Microsoft Will Not Patch Security Bypass Flaw Abusing MSTSC

A DLL side-loading vulnerability related to the Microsoft Terminal Services Client (MSTSC) can be exploited to bypass security controls, but Microsoft says it will not be releasing a patch due to exploitation requiring elevated privileges.

MSTSC (mstsc.exe) is the Remote Desktop client built into Windows; it lets users connect to a remote computer over the Remote Desktop Protocol (RDP).

Researchers at Cymulate, a breach and attack simulation platform provider, discovered that mstsc.exe loads one of its DLLs, mstscax.dll, without verifying that the file is the genuine, Microsoft-signed library. An attacker who can replace that DLL with one of the same name therefore gets arbitrary code executed inside a trusted, Microsoft-signed process, which can bypass security controls such as AppLocker, Microsoft's application whitelisting feature for controlling which apps and files can be run.

The most direct attack is to replace mstscax.dll in the Windows\System32 folder with a malicious file of the same name. Writing to System32, however, requires administrator privileges, which is why Microsoft has decided not to patch the flaw.

Microsoft has pointed to its published guidance on triaging DLL planting (DLL hijacking) reports, in which the company explains which classes of DLL hijacking vulnerabilities it considers eligible for a patch and which it does not.

However, Cymulate has also described a post-exploitation scenario in which the attacker does not need administrative privileges at all. Because Windows searches the directory containing the executable before it searches System32, an unprivileged attacker who can read the system directory can copy mstsc.exe into a folder they control and place a malicious mstscax.dll next to it. Running that copy of mstsc.exe then loads the malicious DLL in the context of the remote desktop client, and the code runs under a Microsoft-signed process that security controls tend to trust.

In an attack scenario described by Cymulate for SecurityWeek, an attacker has low privileges on the targeted device and wishes to spawn a malicious Meterpreter reverse shell.

“The attacker attempts to execute the malicious shell, and security controls block the attempt,” the company explained. “The attacker copies mstsc.exe to an insecure directory, and places the malicious shell in place of mstscax.dll, and executes mstsc.exe. Due to mstsc.exe being a system binary, digitally signed by Microsoft, it is considered a trusted process by security controls. Mstsc.exe loads the malicious shell. At this point, malicious code is running under the context of mstsc.exe, efficiently bypassing security controls.”
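The scenario above leaves a recognisable trace: a Microsoft-signed mstsc.exe running from outside the system directories, loading an mstscax.dll that is neither in System32/SysWOW64 nor signed by Microsoft. The following detection logic is an added example written for this article, not code from Cymulate or Microsoft; it runs over constructed Sysmon Event ID 7 (image load) records flattened into "Key=Value|Key=Value" lines (an assumed log format), and it assumes a stock install with SystemRoot at C:\Windows.

```python
"""Flag mstsc.exe / mstscax.dll side-loading in Sysmon Event ID 7 (Image loaded) records.

Added example for the article's scenario; the log format and paths are assumptions.
"""
import ntpath
from dataclasses import dataclass

# Directories from which a Microsoft-signed mstsc.exe is expected to run and from
# which it should load mstscax.dll. Assumption: SystemRoot is C:\Windows.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class ImageLoadEvent:
    image: str         # loading process (Sysmon "Image")
    image_loaded: str  # DLL that was mapped (Sysmon "ImageLoaded")
    signed: bool       # Sysmon "Signed"
    signature: str     # Sysmon "Signature" (publisher name), "" if unsigned


def parse_event(line: str) -> ImageLoadEvent:
    """Parse one flattened 'Key=Value|Key=Value' Sysmon event line (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ImageLoadEvent(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def _dir(path: str) -> str:
    """Lower-cased parent directory of a Windows path, for case-insensitive comparison."""
    return ntpath.dirname(path).lower().rstrip("\\")


def check_event(ev: ImageLoadEvent) -> list[str]:
    """Return the reasons an event looks like mstscax.dll side-loading ([] if benign)."""
    if ntpath.basename(ev.image).lower() != "mstsc.exe":
        return []
    if ntpath.basename(ev.image_loaded).lower() != "mstscax.dll":
        return []
    reasons = []
    if _dir(ev.image) not in TRUSTED_DIRS:
        reasons.append(f"mstsc.exe running from untrusted directory {_dir(ev.image)}")
    if _dir(ev.image_loaded) not in TRUSTED_DIRS:
        reasons.append(f"mstscax.dll loaded from untrusted directory {_dir(ev.image_loaded)}")
    if not ev.signed or ev.signature != "Microsoft Windows":
        reasons.append("mstscax.dll is not signed by Microsoft Windows")
    return reasons


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Scan event lines; return (loading image, reasons) for every suspicious load."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = check_event(ev)
        if reasons:
            alerts.append((ev.image, reasons))
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Legitimate RDP client start: both files in System32, DLL signed by Microsoft.
    r"Image=C:\Windows\System32\mstsc.exe|ImageLoaded=C:\Windows\System32\mstscax.dll"
    r"|Signed=true|Signature=Microsoft Windows",
    # Unrelated DLL load by mstsc.exe; out of scope for this rule.
    r"Image=C:\Windows\System32\mstsc.exe|ImageLoaded=C:\Windows\System32\kernel32.dll"
    r"|Signed=true|Signature=Microsoft Windows",
    # The article's scenario: a copy of mstsc.exe in a user-writable folder
    # loading an unsigned mstscax.dll placed beside it.
    r"Image=C:\Users\bob\AppData\Local\Temp\rdp\mstsc.exe"
    r"|ImageLoaded=C:\Users\bob\AppData\Local\Temp\rdp\mstscax.dll|Signed=false|Signature=",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

The rule keys on the loader being mstsc.exe and the DLL being mstscax.dll, then treats any of the three conditions (loader outside the system directories, DLL outside them, DLL not Microsoft-signed) as a hit; the article's scenario trips all three. On a live host, the equivalent spot check is Get-AuthenticodeSignature on any mstscax.dll that sits beside a copy of mstsc.exe outside System32.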

The attack has been tested on Windows 10 and the cybersecurity firm believes it likely also works on other versions of the operating system.

The company told SecurityWeek that, depending on the payload, the technique could also be used to elevate privileges: the attacker would need to convince a user to run the copied mstsc.exe from the attacker's folder with elevated privileges, at which point the side-loaded DLL would run with those privileges.

Cymulate believes organizations should be aware of this vulnerability because DLL side-loading has been used by several threat actors to deploy their malware, including sophisticated groups such as APT32, APT41 and APT3.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.