The big picture: A cybercriminal is reportedly selling a Windows zero-day exploit on the dark web for $220,000. The vulnerability, which targets Windows Remote Desktop Services, could allow an attacker to gain system-level privileges on compromised PCs. It affects Windows 10, Windows 11, and all Windows Server editions from 2012 through 2025.
According to X user Dark Web Informer, a cybercriminal known as Kamirmassabi recently posted an ad on an underground hacking forum, offering to sell a zero-day exploit for a critical elevation of privilege vulnerability in Windows 10 and 11. The steep $220,000 asking price suggests the exploit is aimed primarily at deep-pocketed state actors or corporate spies.
Tracked as CVE-2026-21533, the vulnerability leverages improper privilege management to grant attackers full administrative control over compromised machines. The bug is remotely exploitable, enabling attackers to execute code, install programs, steal data, modify system settings, and perform any other actions requiring system-level access.
– Dark Web Informer (@DarkWebInformer) March 6, 2026
It is worth noting that an attacker must already have access to the target device for the exploit to work. How attackers are initially creating user profiles remotely without elevated privileges is unclear, but online speculation suggests phishing schemes are being used to trick users into downloading malicious files that grant full access to the machine.
The vulnerability has a CVSSv3 score of 7.8, indicating high severity. Microsoft stated it is aware the bug is being actively exploited in the wild, though it did not provide specific instances. The company also noted that the vulnerability was fixed in the February Patch Tuesday update, so downloading and installing the latest patches should mitigate the threat.
For enterprise environments where patches cannot be applied immediately due to company policy, administrators are advised to disable Remote Desktop Services and follow the applicable CISA BOD 22-01 guidance. Users should also restrict Remote Desktop access to trusted networks and deploy Endpoint Detection and Response solutions to monitor for unauthorized registry changes and privilege escalation attempts.
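As an added illustration (not code from the article or from Microsoft), the following PowerShell script audits a single host against the interim mitigations described above and, only with `-Enforce`, applies them. It assumes it is run as Administrator; `$TrustedSubnet` and `$PatchKB` are placeholders, since the page does not name the management network or the KB number of the February fix.

```powershell
# Added example: audit and optionally enforce the interim RDS mitigations.
# Assumptions: run elevated; $TrustedSubnet and $PatchKB are placeholders to replace.
param(
    [string]$TrustedSubnet = '10.0.0.0/24',  # placeholder: your management network
    [string]$PatchKB       = 'KB0000000',    # placeholder: KB carrying the CVE-2026-21533 fix
    [switch]$Enforce                         # without -Enforce the script only reports
)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Is the fix already installed? If so, the interim mitigation is not needed.
$patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
Write-Host "Patch $PatchKB installed: $patched"

# 2. Does the host accept Remote Desktop connections? fDenyTSConnections = 1 refuses them.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -ne 1)
Write-Host "Remote Desktop connections enabled: $rdpEnabled"

# 3. Which enabled firewall rules expose RDP, and from which remote addresses?
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
foreach ($r in $rdpRules) {
    $addr = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    Write-Host ("Rule '{0}' allows remote addresses: {1}" -f $r.DisplayName, $addr)
}

if ($patched -or -not $Enforce) { return }

# Interim hardening for an unpatched host: refuse RDP connections, stop and disable the
# Remote Desktop Services service, and scope any remaining RDP rules to the trusted network.
# Note: running this over an RDP session will disconnect that session.
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
Stop-Service -Name TermService -Force
Set-Service  -Name TermService -StartupType Disabled
if ($rdpRules) { $rdpRules | Set-NetFirewallRule -RemoteAddress $TrustedSubnet }
Write-Host "Remote Desktop disabled; remaining RDP rules restricted to $TrustedSubnet"
```

Run it without `-Enforce` first to record the current state, and re-run the audit after the February update is applied so the service can be re-enabled deliberately rather than left off by accident.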
Another critical Windows vulnerability with a publicly released proof-of-concept exploit is CVE-2026-2636, a denial-of-service flaw in the Windows Common Log File System (CLFS) driver. Discovered by Ricardo Narvaja of Fortra, it allows any user with basic privileges to trigger unrecoverable blue screen of death crashes.