Cyber Resilience

CVE-2022-26940

Severity: Medium
Published: 10 May 2022
Modified: 07 July 2025
KEV Added: not listed
Patch: Microsoft update published (see Deeper analysis)
CVSS v3.1: 6.5 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.1635 (95.0th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-26940 is a medium-severity information disclosure vulnerability in the Microsoft Remote Desktop Protocol (RDP) client, affecting Windows 11 and Windows Server 2022. Its CVSS v3.1 base score is 6.5 (Medium); no CWE is recorded for it on this page.

Operationally, its EPSS score places it in the top 5.0% of CVEs by predicted exploit likelihood, but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-26940 is an information disclosure vulnerability in the Remote Desktop Protocol (RDP) client component of Microsoft Windows. It carries a CVSS v3.1 base score of 6.5 with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: network attack vector, low complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality impact with no impact on integrity or availability. In plain terms, sensitive data on the client can be exposed when it connects to a remote endpoint, without any further interaction from the user.

Exploitation is network-based and requires only low privileges (PR:L): an attacker who controls the RDP server the client connects to, or who can otherwise interpose on the session, can trigger the flaw without user interaction (UI:N). Successful exploitation discloses confidential information from the client system; integrity and availability are unaffected (I:N/A:N).

Microsoft has published security guidance and a Microsoft Update Catalog entry for CVE-2022-26940 through MSRC. The EPSS score has held at 0.1635 since disclosure, so the model shows no sign of rising exploitation interest, although its 95th-percentile rank already places it well above most CVEs.

Vulnerability details

Remote Desktop Protocol Client Information Disclosure Vulnerability

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Remote Desktop Client (all versions)
Microsoft Windows 11 (all versions)
Microsoft Windows Server 2022 (all versions)

Mitigating Controls

No mitigating controls have been mapped to this CVE yet; the per-CVE control annotation has not reached it.
