cbcvebase.
CVE-2019-1225
published 2019-08-14


Priority: P182 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 9.50% (94.8th percentile)
An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the system. To exploit this vulnerability, an attacker would have to connect remotely to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows RDP server initializes memory.

Affected

29 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| google | chrome_chrome | | |
| microsoft | windows_10 | | |
| microsoft | windows_10 | | |
| microsoft | windows_10 | | |
| microsoft | windows_10_version_1803 | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1809 | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1903_for_32-bit_systems | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1903_for_arm64-based_systems | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1903_for_x64-based_systems | >= 10.0.0 < publication | publication |
| microsoft | windows_10_version_1909 | >= 10.0.0 < publication | publication |
| microsoft | windows_server_2016 | | |
| microsoft | windows_server_2016 | | |
| microsoft | windows_server_2019 | >= 10.0.0 < publication | publication |
| msrc | windows_10_version_1803_for_32-bit_systems | | |
| msrc | windows_10_version_1803_for_arm64-based_systems | | |
| msrc | windows_10_version_1803_for_x64-based_systems | | |
| msrc | windows_10_version_1809_for_32-bit_systems | | |
| msrc | windows_10_version_1809_for_arm64-based_systems | | |
| msrc | windows_10_version_1809_for_x64-based_systems | | |
| msrc | windows_10_version_1903_for_32-bit_systems | | |
| msrc | windows_10_version_1903_for_arm64-based_systems | | |
| msrc | windows_10_version_1903_for_x64-based_systems | | |
| msrc | windows_10_version_1909_for_32-bit_systems | | |
| msrc | windows_10_version_1909_for_arm64-based_systems | | |
| msrc | windows_10_version_1909_for_x64-based_systems | | |

Detection & IOCs (extracted from sources)

Port: TCP/3389
  • Monitor for unauthenticated or anomalous RDP connections to TCP/3389, particularly from external sources, which may indicate exploitation attempts against the Windows RDP server memory disclosure vulnerability.
  • Enable Network Level Authentication (NLA) and alert on RDP authentication attempts that bypass NLA, as NLA requires valid credentials before the vulnerable RDP server memory handling is reached.
  • Flag systems where Remote Desktop Services are enabled and unpatched (missing KB4512501, KB4511553, or KB4540673) as high-priority targets for exploitation, given the 'Exploitation More Likely' rating for both latest and older software releases.
  • The vulnerability is triggered by a specially crafted application run over a remote RDP connection; exploitation requires network access to TCP/3389 on the target. Blocking this port at the enterprise perimeter is the primary network-level mitigation.
  • The disclosed information is specifically uninitialized memory contents from the Windows RDP server, which could be leveraged to further compromise the system (e.g., bypass ASLR or leak sensitive data).
  • No public exploit or active in-the-wild exploitation was confirmed at time of disclosure, but Microsoft rated exploitation as 'More Likely' for both current and older software releases.

CVSS provenance

nvd · v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck · 7.5 · HIGH
vendor_msrc · 7.5 · HIGH