  • Hackers are selling a Windows exploit for $220,000 on the dark web


    Karlston


    A Windows exploit that grants system-level access to attackers is currently up for sale on the dark web for $220,000.

    Someone is currently trying to sell a Windows exploit on the dark web for $220,000. The exploit specifically targets Windows Remote Desktop Services and gives an attacker system-level privileges on a compromised computer.

     

    A relatively new user, who goes by the forum name "Kamirmassabi," recently posted an ad in the malware and exploits section of an underground forum. The ad specifically describes the vulnerability as a "zero day," and asks interested buyers to contact the seller via private message to discuss the purchase.

    The vulnerability itself is tracked as CVE-2026-21533. It allows an attacker to manipulate a specific service configuration registry key for TermService, the Windows service behind Remote Desktop Services, and elevate their privileges to system level on a targeted computer.

    However, for the exploit to work, an attacker needs to already have low-privilege authenticated access to a local machine. This means hackers would have to gain initial access to a targeted system first, likely using one of the well-established phishing schemes, like tricking targeted users into downloading malicious files that would grant an attacker initial access to the machine.

     

    What's interesting about this specific exploit is that Microsoft has already fixed the underlying vulnerability. It was patched as part of February's Patch Tuesday update. The vulnerability had a wide reach, affecting various builds of Windows 10 and Windows 11, as well as server editions ranging from Windows Server 2012 up to Windows Server 2025.

    Attackers are probably betting that many enterprise networks haven't updated their systems yet, and that's where they're looking for an opportunity to strike. If the vulnerability were unaddressed, its asking price on the dark web probably would've been much higher.

     

    We're seeing an emerging trend in the cybersecurity space, where bad actors have started acting as vendors, instead of carrying out the attacks themselves. Last week, we uncovered a plot where a fake RMM company was using its landing page as a storefront for renting out legitimate EV certificates to hackers.

     

    If you're an admin of an enterprise network, you should install the February 2026 Security Update immediately to remove this vulnerability from your system.

     

    Via: Dark Web Informer (X)

     

    Source


    Hope you enjoyed this news post. Feedback welcome.

    Posted Tuesday 10 March 2026 at 1:37 pm AEST (my time).
