
Microsoft Remote Desktop App Information Disclosure (May 2023)

The Microsoft Remote Desktop Windows Store App installed on the remote host is prior to 10.2.3006.0. It is, therefore, affected by an information disclosure vulnerability. When the Microsoft Remote Desktop app for Windows client connects to a server and the user saves the server's self-signed certificate, the certificate's serial number is what the app compares against on future connections. An attacker could substitute a forged certificate with the same serial number, resulting in a Man-In-The-Middle (MiTM) attack.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
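As an added illustration of why the serial-number comparison described above is a weak pin (this is example code, not Microsoft's or the advisory's own), the Go program below constructs two self-signed certificates that share a serial number but were signed with different keys, then compares them first by serial and then by a SHA-256 fingerprint of the whole certificate. The function names SelfSigned, WeakMatch and StrongMatch, the serial 4242 and the host name are the example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SelfSigned builds a self-signed certificate with the given serial and a fresh P-256 key (constructed test data).
func SelfSigned(serial int64, cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// WeakMatch mirrors the flawed check: any certificate carrying the saved serial is trusted, whoever holds the key.
func WeakMatch(saved, presented *x509.Certificate) bool {
	return saved.SerialNumber.Cmp(presented.SerialNumber) == 0
}

// StrongMatch pins the SHA-256 of the full DER encoding, which changes whenever the key or any other field differs.
func StrongMatch(saved, presented *x509.Certificate) bool {
	return sha256.Sum256(saved.Raw) == sha256.Sum256(presented.Raw)
}

func main() {
	saved, _ := SelfSigned(4242, "rdp.example.internal")
	forged, _ := SelfSigned(4242, "rdp.example.internal") // same serial, different key
	fmt.Println("serial check accepts forged cert:", WeakMatch(saved, forged))      // true
	fmt.Println("fingerprint check accepts forged cert:", StrongMatch(saved, forged)) // false
}
```

The fingerprint comparison is what a trust-on-first-use store should persist instead of the serial, since the serial is an attacker-chosen field in a self-signed certificate.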
