cbcvebase.
CVE-2019-1291
published 2019-09-11

CVE-2019-1291: A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote…

PriorityP356high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
11.67%
95.5th percentile
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0787, CVE-2019-0788, CVE-2019-1290.

Affected

66 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability is triggered when a user connects to a malicious RDP server — monitor for outbound RDP connections to untrusted/external hosts, especially those initiated via social engineering, DNS poisoning, or MITM scenarios.
  • Monitor for exploitation of the Windows Remote Desktop Client (not the server) — the vulnerable component is the RDP client handling of connection requests from a server, so detection should focus on client-side RDP process behavior.
  • Post-exploitation activity to watch for includes new account creation with full user rights, program installation, and data modification/deletion following an RDP client session to an untrusted server.
  • ·No public exploit exists at time of advisory publication; however, Microsoft rates exploitation as 'More Likely' for both latest and older software releases — prioritize patching accordingly.
  • ·An attacker may also compromise a legitimate, trusted RDP server and plant malicious code there — perimeter-only blocking of unknown RDP servers is insufficient; trusted servers must also be considered a risk vector.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.