HIGHCVSS8.8

|CVE-2026-32157|Auth: see msrc advisory|Reboot: required|Manual only

KB5082123: Windows Server 2019 Security Update (April 2026)

An attacker who lures a user into connecting to a malicious RDP server — including via a crafted "rdp:" link — can execute code on the connecting Windows machine.

Published Apr 14, 2026 · Updated May 23, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

An attacker who stands up a malicious RDP server and persuades a victim to connect — through a phishing email containing an "rdp:" link, a malicious .rdp file attachment, or a compromised connection broker — can execute code in the context of the user running the Remote Desktop client. On a server used as an administrative jump box, the connecting account is often highly privileged, magnifying the impact.

How the attack works

This is a flaw in the Remote Desktop CLIENT, not the server — it affects the machine making an outbound RDP connection. When the Remote Desktop client connects to a server, a malicious server can return crafted data that the client mishandles, leading to code execution on the client. Connections can be initiated by a user clicking a crafted "rdp:" URI link, so the trigger is as simple as opening a link.

Am I affected?Quick check

Probably yes if any of these apply:

●Servers used as administrative workstations / jump boxes (outbound RDP from privileged accounts)

●Any Windows host whose users initiate RDP connections

Affected OS versions

Windows Server 2019

Real-world incidentsWhat we've seen

An administrator receives an email that looks like an internal ticket with a "connect to this server" RDP link. Clicking it opens the Remote Desktop client, which connects to the attacker's malicious RDP server; the crafted response executes code as the admin. Because admins on jump boxes frequently hold domain-privileged accounts, a client-side RDP RCE is a direct path from one phished click to privileged code execution.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5082123

Manual remediation steps

Reduce exposure beyond patching

Client-side RDP RCE is triggered by connecting OUT to a malicious server. In addition to patching:

Block the rdp: URI handler where remote-desktop links are not needed.

Restrict outbound RDP (TCP/UDP 3389) to known internal destinations at the firewall.

Prerequisites

Local administrator on the target server

Maintenance window with reboot capacity

Current backup or snapshot you can roll back to

Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5082123 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5082123

Download the MSU for Windows Server 2019 that matches your architecture (x64).

Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5082123
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5082123 /quiet /norestart

Notes

This entry covers Windows Server 2019 specifically (KB5082123). Other Windows Server versions have their own KB for CVE-2026-32157.

Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32157 and NVD https://nvd.nist.gov/vuln/detail/CVE-2026-32157.

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2026-32157 ↗ MSRC Advisory ↗ NVD ↗ KBKB5082123