Remote Desktop Zero-Day Vulnerability

  • CERT Admin
  • Wed Jun 05 2019
  • Alerts

Systems Affected 

Latest Windows systems where remote desktop sessions use network level authentication

Threat Level



An attacker could hijack existing remote desktop service sessions in order to gain access to a computer.(CVE-2019-9510)


Advisory today from CERT|CC at the Carnegie Mellon University software engineering institute   warns that session locking can behave in an unexpected way on the latest Windows systems where remote desktop sessions use NLA.

Even if a user specifically locks a windows machine during a RDP session, if the session temporarily disconnected, automatic re-connection restores the session to an unlock state regardless of how remote desktop system was left.

Since the NLA is enabled, attacker requires physical access to such a targeted system (ex ‐ active sessions with the locked screen), this will limit the attack surface to a greater extend.


  ✦  A target user connects to a Windows 10 or Server 2019 via RDP
  ✦  User locks the remote session and leaves the client device unattended
  ✦  An attacker with the access to the client device can interrupt its network connectivity and gain access to the remote system without credentials
  ✦  Stealing sensitive and private information
  ✦  Store or install malicious software or programs

Solution/ Workarounds 

  ✻  Update the latest version of the Mozilla's Firefox on Windows, Linux and Mac.




The information provided herein is on "as is" basis, without warranty of any kind.

Last updated: Wed Jun 05 2019