Hackers Offer Windows Exploit For $220,000 On Dark Web

A serious Windows vulnerability is reportedly being sold on the dark web for $220,000, highlighting the growing market for cyberattack tools and exploits.

The exploit targets Windows Remote Desktop Services (RDS) and could allow attackers to gain system-level privileges on compromised machines. Windows RDS is a widely used tool for organizations to access computers and servers remotely.

Exploit Advertised On Underground Forum

The vulnerability, tracked as CVE-2026-21533, was advertised by a relatively new user operating under the alias “Kamirmassabi” on an underground cybercrime forum.

The advertisement appeared in the forum’s malware and exploit marketplace, where the seller described the flaw as a “zero-day” exploit, meaning it can be used before most systems are protected. The seller also invited interested buyers to contact them via private messages to discuss the purchase.

How The Exploit Works 

The vulnerability allows attackers to manipulate a specific service configuration registry key under the TermService protocol. By exploiting this weakness, attackers can elevate their privileges to system-level access on a targeted computer, which is one of the highest levels of control on a Windows machine.

However, the exploit cannot be used completely remotely. Attackers must first obtain low-privilege authenticated access to the system before escalating privileges. This initial access could be obtained through methods such as phishing emails, malicious downloads, or compromised credentials.

Once inside, attackers could potentially gain complete control of the machine and move deeper into the network.
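
For defenders, the behaviour described above (a low-privilege account changing service configuration for TermService) can be hunted in registry telemetry. The following is an added example, not code from the article or from Microsoft. It assumes Sysmon-style registry events (Event IDs 12 to 14) already parsed into dictionaries with a User field, and it assumes an allow-list of expected writers. The sample events and the value name in them are constructed.

```python
import re

# Assumption: events are dicts carrying Sysmon registry-event fields
# (EventID 12/13/14, User, Image, TargetObject), already parsed from the log.
REGISTRY_EVENT_IDS = {12, 13, 14}

# Service configuration for Remote Desktop Services lives under this key.
# ControlSet00N is matched too, because CurrentControlSet is a link to one of them.
TERMSERVICE_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\TermService(\\|$)",
    re.IGNORECASE,
)

# Assumption: only these principals are expected to change the service's configuration.
EXPECTED_WRITERS = {"nt authority\\system", "nt service\\trustedinstaller"}


def flag_termservice_writes(events):
    """Return events where an unexpected account touched TermService configuration."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in REGISTRY_EVENT_IDS:
            continue  # not a registry create/delete, value-set or rename event
        if not TERMSERVICE_KEY.match(ev.get("TargetObject", "")):
            continue  # different key, including look-alikes such as TermServiceX
        if ev.get("User", "").lower() in EXPECTED_WRITERS:
            continue  # expected writer, e.g. servicing or the service control manager
        hits.append(ev)
    return hits


# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\TermService\\Start"},
    {"EventID": 13, "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\tool.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\TermService\\Parameters\\ConstructedValue"},
    {"EventID": 13, "User": "CORP\\jdoe", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\TermServiceX\\Start"},
    {"EventID": 1, "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for hit in flag_termservice_writes(SAMPLE_EVENTS):
        print(f"ALERT {hit['User']} via {hit['Image']} -> {hit['TargetObject']}")
```

Tune the allow-list to the accounts that legitimately manage Remote Desktop settings in your environment before alerting on the results.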

Microsoft Patch Already Released

Microsoft has already addressed the vulnerability as part of its February 2026 Patch Tuesday security updates. The issue affects a wide range of Windows systems, including:

  • Windows 10
  • Windows 11
  • Windows Server 2012
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025

The flaw carries a CVSS severity score of 7.8, indicating a significant risk if exploited, because it allows privilege escalation on compromised systems.

If the vulnerability had remained unpatched, experts say the exploit could have been worth significantly more on the dark web.

Attackers Betting On Unpatched Systems

Despite the patch being available, cybercriminals may still profit by targeting organizations that delay installing security updates. Large organizations often take time to deploy updates across complex networks, creating a window of opportunity for attackers.

Security experts believe this is likely why the exploit is still being marketed, even though the vulnerability has already been addressed.

Experts Urge Immediate Updates

Cybersecurity experts are urging system administrators to install the February 2026 security update immediately to eliminate the vulnerability.

Keeping systems fully patched remains one of the most effective ways to prevent attackers from exploiting known flaws circulating in underground forums.

Kavita Iyer