CVE-2019-1290
Published: 2019-09-11
Priority: P3 56 · high · 8.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 11.67% (95.5th percentile)
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0787, CVE-2019-0788, CVE-2019-1291.
Affected
66 ranges listed by the source (25 shown); no version ranges or fixed-in versions are given, so the distinct entries reduce to:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows_10 | — | — |
Detection & IOCs (extracted from sources)
- The attacker must control a malicious RDP server and trick a user into connecting to it via social engineering, DNS poisoning, or a Man-in-the-Middle (MITM) technique; monitor for unexpected outbound RDP client connections to external or untrusted hosts.
- The attacker may instead compromise a legitimate RDP server and host the malicious code there; monitor legitimate RDP servers for unexpected code or configuration changes.
- Exploitation was assessed as 'More Likely' for both the latest and older software releases; prioritize detection and patching of the Windows Remote Desktop Client across all supported versions.
- The vulnerability is in the Windows Remote Desktop CLIENT, not the server. Exploitation requires the client to initiate a connection to a malicious server, so server-side RDP exposure alone is not the attack vector here.
- As of advisory publication the vulnerability had not been publicly disclosed or exploited in the wild, but exploitation was rated 'More Likely'.
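The first two bullets reduce to one concrete detection: the vulnerable side is the client, so the signal is an RDP client initiating a connection to a host it should not be talking to. The script below is an added example, not code from the advisory or any vendor source. It assumes events have been exported from the Windows log Microsoft-Windows-TerminalServices-RDPClient/Operational as one text line per event in the form "<timestamp> <event_id> <message>", with message texts mirroring event 1024 ("RDP ClientActiveX is trying to connect to the server (<host>)") and event 1102 ("The client has initiated a multi-transport connection to the server <ip>"). The sample lines, the private-range allowlist and the ".corp.example" DNS suffix are constructed for the example; replace them with your own jump hosts and address plan.

```python
"""Flag outbound RDP client connections to targets outside an allowlist.

Added example (not from the advisory). Assumes a text export of the
TerminalServices-RDPClient/Operational log, one event per line:
    <timestamp> <event_id> <message>
Event 1024 names the target host, event 1102 names the resolved IP.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample export (assumed layout, see module docstring).
SAMPLE_LOG = """\
2019-09-12T09:01:14 1024 RDP ClientActiveX is trying to connect to the server (ts01.corp.example)
2019-09-12T09:01:15 1102 The client has initiated a multi-transport connection to the server 10.20.30.40
2019-09-12T11:42:03 1024 RDP ClientActiveX is trying to connect to the server (support-portal.example.net)
2019-09-12T11:42:04 1102 The client has initiated a multi-transport connection to the server 203.0.113.55
2019-09-12T12:00:00 1024 RDP ClientActiveX is trying to connect to the server (10.20.30.41)
"""

# Allowlist: RFC 1918 ranges plus an internal DNS suffix. Assumed values for the example.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_SUFFIXES = (".corp.example",)

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<id>\d+)\s+(?P<msg>.*)$")
# Per-event-ID extractors for the connection target.
TARGET_RE = {
    "1024": re.compile(r"connect to the server \((?P<target>[^)]+)\)"),
    "1102": re.compile(r"connection to the server (?P<target>\S+)$"),
}


@dataclass
class Finding:
    timestamp: str
    event_id: str
    target: str


def is_allowed(target: str) -> bool:
    """True if target is an IP inside an allowed range or a host under an allowed suffix."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:  # not an IP literal: treat as a hostname
        return target.lower().endswith(ALLOWED_SUFFIXES)
    return any(addr in net for net in ALLOWED_NETWORKS)


def find_untrusted_rdp_targets(log_text: str) -> list[Finding]:
    """Return every client connection attempt whose target is outside the allowlist."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not an event line
        target_re = TARGET_RE.get(m["id"])
        if target_re is None:
            continue  # event ID we do not care about
        tm = target_re.search(m["msg"])
        if tm is None:
            continue
        # Real 1102 messages end with a full stop; strip it so "10.1.2.3." parses as an IP.
        target = tm["target"].rstrip(".")
        if not is_allowed(target):
            findings.append(Finding(m["ts"], m["id"], target))
    return findings


if __name__ == "__main__":
    for f in find_untrusted_rdp_targets(SAMPLE_LOG):
        print(f"{f.timestamp} event {f.event_id}: RDP client connected to untrusted target {f.target}")
```

A hit on event 1024 tells you what the user typed or clicked (the hostname the attacker lured them with); the matching 1102 tells you where it actually resolved, which is what distinguishes a DNS-poisoned internal name from a genuinely external target. Both appear in the sample, so the script reports the lure name and the public IP separately.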
CVSS provenance
- NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- NVD v2.0: 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
- Vendor (MSRC): 7.5 HIGH
GHSA
GHSA-3mc8-g687-m3cf (CVE-2019-0788) [HIGH]
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0787, CVE-2019-1290, CVE-2019-1291.
GHSA
GHSA-57q3-7fwg-5h3g (CVE-2019-1290) [HIGH]
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0787, CVE-2019-0788, CVE-2019-1291.
GHSA
GHSA-jgwx-vv8h-22r9 (CVE-2019-1291) [HIGH]
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0787, CVE-2019-0788, CVE-2019-1290.
GHSA
GHSA-r5xj-829m-j295 (CVE-2019-0787) [HIGH]
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0788, CVE-2019-1290, CVE-2019-1291.
Microsoft
CVE-2019-1290 [HIGH] Remote Desktop Client Remote Code Execution Vulnerability
vendor_msrc · 2019-09-10 · CVSS 7.5
Description: A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server, they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker
No detection rules found.
No public exploits indexed.
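The advisory's precondition is that the user connects to a server the attacker controls, reached by social engineering, DNS poisoning or MITM. A practical check on the client side is whether saved connection files let mstsc proceed when it cannot verify the server's identity: with "authentication level" set to 2 the client refuses a server that fails authentication, which blocks the DNS-poisoning and MITM routes (it does nothing against a legitimately named server that has itself been compromised). The auditor below is an added example, not code from Microsoft or the advisory. It assumes the .rdp text format of "key:type:value" lines and the documented meaning of "authentication level" (0 = connect and do not warn, 1 = warn, 2 = do not connect if server authentication fails); what the client does when the key is absent depends on the client build, so the script flags that case for review rather than guessing. The sample file contents are constructed.

```python
"""Audit saved .rdp files for server-authentication settings that let the
client connect to an unverified server.

Added example (not from the advisory). Assumes the .rdp line format
"<key>:<i|s|b>:<value>" and the meaning of "authentication level":
    0 = connect and do not warn, 1 = warn, 2 = do not connect on failure.
"""
import re
from pathlib import Path

# Constructed sample files (real .rdp files carry many more keys).
SAMPLE_RDP_FILES = {
    "jump-host.rdp": "full address:s:ts01.corp.example\nauthentication level:i:2\n",
    "legacy-app.rdp": "full address:s:app-legacy.corp.example\nauthentication level:i:0\n",
    "vendor.rdp": "full address:s:203.0.113.55\n",
}

KEY_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[isb]):(?P<value>.*)$")


def parse_rdp(text: str) -> dict[str, str]:
    """Parse .rdp key:type:value lines into a dict keyed by lower-cased setting name."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            settings[m["key"].strip().lower()] = m["value"].strip()
    return settings


def audit_rdp(text: str) -> list[str]:
    """Return the issues found in one .rdp file (empty list means none)."""
    s = parse_rdp(text)
    target = s.get("full address", "<no full address>")
    issues: list[str] = []
    level = s.get("authentication level")
    if level is None:
        # Assumed: absent key means the client's own default applies; review it.
        issues.append(f"authentication level not set for {target}; client default applies, review")
    elif level != "2":
        issues.append(f"authentication level {level} for {target}: client connects even if server authentication fails")
    return issues


def audit_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Audit a name -> contents mapping; return only the files with issues."""
    return {name: issues for name, text in files.items() if (issues := audit_rdp(text))}


def audit_directory(directory: str) -> dict[str, list[str]]:
    """Audit every *.rdp file under a directory (e.g. a user's Documents folder)."""
    files = {p.name: p.read_text(encoding="utf-8", errors="replace") for p in Path(directory).rglob("*.rdp")}
    return audit_files(files)


if __name__ == "__main__":
    for name, issues in audit_files(SAMPLE_RDP_FILES).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

Run audit_directory over users' Documents folders (where mstsc stores Default.rdp and saved connections) to find files that pre-date a hardened baseline; the .rdp files produced by Remote Desktop Gateway or RemoteApp deployments should be checked the same way.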
Trend Micro
[HIGH] September Patch Tuesday: RDP Vulns and Zero-Days
blogs_trendmicro · 2019-09-11 · CVSS 8.8
Exploits & Vulnerabilities
# September Patch Tuesday: RDP Vulns and Zero-Days
Microsoft’s September Patch Tuesday covered a total of 80 CVEs, 17 of which were rated critical.
By: Trend Micro, 2019/09/11
Microsoft’s September Patch Tuesday covered 80 CVEs, 17 of which were rated critical, and included patches for Azure DevOps Server, Chakra Scripting engine, and Microsoft SharePoint. Sixty-two were labeled as important and included patches for Microsoft Excel, Microsoft Edge, and Microsoft Exchange. Only one was rated as moderate.
### Remote desktop vulnerabilities
Continuing the trend from last month, several of the critical patches were for Remote Desktop Clients and are CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291 — all Remote Code Execution (RCE) vulnera
Tenable
Microsoft's September 2019 Patch Tuesday: Tenable Roundup
blogs_tenable · 2019-09-10
Qualys
[HIGH] September 2019 Patch Tuesday – 79 Vulns, 17 Critical, Remote Desktop Client, SharePoint, Exploited PrivEsc
blogs_qualys · 2019-09-10 · CVSS 8.8
This month’s Microsoft Patch Tuesday addresses 79 vulnerabilities with 17 of them labeled as Critical. Of the 17 Critical vulns, 8 are for scripting engines and browsers, 4 are for the Remote Desktop Client, and 3 are for SharePoint. In addition, Microsoft has again patched a critical vulnerability in LNK files, along with a vuln in Azure DevOps / TFS. Adobe has also released patches for Flash and Application Manager.
Update: Following Patch Tuesday, Microsoft updated the entries for CVE-2019-1214 and CVE-2019-1215 to remove the “exploited” label.
## Workstation Patches
Scripting Engine, Browser, and LNK patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are