Security Experts:

Connect with us

Hi, what are you looking for?



Details of Twice-Patched Windows RDP Vulnerability Disclosed

Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches.

Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches.

Tracked as CVE-2022-21893, the issue was initially addressed on January 2022 Patch Tuesday, but an analysis of the fix revealed that a new attack vector had not been patched. On April 2022 Patch Tuesday, Microsoft resolved the bug as CVE-2022-24533.

CVE-2022-21893, CyberArk explains, is a Windows Remote Desktop Services vulnerability that could allow an unprivileged user who accesses a machine via RDP to access the file system of client machines of other connected users.

The issue would also allow the attacker to view and modify the data of other connected users, including clipboard contents, transferred files, and smart card PINs. An attacker could also impersonate other users logged on to the machine, and gain access to a victim’s redirected devices, including USB devices, hard drives, and more.

“This could lead to data privacy issues, lateral movement and privilege escalation,” CyberArk notes.

According to the researchers, the vulnerability exists because named pipe permissions are improperly handled in Remote Desktop Services, thus allowing a user with normal privileges to “take over RDP virtual channels in other connected sessions.”

“The named pipe was created in such a way that it allowed every user on the system to create additional named pipe server instances with the same name,” CyberArk explains.

The initial patch changed the pipe permissions, thus preventing standard users from creating named pipe servers. However, it did not address the risk associated with the creation of the first pipe server, when the user can set permissions for subsequent instances.

“In case multiple pipe instances are created with the same name, the security descriptor passed to the first call to CreateNamedPipe() will be used for all the instances. In subsequent calls, a different security descriptor can be passed, but it will be ignored. So, in case an attacker creates the first pipe instance, they can control the permissions for other instances,” CyberArk notes.

Following the April 2022 patch, a new GUID is generated for new pipes – thus preventing attackers from predicting the next pipe name – and the pipe server is created with the new unique name. Furthermore, Microsoft introduced an additional control to check the current process ID against the named pipe server process ID.

“This is an additional control guaranteeing that even if an attacker could somehow predict the GUID, the attack will not work since they will have a different process ID. In this case, the same process creates the pipe server and client (the pipe client handle is later returned to the calling process), so it is easy to perform this check. With these changes, the risks of this vulnerability have been adequately addressed,” CyberArk notes.

Related: Windows Updates Patch Actively Exploited ‘Follina’ Vulnerability

Related: Patch Tuesday: Microsoft Warns of New Zero-Day Being Exploited

Related: Windows Print Spooler Vulnerabilities Increasingly Exploited in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet