cbcvebase.
CVE-2018-0886
published 2018-03-14

Priority: P2 (62) · Severity: high · CVSS 3.0: 7 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 82.33% (99.6th percentile)
The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates requests during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".

Affected

27 ranges · showing 25 (version range and fixed-in columns were not captured)

Vendor | Product
microsoft | windows_10 (5 ranges)
microsoft | windows_server_2008
microsoft | windows_server_2012
microsoft | windows_server_2016 (2 ranges)
microsoft_corporation | windows
msrc | windows_10
msrc | windows_10_version_1511
msrc | windows_10_version_1607
msrc | windows_10_version_1703
msrc | windows_10_version_1709
msrc | windows_10_version_1803
msrc | windows_10_version_1809
msrc | windows_10_version_1903
msrc | windows_10_version_1909
msrc | windows_7
msrc | windows_8.1
msrc | windows_rt_8.1
msrc | windows_server_2008
msrc | windows_server_2008_r2
msrc | windows_server_2012

Detection & IOCs (extracted from sources)

  • url: https://github.com/preempt/rdpy
  • url: https://github.com/preempt/credssp
  • command: python credssp/bin/gen_cmd.py -c ExportedCert -o exploitc.pem -k exploitk.pem CMD
  • command: python /usr/local/bin/rdpy-rdpcredsspmitm.py -k exploitk.pem -c exploitc.pem TargetServer
  • path: /usr/local/bin/rdpy-rdpcredsspmitm.py
  • url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44453.zip
  • Monitor for man-in-the-middle activity on RDP (TCP 3389) sessions, specifically unexpected DCE/RPC calls originating from a relay position after CredSSP authentication completes.
  • Detect execution of rdpy-rdpcredsspmitm.py or presence of the credssp PoC tooling (gen_cmd.py, exploitc.pem, exploitk.pem) on Linux hosts, which are indicators of active exploitation tooling for CVE-2018-0886.
  • Alert on ARP poisoning activity in network segments containing RDP servers, as ARP poisoning is a prerequisite attack vector enabling the CredSSP MitM relay.
  • Monitor for unexpected DCE/RPC calls to domain controllers following RDP session establishment, which may indicate credential relay from a stolen CredSSP session.
  • Detect cloning or presence of the GitHub repositories github.com/preempt/rdpy and github.com/preempt/credssp on hosts, as these are the exploit dependencies.
  • The Group Policy settings required for full CredSSP protection are disabled by default; patching alone is insufficient, and Group Policy must be explicitly enabled on both client and server to fully mitigate CVE-2018-0886.
  • Both the RDP server and all connecting clients must be patched and running the updated CredSSP protocol; a mismatch (patched server with an unpatched client, or vice versa) leaves the environment vulnerable and may also cause compatibility errors.
  • Microsoft's phased update rollout means the May 2018 update enforces CredSSP security by default; environments that only applied the March 2018 patch without enabling Group Policy remain partially exposed until the enforcement update is applied.

CVSS provenance

nvd · CVSS v3.0 · 7.0 HIGH · CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · CVSS v2.0 · 7.6 HIGH · AV:N/AC:H/Au:N/C:C/I:C/A:C
vendor (msrc) · 7.1 HIGH