Identity & Access

Hackers Can Bypass Windows Lockscreen on Remote Desktop Sessions

The Network Level Authentication (NLA) feature of Windows Remote Desktop Services (RDS) can allow an attacker to bypass the lockscreen on remote sessions, and no patch is available from Microsoft, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University warned on Tuesday.

NLA provides better protection for Remote Desktop (RD) sessions by requiring the user to authenticate to the RD Session Host server before a session is created. Microsoft recently recommended enabling NLA as a workaround for a critical RDS vulnerability tracked as CVE-2019-0708 and dubbed BlueKeep.

When a user connects to a remote system over RDS, they can lock the remote session in the same way a local Windows session can be locked. While the session is locked, the user is presented with a lockscreen and must authenticate again before they can continue using the session.

Joe Tammariello of the Software Engineering Institute at Carnegie Mellon University discovered a vulnerability that can be exploited to bypass the lockscreen of an RDS session. The flaw, tracked as CVE-2019-9510 and assigned a CVSS score of 4.6 (medium severity), affects Windows versions starting with Windows 10 1803 and Windows Server 2019.

“If a network anomaly triggers a temporary RDP disconnect, upon automatic reconnection the RDP session will be restored to an unlocked state, regardless of how the remote system was left,” CERT/CC explained in an advisory.

The organization has described the following attack scenario: the targeted user connects to a Windows 10 or Server 2019 system via RDS, locks the remote session, and leaves the client device unattended. An attacker with physical access to the client device then briefly interrupts its network connectivity. When the RDP client automatically reconnects, the remote session is restored in an unlocked state, giving the attacker access to the remote system without any credentials.

“Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, are also bypassed using this mechanism. Any login banners enforced by an organization will also be bypassed,” CERT/CC said.

Tammariello reported his findings to Microsoft, but the tech giant apparently does not plan to patch the vulnerability in the near future.

“After investigating this scenario, we have determined that this behavior does not meet the Microsoft Security Servicing Criteria for Windows,” Microsoft said, according to CERT/CC vulnerability analyst Will Dormann.

Users can protect themselves against potential attacks in two ways: lock the local client system instead of the remote session, or disconnect the RDS session instead of locking it. A disconnected session stays alive on the host, but resuming it requires a full NLA authentication rather than the automatic restore that occurs after a network interruption.
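The second workaround, disconnecting rather than locking, is easy to get wrong out of habit (Win+L inside the RDP window locks the remote session). The following PowerShell function is an added example, not code from CERT/CC, Microsoft or the article: run on the remote host, it disconnects the session with tsdiscon.exe when it detects that it is running inside an RDP session, and falls back to a normal workstation lock on a local console. The function names and the assumption that RDP sessions have a SESSIONNAME beginning with "RDP-" are the author's own choices.

```powershell
# Added example: a "safe lock" for use inside Remote Desktop sessions.
# Not part of the CERT/CC advisory or of Microsoft's tooling.
#
# Background: after a temporary RDP disconnect the reconnected session is
# restored unlocked (CVE-2019-9510), so locking a remote session with Win+L
# does not protect it. Disconnecting the session instead forces a full NLA
# authentication on reconnect.

function Test-RdpSession {
    # Assumption: Windows sets SESSIONNAME to "Console" for the local console
    # and to "RDP-Tcp#<n>" for Remote Desktop sessions.
    return ($env:SESSIONNAME -like 'RDP-*')
}

function Invoke-SafeLock {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (Test-RdpSession) {
        # tsdiscon.exe with no arguments disconnects the caller's own session.
        # The session keeps running on the host; the user reconnects later via
        # mstsc and must authenticate through NLA before it is resumed.
        if ($PSCmdlet.ShouldProcess($env:SESSIONNAME, 'Disconnect RDP session (tsdiscon.exe)')) {
            & tsdiscon.exe
        }
    }
    else {
        # Local console: an ordinary lock is fine, because no reconnect logic
        # can restore it unlocked.
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Lock local workstation')) {
            & rundll32.exe user32.dll,LockWorkStation
        }
    }
}

# Dry run: prints which action would be taken for the current session
# without locking or disconnecting anything.
Invoke-SafeLock -WhatIf
```

Bind the function to a shortcut or run it directly from the remote session in place of Win+L. On the client side, the first workaround needs no script: lock the local machine (Win+L on the client desktop, not inside the RDP window) so that the remote session is never the only barrier.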


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.