cbcvebase.
CVE-2019-0787
published 2019-09-11

CVE-2019-0787: A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote…

PriorityP356high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
11.72%
95.5th percentile
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0788, CVE-2019-1290, CVE-2019-1291.

Affected

60 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability is triggered when a user connects to a malicious RDP server — monitor for outbound RDP connections to untrusted/external hosts, especially those initiated via social engineering, DNS poisoning, or MITM techniques.
  • Attacker may compromise a legitimate RDP server and host malicious code on it — monitor for unexpected code execution or new account creation on RDP client machines following RDP sessions.
  • Post-exploitation indicators include program installation, data modification/deletion, and new account creation with full user rights on the connecting client machine.
  • ·Exploitation likelihood is rated 'More Likely' for both latest and older software releases, but as of advisory publication the vulnerability had NOT been publicly disclosed or exploited in the wild.
  • ·The flaw resides in the Windows Remote Desktop CLIENT (not the server) — detection focus should be on client-side behavior and outbound RDP connections, not inbound.
  • ·This CVE is distinct from three related RDP client RCE vulnerabilities and should be tracked separately in detection rules.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.