Digital Event Horizon
Microsoft's Remote Desktop Protocol (RDP) can be exploited by hackers to gain persistent access to user devices using revoked passwords, despite Microsoft's claim that the behavior is not a bug but a design decision. Millions of users are at risk due to the lack of clear guidance on how to address this issue.
Millions of users are at risk due to a persistent backdoor in Microsoft's Remote Desktop Protocol (RDP) that allows logins with revoked passwords. The vulnerability, discovered by Daniel Wade in May 2023, can be exploited even after a user's password has been changed, because RDP still accepts the old one. Credential caching on the hard drive of local machines enables the backdoor, allowing attackers to gain remote access using a revoked password. Microsoft claims this behavior is not a bug but a design decision and will not change its current design due to compatibility concerns. The lack of clear guidance from Microsoft on how to address this issue has left users vulnerable to potential attacks.
Microsoft's Remote Desktop Protocol (RDP) has been found to be vulnerable to a persistent backdoor that allows users to log in to their devices using revoked passwords. This security flaw, which Microsoft claims is not a bug but a design decision, can leave millions of users at risk.
In May 2023, independent security researcher Daniel Wade reported the behavior to the Microsoft Security Response Center after discovering it while analyzing Windows updates. He found that even after changing a user's password, their device would still accept the old password for RDP logins, effectively creating a silent backdoor into the system. This means that if an attacker gains access to a user's Microsoft or Azure account, they can use the revoked password to gain remote access to the user's device.
The mechanism behind this vulnerability is credential caching on the hard drive of the local machine. When a user logs in using Microsoft or Azure credentials for the first time, RDP confirms the password's validity online and stores it locally. From then on, Windows validates any password entered during an RDP login by comparing it against the locally stored credential, which means that even after the password is changed, the old one remains valid.
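The following Python model illustrates the mechanism described above. It is an added, constructed example and not Windows code or anything Microsoft publishes: the `IdentityProvider` class stands in for the online account backend, and `RdpLogin` shows the described cache-only validation beside a hardened variant (assumed here, not the article's) that validates online whenever the backend is reachable and evicts a cached credential the backend has rejected.

```python
import hashlib
import hmac
import secrets


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither side stores a plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class IdentityProvider:
    """Constructed stand-in for the online account backend (Microsoft/Azure).
    set_password() is the 'revocation' of the old credential."""

    def __init__(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.digest = _derive(password, self.salt)

    def set_password(self, password: str) -> None:
        self.digest = _derive(password, self.salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _derive(password, self.salt))


class RdpLogin:
    """Local machine. strict=False reproduces the described behaviour: after the
    first online check, the local cache alone decides. strict=True is the hardened
    (assumed) variant: validate online whenever the backend is reachable and use
    the cache only when it is not."""

    def __init__(self, idp: IdentityProvider, strict: bool = False) -> None:
        self.idp, self.strict, self.cache = idp, strict, {}

    def _cache_hit(self, user: str, password: str) -> bool:
        entry = self.cache.get(user)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, _derive(password, salt))

    def _online(self, user: str, password: str) -> bool:
        ok = self.idp.verify(password)
        if ok:  # refresh the cache with the credential that just validated online
            salt = secrets.token_bytes(16)
            self.cache[user] = (salt, _derive(password, salt))
        elif self._cache_hit(user, password):
            self.cache.pop(user)  # backend rejected the cached credential: it is stale
        return ok

    def login(self, user: str, password: str, online: bool = True) -> bool:
        if online and (self.strict or user not in self.cache):
            return self._online(user, password)
        return self._cache_hit(user, password)  # cache-only path from the article
```

In the non-strict model the old password keeps working after a change for as long as the cache entry exists; in the strict model the first online attempt with the revoked password evicts it, so it also stops working offline.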
This design decision has been in place for nearly two years and was first reported to Microsoft by another researcher in August 2023. Microsoft told Wade that the behavior was an issue already reported to it and therefore not eligible for a bounty award.
The lack of explicit guidance on how to address the issue led security expert Will Dormann to express concern that users may never detect or fix the problem. Microsoft's update to its online documentation does not state what steps users should take to lock down RDP if their account is compromised, nor does it advise users on how to configure RDP to authenticate against locally stored credentials only.
Wade argued that this design choice defies the nearly universal expectation that changing a password prevents unauthorized access. He warned that even if an attacker never had access to a user's system before, Windows will still trust the old password and create a silent backdoor into any system where it was ever cached.
The impact of this vulnerability is significant, as millions of users at home, in small businesses, or in hybrid work setups may be unknowingly exposed. Dormann said the behavior "does not make sense from a security perspective" because changing an account's password should prevent that account from being used anywhere else.
Microsoft has stated that it will not change its current design decision to fix this vulnerability due to concerns about compatibility with functionality used by many applications. Instead, the company will continue to trust revoked passwords for RDP logins indefinitely, even if a user changes their account password.
In conclusion, Microsoft's RDP allows users to log in using revoked passwords, which is not only unexpected but also poses significant security risks. The lack of clear guidance from Microsoft on how to address this issue has left many users vulnerable to potential attacks.
Related Information:
https://www.digitaleventhorizon.com/articles/Microsofts-Revoked-Password-RDP-A-Persistent-Backdoor-to-User-Devices-deh.shtml
https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/
Published: Wed Apr 30 17:53:34 2025 by llama3.2 3B Q4_K_M