🚨 CRITICAL ALERT: FreeRDP Client-Side RCE (CVSS 9.1)
The Tech:
A critical vulnerability (CVE-2026-24679, CVSS 9.1) in FreeRDP, a free implementation of the Remote Desktop Protocol, allows client-side remote code execution via the URBDRC client. This affects users connecting to a malicious or compromised RDP server.
The Real World View:
If you're using FreeRDP to connect to a remote desktop, this is like plugging your personal laptop into a public computer and having the public computer infect your laptop simply because you connected. The compromise happens on your end, the client side, potentially granting attackers control over your machine.
Action:
Update FreeRDP to version 3.22.0 or later immediately. Exercise extreme caution when connecting to untrusted or public RDP servers. Consider alternative secure remote access solutions where possible.
CVE-2026-24679 is a critical security vulnerability affecting FreeRDP, a free implementation of the Remote Desktop Protocol. Prior to version 3.22.0, the URBDRC client used server-supplied interface numbers as array indices without bounds checks, leading to an out-of-bounds read in libusb_udev_select_interface. Because the index comes from the server, a malicious or compromised server controls it. This vulnerability, rated with a CVSS score of 9.1, can be exploited remotely without authentication, potentially leading to full system compromise, data theft, or malware installation. Users are advised to apply the latest security patches from FreeRDP and monitor their systems for any signs of exploitation.
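The bug class described above is an untrusted value used directly as an array index. The following is an added illustration, not FreeRDP's code and not its real data structures: a hypothetical interface table (usb_device_t, usb_interface_t, MAX_INTERFACES are all assumptions) indexed by a server-supplied number, showing the unchecked pattern the advisory describes beside the hardened form that validates the index against the number of populated entries and fails closed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model for illustration only (not FreeRDP's
 * actual structures): a redirected USB device exposes a small table of
 * interfaces, and the peer names which one to select by sending a number. */
#define MAX_INTERFACES 4

typedef struct {
    uint8_t number;          /* bInterfaceNumber as seen on the bus */
    uint8_t num_altsettings; /* alternate settings on this interface */
} usb_interface_t;

typedef struct {
    usb_interface_t interfaces[MAX_INTERFACES];
    size_t num_interfaces;   /* how many entries are actually populated */
} usb_device_t;

/* Vulnerable shape: the value received from the peer is used directly as
 * an array index. Any interface_number >= num_interfaces reads past the
 * populated entries, and anything >= MAX_INTERFACES reads past the array
 * itself. Never call this with untrusted input; it is here for contrast. */
int select_interface_unchecked(const usb_device_t *dev, uint32_t interface_number)
{
    const usb_interface_t *iface = &dev->interfaces[interface_number];
    return iface->num_altsettings;
}

/* Hardened form: reject anything outside the populated table before it is
 * used as an index, and leave the output untouched on failure so a caller
 * cannot accidentally act on stale or uninitialised data. */
int select_interface_checked(const usb_device_t *dev, uint32_t interface_number,
                             uint8_t *out_altsettings)
{
    if (dev == NULL || out_altsettings == NULL)
        return -1;
    /* Compare against the populated count, not MAX_INTERFACES: entries beyond
     * num_interfaces exist in memory but carry no valid data. An unsigned
     * compare also rejects huge values without any sign-wrap surprises. */
    if (interface_number >= dev->num_interfaces)
        return -1;
    *out_altsettings = dev->interfaces[interface_number].num_altsettings;
    return 0;
}

/* Constructed sample device with two populated interfaces (demo data). */
usb_device_t make_sample_device(void)
{
    usb_device_t dev;
    memset(&dev, 0, sizeof dev);
    dev.interfaces[0].number = 0;
    dev.interfaces[0].num_altsettings = 1;
    dev.interfaces[1].number = 1;
    dev.interfaces[1].num_altsettings = 3;
    dev.num_interfaces = 2;
    return dev;
}

int main(void)
{
    usb_device_t dev = make_sample_device();
    uint8_t alt = 0;
    /* A peer-supplied index that is in range, and one that is not. */
    const uint32_t from_peer[] = { 1u, 2u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof from_peer / sizeof from_peer[0]; i++) {
        int rc = select_interface_checked(&dev, from_peer[i], &alt);
        if (rc == 0)
            printf("interface %u selected, %u altsetting(s)\n", from_peer[i], alt);
        else
            printf("interface %u rejected: out of range\n", from_peer[i]);
    }
    return 0;
}
```

The check compares against the populated count rather than the array capacity, which is the stricter of the two and is the one that matters when the table is larger than the device actually reports.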