Remote Desktop Protocol Remote Code Execution Vulnerability – CVE-2022-21893


Microsoft patched 97 CVEs in the January 2022 Patch Tuesday release, including nine rated as critical and 88 rated as important. Today here we are going to see the recent vulnerability on RDP which will affect the remote connections, which got patched recently. Microsoft Windows Server 2012 R2 is affected by a vulnerability in the Remote Desktop Services protocol that gives attackers to connect to a remote system via RDP which paves a way to gain file system access on the machines of other connected users.


CVE: CVE-2022-21893

Name: Remote Desktop Protocol Remote Code Execution Vulnerability

Affected resource: Microsoft Windows Server 2012 R2

The vulnerability was patched this week in Microsoft’s set of security updates for January 2022.

Where Microsoft RDP is used?

In organizations, mostly IT help desks and support services use RDP for a variety of purposes. Users can access and control windows systems from remote clients even if they are working locally with help of Microsoft RDP.

How the information is viewed via RDP:

  • A single RDP connection can be divided into several virtual channels.
  • A Windows service called “named pipes” is used to transfer data from these channels to other processes.
  • On a Windows machine, named pipes are a way for two processes to communicate with each other. Named pipes are used by Windows Remote Desktop Services to transfer data between the client and remote system, such as data in clipboards and smart-card authentication data.
  • This vulnerability lets user to create a named pipe server instance in such a manner that certain data traveling between the remote and client system essentially flows through their maliciously created pipes.
  • Attacker can make use of this vulnerability to perform man-in-the-middle attack to intercept data such as that in clipboards of the client devices connected to the remote system, or smart-card PINs that a user might enter for authenticating to the client device.
  • After successfully exploiting the flaw, attackers will be able to access and modify information on the clipboard, as well as spoof the identities of various users logged into the machine in order to escalate privileges.


  • Any unprivileged user connected to a remote machine via RDS might take advantage of the flaw to intercept, access, and modify data from other users’ sessions on the same remote machine.
  • This could be leveraged for getting access to the file systems of other users’ client machines and using other users’ smart cards and PIN numbers to authenticate, effectively impersonating the victim’s identity. This, in turn, may result in privilege escalation.

Initial foothold via RDP:

  • RDP is used to gain initial foothold for most of the attacks. In order to hack into a network, threat actors only needed to look for machines that have RDP services exposed to the Internet. Over the years, initial access brokers have compiled a vast list of servers with exposed RDP services that they have made available for a fee to ransomware operators and other threat organizations.
  • BlueKeep (CVE-2019-0708), a severe remote code execution vulnerability in RDP uncovered by researchers in 2019, is one example. Multiple legacy versions of Windows, including Windows XP, Windows 7, and Windows Server 2008, were affected by the bug. Another example is Check Point’s disclosure of a so-called reverse RDP issue (CVE-2019-0887) at Black Hat USA 2019.

Few examples to enter into the system:

  • Multiple client devices may be connected to a remote system. Users connect to a jump box to gain access to an internal network.
  • Another example would be a session-based desktop environment, in which multiple users connect to the same machine and run applications.
  • Using simple social engineering techniques to persuade high-privilege users to log in to a system that the attacker already has access to, such as another server or a personal workstation.

The updates included patches for the below:

  • .NET Framework
  • Microsoft Dynamics
  • Microsoft Edge (Chromium-based)
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft Teams
  • Microsoft Windows Codecs Library
  • Open Source Software
  • Windows Hyper-V
  • Tablet Windows User Interface
  • Windows Account Control
  • Windows Active Directory
  • Windows AppContracts API Server
  • Windows Application Model
  • Windows BackupKey Remote Protocol
  • Windows Bind Filter Driver
  • Windows Certificates
  • Windows Cleanup Manager
  • Windows Clipboard User Service
  • Windows Cluster Port Driver
  • Windows Common Log File System Driver
  • Windows Connected Devices Platform Service
  • Windows Cryptographic Services
  • Windows Defender
  • Windows Devices Human Interface
  • Windows Diagnostic Hub
  • Windows DirectX
  • Windows DWM Core Library
  • Windows Event Tracing
  • Windows Geolocation Service
  • Windows HTTP Protocol Stack
  • Windows IKE Extension
  • Windows Installer    
  • Windows Kerberos
  • Windows Kernel
  • Windows Libarchive
  • Windows Local Security Authority
  • Windows Local Security Authority Subsystem Service
  • Windows Modern Execution Server
  • Windows Push Notifications
  • Windows RDP
  • Windows Remote Access Connection Manager
  • Windows Remote Desktop
  • Windows Remote Procedure Call Runtime
  • Windows Resilient File System (ReFS)
  • Windows Secure Boot
  • Windows Security Center
  • Windows StateRepository API
  • Windows Storage
  • Windows Storage Spaces Controller
  • Windows System Launcher
  • Windows Task Flow Data Engine
  • Windows Tile Data Repository
  • Windows UEFI
  • Windows UI Immersive Server
  • Windows User Profile Service
  • Windows User-mode Driver Framework
  • Windows Virtual Machine IDE Drive
  • Windows Win32K
  • Windows Workstation Service Remote Protocol

Microsoft security update page

Happy Patching

Previous articleWhispergate Malware – Destructive Malware Targeting Ukrainian Organizations
Next articleWhat is a WAF? | Web Application Firewall Explained
Anusthika Jeyashankar
Ambitious Blue Teamer; Enthused Security Analyst


Please enter your comment!
Please enter your name here