MSRC compact vulnerability detail

CVE-2023-28290 · Microsoft Remote Desktop app for Windows Information Disclosure Vulnerability

No description was published by MSRC.

Severity
Important
Impact
Information Disclosure
CVSS
5.3 base · 4.6 temporal
Release
2023-05-09
Signals
Windows RDP Client Information Disclosure
Exploited: No
Publicly disclosed: No
Exploitability: Exploitation Less Likely
CWE
No CWE data published.
FAQ / Articles
FAQ-Exploit-Remote Desktop Client - Self Signed Certificate
How could an attacker exploit this vulnerability? When a Microsoft Remote Desktop app for Windows client connects to the server and the user saves the self-signed certificate, the serial number is used to match the certificate on future connections. An attacker could swap out a forged certificate with the same serial number, resulting in a machine-in-the-middle (MITM) attack.
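The answer above describes a trust-on-first-use store that records too little of the certificate. The following Go program, added here as an illustration and not code from Microsoft or from the Remote Desktop client, contrasts the weak comparison (serial number only) with the comparison a client should make (SHA-256 thumbprint of the whole DER certificate). It generates two self-signed certificates with the same serial number and subject but different keys; the names, the serial value, and the `rdp-host.example` subject are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned generates a fresh key pair and a self-signed certificate
// with the given serial number and common name (constructed for this example).
func makeSelfSigned(serial int64, cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Thumbprint returns the hex SHA-256 of the DER encoding: the value a
// trust-on-first-use store should record, because it covers the public key
// and the signature, not just one header field.
func Thumbprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// TrustedBySerial models the weak check: the saved serial number alone
// decides whether the presented certificate is the one the user accepted.
func TrustedBySerial(savedSerial *big.Int, presented *x509.Certificate) bool {
	return savedSerial.Cmp(presented.SerialNumber) == 0
}

// TrustedByThumbprint models the hardened check: the whole DER certificate
// must hash to the value saved at first use.
func TrustedByThumbprint(savedThumbprint string, presented *x509.Certificate) bool {
	return savedThumbprint == Thumbprint(presented)
}

// Demo saves trust for an original certificate, then presents a look-alike
// that reuses its serial number under a different key. It returns whether
// each check accepts the look-alike.
func Demo() (serialAccepts bool, thumbprintAccepts bool, err error) {
	original, err := makeSelfSigned(0x1234, "rdp-host.example")
	if err != nil {
		return false, false, err
	}
	lookalike, err := makeSelfSigned(0x1234, "rdp-host.example")
	if err != nil {
		return false, false, err
	}
	savedSerial := original.SerialNumber // what a serial-only store keeps
	savedThumb := Thumbprint(original)   // what a thumbprint store keeps
	return TrustedBySerial(savedSerial, lookalike),
		TrustedByThumbprint(savedThumb, lookalike), nil
}

func main() {
	bySerial, byThumb, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("serial-number match accepts look-alike cert: %v\n", bySerial)
	fmt.Printf("thumbprint match accepts look-alike cert:    %v\n", byThumb)
}
```

The serial number is chosen by whoever issues the certificate, so any party can mint a certificate carrying the same value; only a digest over the full certificate (or a pin on the public key) ties the saved trust decision to the key the user actually accepted.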
FAQ
What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could recover plaintext from TLS-protected data.
FAQ-Windows App How-to-Get
How do I get the update for a Windows App? The Microsoft Store will automatically update affected customers. It is possible for customers to disable automatic updates for the Microsoft Store. The Microsoft Store will not automatically install this update for those customers. You can get the update through the store by following this guide: Get updates for apps and games in Microsoft Store. Be sure to select the tab for the operating system installed on your device to search for updates.