cbcvebase.
CVE-2019-0788
published 2019-09-11

CVE-2019-0788: A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote…

PriorityP356high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
11.67%
95.5th percentile
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0787, CVE-2019-1290, CVE-2019-1291.

Affected

59 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability is triggered when a user connects to a malicious/attacker-controlled RDP server — monitor for outbound RDP client connections to unknown or untrusted servers
  • Attacker delivery vectors include social engineering, DNS poisoning, or Man-in-the-Middle (MITM) interception of RDP connections — monitor for DNS anomalies and unexpected RDP redirections
  • Compromised legitimate RDP servers hosting malicious code are also a vector — audit trusted RDP server integrity and watch for unexpected code execution post-connection
  • ·Exploitation assessed as 'More Likely' for both latest and older software releases — patch prioritization should be high across all supported Windows versions
  • ·The vulnerability is in the Windows Remote Desktop CLIENT (not the server) — the attack surface is client-side, meaning endpoint RDP client patching is the critical remediation path
  • ·CVE-2019-0788 is distinct from related RDP client RCE CVEs CVE-2019-0787, CVE-2019-1290, and CVE-2019-1291 — all four should be addressed together

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.