CVE-2019-0887
published 2019-07-15

Priority: P2 / 63 / high
CVSS 3.1: 8 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS: 70.97% (99.3th percentile)

A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an authenticated attacker abuses clipboard redirection, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

Affected

30 ranges, showing 25

Vendor     Product                  Version range  Fixed in
microsoft  multiple
microsoft  remote_desktop_client    < 1.2.2691     1.2.2691
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_11_21h2
microsoft  windows_server_2008
microsoft  windows_server_2012
microsoft  windows_server_2016
microsoft  windows_server_2016
msrc       windows_10
msrc       windows_10_version_1607
msrc       windows_10_version_1703
msrc       windows_10_version_1709
msrc       windows_10_version_1803
msrc       windows_10_version_1809
msrc       windows_10_version_1903
msrc       windows_11
msrc       windows_7
msrc       windows_8.1
msrc       windows_rt_8.1
msrc       windows_server_2008

Detection & IOCs (extracted from sources)

filename: mstscax.dll
  • CVE-2019-0887 is exploited via clipboard redirection abuse in Remote Desktop Services; an attacker must have already compromised a system running RDP/Terminal Services and wait for a victim to connect — monitor for malicious RDP server connections combined with clipboard redirection activity.
  • Inspect mstscax.dll and the CFormatDataPacker::ValidateFilePaths function for path validation logic; exploitation targets this code path in the Windows RDP client to write files outside the intended directory via clipboard redirection.
  • The patch for CVE-2019-0887 is delivered via KB4507450 and related July 2019 cumulative updates; absence of these KBs on systems running Remote Desktop Services indicates exposure.
  • Exploitation requires the attacker to have already compromised a system running Remote Desktop Services first, then wait for a victim to connect; it is not a zero-click remote pre-auth vulnerability.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     8.0    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0     8.5    HIGH      AV:N/AC:M/Au:S/C:C/I:C/A:C
vendor_msrc           8.0    HIGH