Categories: Computer SecurityCyber Security News

New RDP Zero-Day Bug Let Hackers to Bypass the Windows Lock Screen on Remote Desktop Sessions

RDP Zero-Day Bug Let Hackers to Bypass the Windows Lock screen on Remote Desktop SessionsRDP Zero-Day Bug Let Hackers to Bypass the Windows Lock screen on Remote Desktop Sessions

A new Zero-day vulnerability in Microsoft Windows Remote Desktop protocol let attackers hijack the lock screen on remote desktop sessions.

Security researcher Joe Tammariello of Carnegie Mellon University discovered a Zero-day vulnerability in Microsoft Windows Remote Desktop that handles client authentication through NLA.

Network Level Authentication (NLA) is an authentication method used to enhance RD Session Host server security, by authenticating the user before establishing the RD connection and the Windows lock screen appears.

Microsoft recommended enabling NLA to defend against the critical BlueKeep RDP vulnerability(CVE-2019-0708).

The vulnerability affects Windows versions Windows 10 1803 and Windows Server 2019; it can be tracked as CVE-2019-9510 and assigned CVE score of 4.6.

“If a network anomaly triggers a temporary RDP disconnect, upon automatic reconnection the RDP session will be restored to an unlocked state, regardless of how the remote system was left,” explained Will Dormann.

Attack Scenario

1. The user connects to remote Windows 10 1803 or Server 2019 or newer system using RDP.
2. User locks remote desktop session.
3. User leaves the connected system used as an RDP client unattended.

In this case, an attacker could interrupt the network connectivity of the RDP client system, which let hackers gain access to the targeted system without requiring any credentials.

“Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, are also bypassed using this mechanism.”

Mitigations

  • Users are recommended to lock the local computers instead of the remote computer.
  • RDP sessions should be disconnected rather than locked

Tammariello reported the vulnerability to Microsoft, but the tech giant said: “behavior does not meet the Microsoft Security Servicing Criteria for Windows.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep yourself updated.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Leave a Comment
Share
Published by
Gurubaran
Tags: computer securityRDPWindows Lock Screen
6 years ago

Recent Posts

Hackers Weaponize Google Forms to Bypass Email Security and Steal Login Credentials

Threat actors are increasingly leveraging Google Forms, the tech giant’s widely-used form and quiz-building tool,…

24 minutes ago

Lattica Emerges from Stealth to Solve AI’s Biggest Privacy Challenge with FHE

Lattica, an FHE-based platform enabling secure and private use of AI in the cloud, has…

43 minutes ago

FireEye EDR Vulnerability Allows Attackers to Execute Unauthorized Code

A critical vulnerability (CVE-2025-0618) in FireEye’s Endpoint Detection and Response (EDR) agent has been disclosed,…

50 minutes ago

New Malware Hijacks Docker Images Using Unique Obfuscation Technique

A recently uncovered malware campaign targeting Docker, one of the most frequently attacked services according…

2 hours ago

Critical Browser Wallet Vulnerabilities Enable Unauthorized Fund Transfers

Researchers have disclosed a series of alarming vulnerabilities in popular browser-based cryptocurrency wallets that could…

2 hours ago

APT34 Hackers Use Port 8080 for Fake 404 Responses and Shared SSH Keys

Researchers have uncovered early indicators of malicious infrastructure linked to APT34, also known as OilRig,…

3 hours ago