Back to board Open MSRC
MSRC compact vulnerability detail

CVE-2024-49105 · Remote Desktop Client Remote Code Execution Vulnerability

No description was published by MSRC.

Severity
Critical
Impact
Remote Code Execution
CVSS
8.4 base · 7.3 temporal
Release
2024-12-10
Signals
Remote Desktop Client Remote Code Execution Exploited: No Publicly disclosed: No Exploitability: Exploitation Less Likely
CWE
CWE-284: Improper Access Control
Patch Diff
Loading module diff metadata...
Resolved binary override
Use this when the MSRC module name cannot be mapped automatically or the resolved binary looks wrong.
Old version New version
Description
No description was published by MSRC.
FAQ / Articles
FAQ
How could an attacker exploit this vulnerability? An authenticated attacker could exploit the vulnerability by triggering remote code execution (RCE) on the server via a Remote Desktop connection. Alternatively, an authenticated attacker could trigger guest-to-host RCE via a malicious program by connecting to the host using MMC.
FAQ
According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? This vulnerability could lead to a browser sandbox escape.
FAQ
According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires an admin user on the client to connect to a malicious server, and that could allow the attacker to gain code execution on the client.