Someone is currently trying to sell a Windows exploit on the dark web for $220,000. The exploit specifically targets Windows Remote Desktop Services and gives an attacker system-level privileges on a compromised computer.
A relatively new user, who goes by the forum name "Kamirmassabi," recently posted an ad in the malware and exploits section of an underground forum. The ad specifically describes the vulnerability as a "zero day" and asks interested buyers to contact the seller via private message to discuss the purchase.
The vulnerability itself is tracked as CVE-2026-21533. It allows an attacker to manipulate a specific service configuration registry key under TermService and elevate their privileges to system level on a targeted computer.
However, for the exploit to work, an attacker needs to already have low-privilege authenticated access to a local machine. This means hackers would have to gain initial access to a targeted system first, likely using one of the well-established phishing schemes, like tricking targeted users into downloading malicious files that would grant an attacker initial access to the machine.
What's interesting about this specific exploit is that Microsoft already fixed it. The vulnerability was patched as part of February's Patch Tuesday update. It had a wide reach, affecting various builds of Windows 10 and Windows 11, as well as server editions ranging from Windows Server 2012 up to Windows Server 2025.
Attackers are probably betting that many enterprise networks haven't updated their systems yet, and that's where they're looking for an opportunity to strike. If the vulnerability were unaddressed, its asking price on the dark web probably would've been much higher.
We're seeing an emerging trend in the cybersecurity space, where bad actors have started acting as vendors, instead of carrying out the attacks themselves. Last week, we uncovered a plot where a fake RMM company was using its landing page as a storefront for renting out legitimate EV certificates to hackers.
If you're an admin of an enterprise network, you should install the February 2026 Security Update immediately to remove this vulnerability from your system.
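While patching rolls out, defenders can also watch for registry writes under the TermService service key made by accounts other than SYSTEM. The following is an added example, not part of the original article: it assumes Sysmon registry events (IDs 12 to 14) exported as one JSON object per line, and the sample events, account names and value names are constructed.

```python
import json
import re

# Service key for Remote Desktop Services; match the key itself or anything
# below it, in CurrentControlSet or a numbered control set, case-insensitively.
TERMSERVICE_KEY = re.compile(
    r"^hklm\\system\\(currentcontrolset|controlset\d{3})\\services\\termservice(\\|$)",
    re.IGNORECASE,
)
# Accounts expected to change service configuration (assumption; tune per estate).
EXPECTED_WRITERS = {"nt authority\\system"}
# Sysmon registry events: 12 = key create/delete, 13 = value set, 14 = rename.
REGISTRY_EVENT_IDS = {12, 13, 14}

# Constructed sample events (not real telemetry); value names are placeholders.
SAMPLE_EVENTS = r'''
{"EventID": 13, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\services.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\TermService\\ExampleValue"}
{"EventID": 13, "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\a.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\TermService\\Parameters\\ExampleValue"}
{"EventID": 13, "User": "CORP\\jdoe", "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\System\\ControlSet001\\Services\\TermService\\ExampleValue"}
{"EventID": 13, "User": "CORP\\jdoe", "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\TermServiceHelper\\ExampleValue"}
{"EventID": 1, "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\cmd.exe"}
'''


def suspicious_termservice_writes(lines):
    """Return (user, image, target) for unexpected writes under the TermService key."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(event, dict) or event.get("EventID") not in REGISTRY_EVENT_IDS:
            continue
        target = event.get("TargetObject", "")
        user = event.get("User", "")
        if TERMSERVICE_KEY.match(target) and user.lower() not in EXPECTED_WRITERS:
            hits.append((user, event.get("Image", ""), target))
    return hits


if __name__ == "__main__":
    for user, image, target in suspicious_termservice_writes(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT user={user} image={image} key={target}")
```

On the sample data this flags the two writes by the non-SYSTEM account under the TermService key and ignores both the SYSTEM write and the similarly named TermServiceHelper key.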