A threat actor identified as “Kamirmassabi” is allegedly selling a zero-day exploit for a Windows Remote Desktop Services privilege escalation vulnerability, tracked as CVE-2026-21533, for a staggering $220,000 on a dark web forum. This highly priced exploit targets improper privilege management to grant attackers local administrative control.
The underground cybersecurity community has observed a new high-stakes listing on a dark web forum, where a recently registered user named Kamirmassabi is auctioning an exploit for CVE-2026-21533.
The threat actor, who created their account on March 3, 2026, posted the listing in the “[Virology] – malware, exploits, bundles, AZ, crypt” section.
The advertisement spotted by Dark Web Informer explicitly labels the vulnerability as a “0day” and sets the purchase price at $220,000, requesting interested buyers to reach out via private messages for feedback and transactions.
Microsoft disclosed and patched CVE-2026-21533 in February 2026, so despite the “0day” label in the listing this is an n-day exploit for a publicly known, fixable flaw. The risk lies in the long tail of systems that have not yet applied the update: against those, a reliable, weaponized exploit presents a severe risk to enterprise environments.
The price, if genuine, suggests the seller believes the exploit is reliable across a range of Windows builds, but nothing in the listing substantiates that claim and the exploit has not been independently verified. What the screenshot captured by Dark Web Informer does show is an active solicitation, and with it how quickly a critical vulnerability is commercialized in the cybercriminal underground once it becomes public.
CVE-2026-21533 is a severe Elevation of Privilege (EoP) vulnerability rooted in improper privilege management within Windows Remote Desktop.
The flaw occurs because the product fails to properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control. Exploitation is local: an attacker who already holds a low-privileged account on the system, for example through phishing or stolen Remote Desktop credentials, could elevate to full administrative control. That makes the bug a post-compromise tool rather than an initial-access vector, which is worth keeping in mind when weighing the listing.
This vulnerability impacts a vast array of Microsoft operating systems, including various builds of Windows 10, Windows 11, and Windows Server editions ranging from 2012 to the latest 2025 releases.
With a CVSSv3 score of 7.8, the vulnerability is classified as high severity, and its addition to the CISA Known Exploited Vulnerabilities catalog underscores the immediate need for remediation.
To mitigate this threat, organizations should apply the Microsoft security updates that address CVE-2026-21533 to every affected endpoint and server without delay. Organizations bound by CISA BOD 22-01 must remediate by the due date set in the KEV catalog entry, follow the directive's guidance for cloud services where it applies, or discontinue use of Remote Desktop Services on systems that cannot be patched.
Beyond patching, administrators should disable RDS on hosts that do not need it; where it is required, restrict inbound RDP to management networks or a VPN, require Network Level Authentication, and ensure EDR coverage on RDS hosts so that privilege escalation attempts, such as a low-privileged session spawning SYSTEM-level processes, are detected. Because the flaw is a local elevation, the controls that matter most are the patch itself and limiting who can hold a session on RDS hosts in the first place.
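The following is an added example, not code from the article, Microsoft or CISA: an elevated PowerShell script that carries out the mitigation steps above on a single Windows host (check the patch level, remove or scope RDS exposure, and review recent RDP sessions for the low-privileged population this elevation-of-privilege bug would target). The minimum patched build (`-MinimumPatchedBuild`), the trusted management network (`-TrustedRdpSources`) and the `Get-EventFields` helper are assumptions of this example; the build number must be taken from the Microsoft advisory for your OS branch, and nothing here detects the exploit itself.

```powershell
<#
 Added example (not from the article, Microsoft or CISA). Run elevated.
 ASSUMPTIONS: -MinimumPatchedBuild is a placeholder to fill from the MSRC
 advisory for CVE-2026-21533; -TrustedRdpSources is an assumed management net.
#>
param(
    [string]$MinimumPatchedBuild = '0.0',            # "CurrentBuildNumber.UBR" of the fixed build
    [string[]]$TrustedRdpSources = @('10.10.0.0/16'), # assumed: networks allowed to reach RDP
    [switch]$DisableRds                               # set when this host does not need RDS
)
$ErrorActionPreference = 'Stop'

# --- 1. Patch state -----------------------------------------------------------
# Cumulative updates are not reliably visible to Get-HotFix, so compare the
# running build and update build revision (UBR) with the fixed build instead.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [version]('{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
Write-Host "Running build $build"
if ($MinimumPatchedBuild -eq '0.0') {
    Write-Warning 'No -MinimumPatchedBuild supplied; take it from the advisory for this OS branch.'
} elseif ($build -lt [version]$MinimumPatchedBuild) {
    Write-Warning "Build $build is below $MinimumPatchedBuild; install the latest cumulative update."
} else {
    Write-Host "Build meets the minimum you specified ($MinimumPatchedBuild)."
}

# --- 2. RDS exposure ----------------------------------------------------------
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
$deny   = (Get-ItemProperty $tsKey).fDenyTSConnections
$svc    = Get-Service -Name TermService
Write-Host ('RDP connections {0}; TermService {1} ({2})' -f
    $(if ($deny -eq 1) { 'denied' } else { 'allowed' }), $svc.Status, $svc.StartType)

if ($DisableRds) {
    # Host does not need RDS: refuse connections, close the firewall, stop the service.
    Set-ItemProperty $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Set-Service -Name TermService -StartupType Disabled
    Stop-Service -Name TermService -Force
    Write-Host 'Remote Desktop Services disabled.'
} else {
    # Host needs RDS: require Network Level Authentication and scope the
    # built-in "Remote Desktop" firewall rules to the trusted network only.
    Set-ItemProperty $rdpTcp -Name UserAuthentication -Value 1
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
        Set-NetFirewallRule -RemoteAddress $TrustedRdpSources
    Write-Host "RDP limited to $($TrustedRdpSources -join ', ') with NLA required."
}

# --- 3. Who has been on RDP recently? -----------------------------------------
# CVE-2026-21533 is a local EoP, so the sessions at risk are the low-privileged
# interactive ones. List RDP logons (4624, LogonType 10) from the last 24 hours
# and mark those that already received admin privileges at logon (4672 with the
# same logon ID). Unmarked rows are the population an exploit would elevate.
# This is exposure review, not exploit detection; EDR on the RDS hosts does that.
function Get-EventFields([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Helper assumed by this example: flatten EventData into a hashtable.
    $x = [xml]$Event.ToXml()
    $f = @{ Time = $Event.TimeCreated }
    foreach ($d in $x.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    return $f
}
$since = (Get-Date).AddHours(-24)
$privLogonIds = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $privLogonIds[(Get-EventFields $_).SubjectLogonId] = $true }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Where-Object { $_.LogonType -eq '10' } |
    ForEach-Object {
        [pscustomobject]@{
            Time              = $_.Time
            User              = "$($_.TargetDomainName)\$($_.TargetUserName)"
            Source            = $_.IpAddress
            LogonId           = $_.TargetLogonId
            AlreadyPrivileged = $privLogonIds.ContainsKey($_.TargetLogonId)
        }
    } | Format-Table -AutoSize
```

Run it once per RDS host as `.\Harden-Rds.ps1 -MinimumPatchedBuild <build.UBR from the advisory>`; add `-DisableRds` on hosts where RDS is not needed. The third section only works if the Security log is retaining 4624 and 4672 events; on a busy terminal server widen or narrow the `$since` window as needed.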