boot Event Collection, CVE-2024-49012 in SQL Server Native Client, CVE-2025-21291 in Windows Direct Show, and CVE-2026-24288 in the Windows Mobile Broadband Driver. One referenced case, CVE-2021-34458, showed the potential severity of Microsoft RCE flaws in virtualized environments, with Microsoft describing a Critical Windows Kernel issue that could enable cross-guest interference on systems using SR-IOV-capable hardware.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
48 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes Mobile Broadband Driver RCE CVE-2026-24288
Microsoft published CVE-2026-24288 as a remote code execution vulnerability in the Windows Mobile Broadband Driver. The disclosure was added to the Security Update Guide in March 2026.
Microsoft publishes Hyper-V RCE CVE-2026-21248
Microsoft disclosed CVE-2026-21248 as another Windows Hyper-V remote code execution vulnerability on the same day as CVE-2026-21244. This represents a separate Hyper-V flaw addressed in February 2026.
Microsoft publishes Hyper-V RCE CVE-2026-21244
Microsoft disclosed CVE-2026-21244, a remote code execution vulnerability affecting Windows Hyper-V, in February 2026. The entry marks a virtualization-related flaw added to the Security Update Guide.
Microsoft publishes ReFS RCE CVE-2025-62456
Microsoft published CVE-2025-62456 as a remote code execution vulnerability in Windows Resilient File System (ReFS). The disclosure appeared in the December 2025 Security Update Guide.
Microsoft publishes WSUS RCE CVE-2025-59287
Microsoft disclosed CVE-2025-59287, a remote code execution vulnerability in Windows Server Update Service (WSUS), in October 2025. The publication added another server-side RCE issue to the Security Update Guide.
Microsoft publishes Virtual Hard Disk RCE CVE-2025-49683
Microsoft disclosed CVE-2025-49683 as a remote code execution vulnerability affecting Microsoft Virtual Hard Disk in its Security Update Guide. The advisory was published as part of the July 2025 security releases.
Microsoft publishes Windows Server Setup and Boot Event Collection RCE
Microsoft published CVE-2025-49666 as a remote code execution vulnerability affecting Windows Server Setup and Boot Event Collection. The issue was added to the Security Update Guide in July 2025.
Microsoft publishes Windows Telephony Service RCE CVE-2025-24056
Microsoft disclosed CVE-2025-24056 as a Windows Telephony Service remote code execution vulnerability through its Security Update Guide. The advisory was published as part of the March 2025 security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21200
Microsoft disclosed CVE-2025-21200 as a Windows Telephony Service remote code execution vulnerability through its Security Update Guide. The advisory was published as part of the February 2025 security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21407
Microsoft disclosed CVE-2025-21407 as a Windows Telephony Service remote code execution vulnerability through its Security Update Guide. The advisory was published as part of the February 2025 security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21201
Microsoft disclosed CVE-2025-21201 as a Windows Telephony Service remote code execution vulnerability through its Security Update Guide. The advisory was published as part of the February 2025 security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21406
Microsoft disclosed CVE-2025-21406 as a Windows Telephony Service remote code execution vulnerability in its Security Update Guide. The advisory was published as part of the February 2025 security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21371
Microsoft disclosed CVE-2025-21371 as a Windows Telephony Service remote code execution vulnerability in its Security Update Guide. The advisory was published as part of the February 2025 security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21190
Microsoft disclosed CVE-2025-21190, a Windows Telephony Service remote code execution vulnerability, in February 2025. This indicates continued patching of Telephony Service RCE flaws after the January batch.
Microsoft publishes RMCAST RCE CVE-2025-21307
Microsoft disclosed CVE-2025-21307 as a remote code execution vulnerability in the Windows Reliable Multicast Transport Driver (RMCAST) through its Security Update Guide. The advisory was published as part of the January 2025 Patch Tuesday security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21303
Microsoft disclosed CVE-2025-21303 as a Windows Telephony Service remote code execution vulnerability through its Security Update Guide. The advisory was published as part of the January 2025 Patch Tuesday security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21239
Microsoft disclosed CVE-2025-21239 as a Windows Telephony Service remote code execution vulnerability through its Security Update Guide. The advisory was published as part of the January 2025 Patch Tuesday security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21236
Microsoft disclosed CVE-2025-21236 as a Windows Telephony Service remote code execution vulnerability through its Security Update Guide. The advisory was published as part of the January 2025 Patch Tuesday security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21233
Microsoft disclosed CVE-2025-21233 as a Windows Telephony Service remote code execution vulnerability through its Security Update Guide. The advisory was published as part of the January 2025 Patch Tuesday security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21417
Microsoft disclosed CVE-2025-21417 as a Windows Telephony Service remote code execution vulnerability through its Security Update Guide. The advisory was published as part of the January 2025 Patch Tuesday security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21223
Microsoft disclosed CVE-2025-21223 as a Windows Telephony Service remote code execution vulnerability in its Security Update Guide. The advisory was published as part of the January 2025 Patch Tuesday security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21305
Microsoft disclosed CVE-2025-21305 as a Windows Telephony Service remote code execution vulnerability in its Security Update Guide. The advisory was published as part of the January 2025 Patch Tuesday security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21241
Microsoft disclosed CVE-2025-21241 as a Windows Telephony Service remote code execution vulnerability in its Security Update Guide. The advisory was published as part of the January 2025 Patch Tuesday security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21246
Microsoft disclosed CVE-2025-21246 as a Windows Telephony Service remote code execution vulnerability in its Security Update Guide. The advisory was published as part of the January 2025 Patch Tuesday security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21252
Microsoft disclosed CVE-2025-21252 as a Windows Telephony Service remote code execution vulnerability in its Security Update Guide. The advisory was published as part of the January 2025 Patch Tuesday security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21282
Microsoft disclosed CVE-2025-21282 as a Windows Telephony Service remote code execution vulnerability in its Security Update Guide. The advisory was published as part of the January 2025 Patch Tuesday security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21411
Microsoft disclosed CVE-2025-21411 as a Windows Telephony Service remote code execution vulnerability in its January 2025 Security Update Guide. The advisory represents another distinct Telephony Service flaw addressed in that release cycle.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21413
Microsoft published CVE-2025-21413 as a Windows Telephony Service remote code execution vulnerability in its Security Update Guide. The disclosure was part of the January 2025 security updates.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21409
Microsoft disclosed CVE-2025-21409, a Windows Telephony Service remote code execution vulnerability, in January 2025. The advisory marks another distinct Telephony Service RCE issue addressed that month.
Microsoft publishes Windows Direct Show RCE CVE-2025-21291
Microsoft added CVE-2025-21291 to the Security Update Guide as a remote code execution vulnerability in Windows Direct Show. The disclosure occurred in the January 2025 release cycle.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21273
Microsoft disclosed CVE-2025-21273 as another Windows Telephony Service remote code execution vulnerability. The flaw was listed in the January 2025 Security Update Guide.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21266
Microsoft published CVE-2025-21266, a Windows Telephony Service remote code execution vulnerability, in its January 2025 security updates. Duplicate advisory and vulnerability listings refer to the same disclosure event.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21244
Microsoft disclosed CVE-2025-21244 as a Windows Telephony Service remote code execution vulnerability in its Security Update Guide. The advisory was published as part of the January 2025 Patch Tuesday security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21250
Microsoft disclosed CVE-2025-21250 as a Windows Telephony Service remote code execution vulnerability in the Security Update Guide. The issue was published during the January 2025 Patch Tuesday cycle.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21243
Microsoft disclosed CVE-2025-21243, a Windows Telephony Service remote code execution vulnerability, in its January 2025 security guidance. The entry represents a distinct Telephony Service flaw.
Microsoft publishes Windows Telephony Service RCE CVE-2025-21240
Microsoft published CVE-2025-21240 as a Windows Telephony Service remote code execution vulnerability in the January 2025 Security Update Guide. This was one of several Telephony Service RCE issues disclosed that day.
Microsoft publishes Windows Telephony Service RCE CVE-2024-43635
Microsoft disclosed CVE-2024-43635 as a Windows Telephony Service remote code execution vulnerability through its Security Update Guide. The advisory was published as part of the November 2024 security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2024-43627
Microsoft disclosed CVE-2024-43627, another Windows Telephony Service remote code execution vulnerability, through its Security Update Guide. The publication marks a separate Telephony Service flaw addressed in November 2024.
Microsoft publishes Windows Telephony Service RCE CVE-2024-43622
Microsoft disclosed CVE-2024-43622, a Windows Telephony Service remote code execution vulnerability, through its Security Update Guide. The advisory was published as part of the November 2024 security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2024-43621
Microsoft disclosed CVE-2024-43621, a Windows Telephony Service remote code execution vulnerability, through its Security Update Guide. The advisory was published as part of the November 2024 security releases.
Microsoft publishes Windows Telephony Service RCE CVE-2024-43620
Microsoft disclosed CVE-2024-43620, a remote code execution vulnerability in Windows Telephony Service, in its Security Update Guide. The entry indicates the issue was addressed in the November 2024 release cycle.
Microsoft publishes SQL Server Native Client RCE advisory CVE-2024-49012
Microsoft added CVE-2024-49012 to its Security Update Guide as a remote code execution vulnerability affecting SQL Server Native Client. The advisory was published as part of Microsoft's November 2024 security releases.
Microsoft publishes Windows TCP/IP RCE CVE-2024-38045
Microsoft disclosed CVE-2024-38045 as a remote code execution vulnerability affecting Windows TCP/IP through its Security Update Guide. The advisory was published as part of Microsoft's September 2024 security releases.
Microsoft publishes Windows Network Virtualization RCE CVE-2024-38160
Microsoft disclosed CVE-2024-38160 as a remote code execution vulnerability affecting Windows Network Virtualization through its Security Update Guide. The advisory was published as part of Microsoft's August 2024 security releases.
Microsoft publishes Windows OLE RCE CVE-2024-30077
Microsoft disclosed CVE-2024-30077 as a remote code execution vulnerability affecting Windows OLE through its Security Update Guide. The advisory was published as part of Microsoft's June 2024 security releases.
Microsoft publishes Windows Media RCE CVE-2023-21740
Microsoft disclosed CVE-2023-21740 as a remote code execution vulnerability affecting Windows Media through its Security Update Guide. The advisory was published as part of Microsoft's December 2023 security releases.
Microsoft publishes PEAP RCE CVE-2023-36028
Microsoft disclosed CVE-2023-36028, a remote code execution vulnerability in Microsoft Protected Extensible Authentication Protocol (PEAP), through its Security Update Guide. The advisory was published as part of Microsoft's November 2023 security releases.
Microsoft discloses and fixes CVE-2021-34458 in Windows Kernel
Microsoft published guidance for CVE-2021-34458, a critical Windows Kernel remote code execution vulnerability affecting systems hosting virtual machines with SR-IOV-capable hardware. The company said the flaw was not publicly disclosed or exploited in the wild at publication time and that a fix was available.
Sources
50 references tracked. Mallory keeps watching after this page renders.
CVE-2026-24288 - Security Update Guide - Microsoft - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-24288 - Security Update Guide - Microsoft - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-21244 - Security Update Guide - Microsoft - Windows Hyper-V Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-21248 - Security Update Guide - Microsoft - Windows Hyper-V Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2024-43620 - Security Update Guide - Microsoft - Windows Telephony Service Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2024-43621 - Security Update Guide - Microsoft - Windows Telephony Service Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2024-43635 - Security Update Guide - Microsoft - Windows Telephony Service Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2024-43627 - Security Update Guide - Microsoft - Windows Telephony Service Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Multiple Windows Remote Desktop Services RCE Flaws
Microsoft disclosed and patched several **remote code execution** vulnerabilities affecting Windows Remote Desktop components, including **Remote Desktop Services** flaws tracked as `CVE-2025-21309`, `CVE-2025-24045`, and `CVE-2024-49123`. The issues were published through the Microsoft Security Response Center update guide and indicate continued security exposure in services commonly used for remote administration and application access across Windows environments. Microsoft also published a related **Windows Remote Desktop Licensing Service** remote code execution vulnerability, `CVE-2024-38263`, expanding the affected surface beyond core Remote Desktop Services. The cluster of advisories highlights the need for organizations to prioritize patching internet-exposed and internally accessible RDS infrastructure, review segmentation around remote access systems, and verify that all Windows servers running Remote Desktop roles and licensing components have the latest security updates applied.
May 25, 2026
Microsoft Patches Critical Remote Desktop Client and HTTP.sys RCE Flaws
Microsoft’s June 2026 Patch Tuesday delivered a record-setting security release, with reports citing **206 to 208 CVEs** addressed across Windows, Office, Azure, SQL Server, and other products, including **32 critical** issues. Among the most urgent were multiple **Remote Desktop Client** remote code execution flaws—`CVE-2026-42985`, `CVE-2026-47289`, `CVE-2026-44801`, `CVE-2026-44799`, and `CVE-2026-48563`—that could let an attacker run code on a victim system if the user connected to a malicious Remote Desktop Server or accepted a specially crafted RDP certificate. Microsoft rated `CVE-2026-42985` as **more likely** to be exploited, while the others were assessed as less likely at publication; several of the bugs were credited to Kyeongmin Kim of KAIST Hacking Lab. Microsoft also disclosed **`CVE-2026-47291`**, a critical **HTTP.sys** remote code execution vulnerability with a **CVSS 9.8** score that can be exploited remotely without authentication or user interaction by sending a specially crafted packet to a server using the Windows HTTP Protocol Stack. Microsoft said systems using the default `MaxRequestBytes` setting are not affected, but warned that servers with higher values may be vulnerable and advised administrators to set the registry value to a safe level and restart the HTTP service or host until patches are applied. Cisco Talos published Snort coverage for many of the newly disclosed flaws, while separate reporting also highlighted one actively exploited zero-day in Microsoft Defender and additional high-risk issues in Hyper-V, DHCP Client, Secure Boot, and UEFI components.
Jun 19, 2026
Microsoft Discloses Remote Code Execution Flaws in Remote Desktop and RPC Components
Microsoft published security advisories for multiple remote code execution vulnerabilities affecting **Remote Desktop Client**, **Remote Desktop Protocol**, and the **Remote Procedure Call (RPC) Runtime**. The referenced issues include `CVE-2025-58718` in the Remote Desktop Client, alongside earlier Microsoft advisories for `CVE-2022-21851` in the Remote Desktop Client, `CVE-2022-21893` in Remote Desktop Protocol, and `CVE-2022-21922` in the RPC Runtime. The advisories indicate continued security risk around core Windows remote access and interprocess communication components that are widely used in enterprise environments. For defenders, the common thread is exposure to **remote code execution** in services and clients tied to remote connectivity, making Microsoft’s security updates for these CVEs a priority for systems that rely on RDP and RPC functionality.
May 25, 2026