CVE-2018-0886
Published 2018-03-14
Priority P2 · 62 · high · 7 (CVSS 3.0)
Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 82.33% (99.6th percentile)
The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates requests during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".
Affected
27 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft_corporation | windows | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_10_version_1709 | — | — |
| msrc | windows_10_version_1803 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_1903 | — | — |
| msrc | windows_10_version_1909 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for man-in-the-middle activity on RDP (TCP 3389) sessions, specifically unexpected DCE/RPC calls originating from a relay position after CredSSP authentication completes.
- Detect execution of rdpy-rdpcredsspmitm.py or presence of the credssp PoC tooling (gen_cmd.py, exploitc.pem, exploitk.pem) on Linux hosts, which are indicators of active exploitation tooling for CVE-2018-0886.
- Alert on ARP poisoning activity in network segments containing RDP servers, as ARP poisoning is a prerequisite attack vector enabling the CredSSP MitM relay.
- Monitor for unexpected DCE/RPC calls to domain controllers following RDP session establishment, which may indicate credential relay from a stolen CredSSP session.
- Detect cloning or presence of the GitHub repositories github.com/preempt/rdpy and github.com/preempt/credssp on hosts, as these are the exploit dependencies.
- The Group Policy settings required for full CredSSP protection are disabled by default; patching alone is insufficient. Group Policy must be explicitly enabled on both client and server to fully mitigate CVE-2018-0886.
- Both the RDP server and all connecting clients must be patched and running the updated CredSSP protocol; a mismatch (patched server, unpatched client or vice versa) leaves the environment vulnerable and may also cause compatibility errors.
- Microsoft's phased update rollout means the May 2018 update enforces CredSSP security by default; environments that only applied the March 2018 patch without enabling Group Policy remain partially exposed until the enforcement update is applied.
CVSS provenance
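| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.0 | HIGH | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| vendor_msrc | — | 7.1 | HIGH | — |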
CISA ICS
PEPPERL+FUCHS VisuNet RM, VisuNet PC, and Box Thin Client
cisa_ics·2018-07-17·CVSS 7.0
ICS Advisory
Last Revised: July 17, 2018
Alert Code: ICSA-18-198-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- Vendor: PEPPERL+FUCHS
- Equipment: VisuNet RM, VisuNet PC, Box Thin Client (BTC)
- Vulnerability: Improper Authentication
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow attackers to intercept sensitive communications, establish a man-in-the-middle attack, achieve administrator privileges, and execute remote code.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following PEPPERL+FUCHS pro
Microsoft
CredSSP Remote Code Execution Vulnerability
vendor_msrc·2018-03-13·CVSS 7.1
CVE-2018-0886 [HIGH] CredSSP Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system.
CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack.
As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view,
GHSA
GHSA-hrh9-4g5w-7q9j: The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
ghsa_unreviewed·2022-05-14
CVE-2018-0886 [HIGH] CWE-287 GHSA-hrh9-4g5w-7q9j: The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates requests during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".
No detection rules found.
Trendmicro
March Patch Tuesday Fixes 75 Security Issues
blogs_trendmicro·2018-03-14·CVSS 7.0
[HIGH] March Patch Tuesday Fixes 75 Security Issues
Exploits & Vulnerabilities
## March Patch Tuesday Fixes 75 Security Issues
Microsoft’s Patch Tuesday has fixes for 75 security issues and a change of tack in its patch deployment process for Windows 10. Of the vulnerabilities patched, 14 were rated as Critical and 61 Important.
By: Trend Micro, Mar 14, 2018
Microsoft’s Patch Tuesday for March is an eventful one, with updates that comprise fixes for 75 security issues and a change of tack in its patch deployment process for Windows 10. Of the vulnerabilities Microsoft patched for this month, 14 were rated as Critical and 61 Important. Six of these were disclosed through Trend Micro’s Zero Day Initiative: CVE-2018-0815, CVE-2018-0816, CVE-2018-0878, CVE-2018-0889, CVE-2018-0929, and CVE-2018-0977.
Qualys
March 2018 Patch Tuesday – 75 Microsoft Vulnerabilities, 7 for Adobe
blogs_qualys·2018-03-13·CVSS 7.5
[HIGH] March 2018 Patch Tuesday – 75 Microsoft Vulnerabilities, 7 for Adobe
Today’s Patch Tuesday covers a lot of vulnerabilities, but in terms of critical updates, it is still light. Out of the 75 vulnerabilities covered, only 15 are marked as critical. Adobe has released patches as well, covering 7 vulnerabilities.
All of the critical vulnerabilities from Microsoft are in browsers and browser-related technologies. It is recommended that these be prioritized for workstation-type devices. Any system that accesses the Internet via a browser should be patched.
## CredSSP
Out of the remaining “Important” vulnerabilities, one stands out. CVE-2018-0886 is a vulnerability in CredSSP, which is used to process authentication requests. While CredSSP is used for other applications, the attack scenario mentioned by Microsoft involves Remote Desktop. The update covers both
Talos
Microsoft Patch Tuesday - March 2018
blogs_talos·2018-03-13·CVSS 7.5
[HIGH] Microsoft Patch Tuesday - March 2018
### Microsoft Patch Tuesday - March 2018
Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 74 new vulnerabilities, with 14 of them rated critical and 59 of them rated important. These vulnerabilities impact Internet Explorer, Edge, Exchange, Scripting Engine, Windows Shell and more.
#### Critical Vulnerabilities
This month, Microsoft is addressing 14 vulnerabilities that are rated as critical.
The vulnerabilities rated as critical are listed below:
CVE-2018-0872 - Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-0874 - Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-0876 - Scripting Engine Memory Corruption Vulnerabi
Crowdstrike
Security Advisory: Critical Vulnerability in CredSSP Allows Remote Execution
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Security Advisory: Critical Vulnerability in CredSSP Allows Remote Execution
- http://www.securityfocus.com/bid/103265
- http://www.securitytracker.com/id/1040506
- https://blog.preempt.com/security-advisory-credssp
- https://github.com/preempt/credssp
- https://ics-cert.us-cert.gov/advisories/ICSA-18-198-03
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0886
- https://www.exploit-db.com/exploits/44453/