CVE-2019-0887
Published: 2019-07-15
Priority: P2 · 63 · high · 8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:R / S:U / C:H / I:H / A:H
EPSS: 70.97% (99.3th percentile)
A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an authenticated attacker abuses clipboard redirection, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
Affected
30 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | multiple | — | — |
| microsoft | remote_desktop_client | < 1.2.2691 | 1.2.2691 |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_11_21h2 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_10_version_1709 | — | — |
| msrc | windows_10_version_1803 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_1903 | — | — |
| msrc | windows_11 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
Detection & IOCs
- CVE-2019-0887 is exploited via clipboard redirection abuse in Remote Desktop Services; an attacker must have already compromised a system running RDP/Terminal Services and wait for a victim to connect. Monitor for malicious RDP server connections combined with clipboard redirection activity.
- Inspect mstscax.dll and the CFormatDataPacker::ValidateFilePaths function for path validation logic; exploitation targets this code path in the Windows RDP client to write files outside the intended directory via clipboard redirection.
- The patch for CVE-2019-0887 is delivered via KB4507450 and related July 2019 cumulative updates; absence of these KBs on systems running Remote Desktop Services indicates exposure.
- Exploitation requires the attacker to have already compromised a system running Remote Desktop Services first, then wait for a victim to connect; it is not a zero-click remote pre-auth vulnerability.
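CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.0 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 8.5 | HIGH | AV:N/AC:M/Au:S/C:C/I:C/A:C |
| vendor_msrc | — | 8.0 | HIGH | — |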
GHSA
ghsa_unreviewed·2022-05-24
CVE-2019-0887 [HIGH] CWE-22 GHSA-v82h-xf3f-qj32: A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an authenticated attacker abuses
Microsoft
Remote Desktop Services Remote Code Execution Vulnerability
vendor_msrc·2019-07-09·CVSS 8.0
CVE-2019-0887 [HIGH] Remote Desktop Services Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker must already have compromised a system running Remote Desktop Services, and then wait for a victim system to connect to Remote Desktop Services.
The update addresses the vulnerability by correcting how Remote Desktop Services handles clipboard redirection.
Microsoft Windows: Microso
No detection rules found.
No public exploits indexed.
Checkpoint
Reverse RDP – The Path Not Taken
blogs_checkpoint·2020-05-14
CVE-2019-0887 Reverse RDP – The Path Not Taken
## Reverse RDP – The Path Not Taken
Research by: Eyal Itkin
## Overview
During 2019, we published our research on the Reverse RDP Attack: Part 1 and Part 2 . In those blog posts, we descr
Checkpoint
Reverse RDP Attack: The Hyper-V Connection
blogs_checkpoint·2019-08-07·CVSS 8.0
CVE-2019-0887 [HIGH] Reverse RDP Attack: The Hyper-V Connection
## Reverse RDP Attack: The Hyper-V Connection
Research by: Eyal Itkin
## Overview
Earlier this year, we published our research on the Reverse RDP Attack . In our previous blog post , we d
Krebs
Patch Tuesday Lowdown, July 2019 Edition
blogs_krebs·2019-07-13·CVSS 9.8
CVE-2019-0785 [CRITICAL] Patch Tuesday Lowdown, July 2019 Edition
Microsoft today released software updates to plug almost 80 security holes in its Windows operating systems and related software. Among them are fixes for two zero-day flaws that are actively being exploited in the wild, and patches to quash four other bugs that were publicly detailed prior to today, potentially giving attackers a head start in working out how to use them for nefarious purposes.
The DHCP weakness (CVE-2019-0785) exists in most supported versions of Windows server, from Windows Server 2012 through Server 2019.
Microsoft said an unauthenticated attacker could use the DHCP flaw to seize total, remote control over vulnerable systems simply by sending a specially crafted data packet to a Windows computer. For those keeping count, this is the fifth time this year that Redmond
Tenable
Microsoft’s July 2019 Patch Tuesday: What You Need to Know
blogs_tenable·2019-07-09
Microsoft’s July 2019 Patch Tuesday: What You Need to Know
Krebs
Patch Tuesday Lowdown, July 2019 Edition
blogs_krebs·2019-07-09·CVSS 9.8
[CRITICAL] Patch Tuesday Lowdown, July 2019 Edition
Zero-days and publicly disclosed flaws aside for the moment, probably the single most severe vulnerability addressed in this month’s patch batch (at least for enterprises) once again resides in the component of Windows responsible for automatically assigning Internet addresses to host computers — a function called the “Windows DHCP server.”
The DHCP weakness (CVE-2019-0785) exists in most sup
Checkpoint
Reverse RDP Attack: Code Execution on RDP Clients
blogs_checkpoint·2019-02-05·CVSS 8.0
CVE-2019-0887 [HIGH] Reverse RDP Attack: Code Execution on RDP Clients
## Reverse RDP Attack: Code Execution on RDP Clients
Research by: Eyal Itkin
## Overview
Used by thousands of IT professionals and security researchers worldwide, the Remote Desktop Protocol (R
- http://www.securityfocus.com/bid/108964
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0887
- https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/
- https://research.checkpoint.com/reverse-rdp-the-hyper-v-connection/
Published: 2019-07-15