cbcvebase.
CVE-2019-1224
published 2019-08-14

Priority P182 high · 7.5 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 7.60% (93.8th percentile)
An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the system. To exploit this vulnerability, an attacker would have to connect remotely to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows RDP server initializes memory.

Affected

28 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | | |
| microsoft | windows_10 | | |
| microsoft | windows_10 | | |
| microsoft | windows_10_version_1803 | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1809 | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1903_for_32-bit_systems | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1903_for_arm64-based_systems | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1903_for_x64-based_systems | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1909 | >= 10.0.0 < publication | publication |
| microsoft | windows_server_2016 | | |
| microsoft | windows_server_2016 | | |
| microsoft | windows_server_2019 | >= 10.0.0 < publication | publication |
| msrc | windows_10_version_1803_for_32-bit_systems | | |
| msrc | windows_10_version_1803_for_arm64-based_systems | | |
| msrc | windows_10_version_1803_for_x64-based_systems | | |
| msrc | windows_10_version_1809_for_32-bit_systems | | |
| msrc | windows_10_version_1809_for_arm64-based_systems | | |
| msrc | windows_10_version_1809_for_x64-based_systems | | |
| msrc | windows_10_version_1903_for_32-bit_systems | | |
| msrc | windows_10_version_1903_for_arm64-based_systems | | |
| msrc | windows_10_version_1903_for_x64-based_systems | | |
| msrc | windows_10_version_1909_for_32-bit_systems | | |
| msrc | windows_10_version_1909_for_arm64-based_systems | | |
| msrc | windows_10_version_1909_for_x64-based_systems | | |
| msrc | windows_server_2019 | | |

Detection & IOCs (extracted from sources)

Port: TCP/3389
  • Monitor for unauthenticated or anomalous RDP connections to TCP/3389, particularly from external sources, which may indicate exploitation attempts against the Windows RDP server memory disclosure vulnerability.
  • Enable Network Level Authentication (NLA) and alert on RDP authentication attempts that bypass NLA, as NLA requires valid credentials before the vulnerable RDP server memory handling is reached.
  • The disclosed information type is uninitialized memory — look for RDP sessions followed by rapid lateral movement or privilege escalation, consistent with using leaked memory contents to further compromise the system.
  • Exploitation is rated 'More Likely' for both latest and older software releases despite no known public exploit at time of advisory; patch priority should be treated as high.
  • Blocking TCP/3389 at the perimeter does not protect against attacks originating from inside the enterprise network.

CVSS provenance

nvd · v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck · 7.5 · HIGH
vendor_msrc · 7.5 · HIGH