Security Experts:

Connect with us

Hi, what are you looking for?



Details of Twice-Patched Windows RDP Vulnerability Disclosed

Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches.

Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches.

Tracked as CVE-2022-21893, the issue was initially addressed on January 2022 Patch Tuesday, but an analysis of the fix revealed that a new attack vector had not been patched. On April 2022 Patch Tuesday, Microsoft resolved the bug as CVE-2022-24533.

CVE-2022-21893, CyberArk explains, is a Windows Remote Desktop Services vulnerability that could allow an unprivileged user who accesses a machine via RDP to access the file system of client machines of other connected users.

The issue would also allow the attacker to view and modify the data of other connected users, including clipboard contents, transferred files, and smart card PINs. An attacker could also impersonate other users logged on to the machine, and gain access to a victim’s redirected devices, including USB devices, hard drives, and more.

“This could lead to data privacy issues, lateral movement and privilege escalation,” CyberArk notes.

According to the researchers, the vulnerability exists because named pipe permissions are improperly handled in Remote Desktop Services, thus allowing a user with normal privileges to “take over RDP virtual channels in other connected sessions.”

“The named pipe was created in such a way that it allowed every user on the system to create additional named pipe server instances with the same name,” CyberArk explains.

The initial patch changed the pipe permissions, thus preventing standard users from creating named pipe servers. However, it did not address the risk associated with the creation of the first pipe server, when the user can set permissions for subsequent instances.

“In case multiple pipe instances are created with the same name, the security descriptor passed to the first call to CreateNamedPipe() will be used for all the instances. In subsequent calls, a different security descriptor can be passed, but it will be ignored. So, in case an attacker creates the first pipe instance, they can control the permissions for other instances,” CyberArk notes.

Following the April 2022 patch, a new GUID is generated for new pipes – thus preventing attackers from predicting the next pipe name – and the pipe server is created with the new unique name. Furthermore, Microsoft introduced an additional control to check the current process ID against the named pipe server process ID.

“This is an additional control guaranteeing that even if an attacker could somehow predict the GUID, the attack will not work since they will have a different process ID. In this case, the same process creates the pipe server and client (the pipe client handle is later returned to the calling process), so it is easy to perform this check. With these changes, the risks of this vulnerability have been adequately addressed,” CyberArk notes.

Related: Windows Updates Patch Actively Exploited ‘Follina’ Vulnerability

Related: Patch Tuesday: Microsoft Warns of New Zero-Day Being Exploited

Related: Windows Print Spooler Vulnerabilities Increasingly Exploited in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.