Is CVE-2026-32157 a real mobile exploit targeting RCS protocols?

No, CVE-2026-32157 is officially assigned to a Use-After-Free Remote Code Execution vulnerability in the Microsoft Remote Desktop Client. The dark web listing claiming it is a zero-click RCS exploit for Android and iOS is a highly probable cybercrime scam designed to steal cryptocurrency from prospective buyers.

How can enterprise environments mitigate actual zero-click messaging risks?

To protect mobile devices against legitimate zero-click exploits targeting messaging protocols, organizations should use mobile device management (MDM) solutions to enforce strict security policies. This includes disabling the automated downloading of media attachments and turning off automatic voice-message transcriptions, which typically trigger vulnerable media codec parsers.

Back to Threat Intelligence

vulnerabilityhigh

Unmasking the Fake CVE-2026-32157 Mobile RCS Exploit

A dark web listing claims to sell a zero-click mobile exploit chain under CVE-2026-32157 targeting RCS on Android and iOS. However, threat intelligence reveals this is a cryptocurrency scam exploiting a real Microsoft Remote Desktop vulnerability identifier to deceive buyers.

Published: June 28, 2026Source date: June 15, 2026Check your domain

Unmasking the Fake CVE-2026-32157 Mobile RCS Exploit

Key Takeaways

The dark web listing offering a zero-click RCS exploit under the identifier CVE-2026-32157 is a highly probable cybercrime scam targeting other threat actors.
Officially, CVE-2026-32157 is a Remote Code Execution vulnerability in the Microsoft Remote Desktop Client, bearing no relation to Android or iOS messaging protocols.
Despite the fraudulent nature of the listing, genuine zero-click RCS exploits historically abuse media parsers such as audio codecs to achieve execution.
Organizations should enforce strict mobile device management policies, including disabling automated media downloads in messaging clients, to reduce mobile exposure.

Threat Actor Profile

@Primalhacks

aka Primalhacks

Origin: Dark Web Forum / Telegram
Motivation: Financial (Cryptocurrency Scam / Fraud)
Targets: Threat operators seeking mobile zero-day exploits
TTPs: Fraudulent CVE marketingFictional mobile exploit chainsCryptocurrency payment demandsTor-based C2 infrastructure advertising

Advertised Pricing of the Fraudulent Exploit Chain

Full Exploit Package

0 USD

Weekly Trial

0 USD

Single Day Trial

0 USD

Actual CVE-2026-32157 Severity (Microsoft RDP)

A Use-After-Free Remote Code Execution vulnerability in Microsoft Remote Desktop Client.

0.0

/ 10.0 cvss

High

Vulnerability Discrepancy: Claims vs. Real-world NVD Record

Fraudulent Dark Web Claims (@Primalhacks)

Zero-click exploit chain targeting RCS protocol
Impacts Google Jibe and carrier variants
Compromises Samsung Galaxy S25 Ultra & iPhone 17 series
Claims full device persistence and root/system control

Factual NVD / MSRC Record

Vulnerability is in Microsoft Remote Desktop Client
Use-After-Free (UAF) Remote Code Execution (RCE) flaw
CVSS Score: 8.8 (High Severity)
Patched in April 2026
No technical relevance to RCS, iOS, or Android

Theoretical Mobile Attack Chain Described in Listing

1Initial Accessmedium
Crafted RCS/SMS/MMS Payload
medium
2Executioncritical
Zero-Click Parser Exploit
critical
3Privilege Escalationhigh
Multi-Stage Memory-Resident Dropper
high
4Persistencehigh
Surviving Reboots & Resets
high
5C2 Controlhigh
Tor-Accessible Hidden Service (.onion)
high

MITRE ATT&CK Mapping for Claimed RCS Implant

Initial Access

T1444

SMS/MMS Delivery

Execution

T1203

Exploitation for Client Execution

Defense Evasion

T1620

Reflective Code Loading

T1406

Obfuscated Files or Information

Credential Access

T1453

Abuse Accessibility Features

Collection

T1429

Audio Capture

T1630

Screen Capture

Impact

T1582

SMS Control

T1616

Call Control

Threat Intelligence Infrastructure Markers

domain
darkforums.su
Underground forum hosting the fraudulent listing
domain
darkforums.su
Underground forum hosting the fraudulent listing
cve
CVE-2026-32157
Actual MS RDP Client Vulnerability, falsely claimed as mobile RCS zero-click
cve
CVE-2026-32157
Actual MS RDP Client Vulnerability, falsely claimed as mobile RCS zero-click
cve
CVE-2025-54957
Legitimate Dolby Unified Decoder zero-click vulnerability
cve
CVE-2025-54957
Legitimate Dolby Unified Decoder zero-click vulnerability
cve
CVE-2024-49415
Legitimate Samsung libsaped.so RCE vulnerability
cve
CVE-2024-49415
Legitimate Samsung libsaped.so RCE vulnerability

Unmasking the Fake CVE-2026-32157 Mobile Exploit | Femto Security Threat Intelligence

Unmasking the Fake CVE-2026-32157 Mobile RCS Exploit

Unmasking the Fake CVE-2026-32157 Mobile RCS Exploit

Key Takeaways

Threat Actor Profile

Advertised Pricing of the Fraudulent Exploit Chain

Actual CVE-2026-32157 Severity (Microsoft RDP)

Vulnerability Discrepancy: Claims vs. Real-world NVD Record

Theoretical Mobile Attack Chain Described in Listing

MITRE ATT&CK Mapping for Claimed RCS Implant

Threat Intelligence Infrastructure Markers

How to Defend Against Similar Threats

Threat Intel FAQ

Could a similar threat affect your organization?