cbcvebase.
CVE-2019-1290
published 2019-09-11

CVE-2019-1290: A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote…

PriorityP356high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
11.67%
95.5th percentile
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0787, CVE-2019-0788, CVE-2019-1291.

Affected

66 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10

Detection & IOCsextracted from sources · hover to see the quote

  • Attacker must control a malicious RDP server and trick a user into connecting via social engineering, DNS poisoning, or Man-in-the-Middle (MITM) technique — monitor for unexpected outbound RDP client connections to external/untrusted hosts
  • Attacker may compromise a legitimate RDP server and host malicious code on it — monitor legitimate RDP servers for unexpected code or configuration changes
  • Exploitation assessed as 'More Likely' for both latest and older software releases — prioritize detection and patching of Windows Remote Desktop Client across all supported versions
  • ·Vulnerability is in the Windows Remote Desktop CLIENT (not the server) — exploitation requires the client to initiate a connection to a malicious server; server-side RDP exposure alone is not the attack vector here
  • ·As of advisory publication, the vulnerability had NOT been publicly disclosed or exploited in the wild, but exploitation was rated 'More Likely'

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.