
SECURITY ALERT: Remote Code Execution (RCE) Vulnerability in Microsoft Windows Remote Desktop Services (CVE-2019-0708)

    • Updated on:
    • 19 Jul 2021
    • Product/Version:
    • Deep Security 11.0, Vulnerability Protection 2.0
    • Operating System:

Update: May 28, 2019 @ 15:30 UTC - Comprehensive ZDI Analysis Blog added


On May 14, 2019, Microsoft released its monthly “Patch Tuesday” set of security updates for the various supported versions of the Microsoft Windows operating system. 


One notable bug that was addressed is a Remote Code Execution (RCE) vulnerability in Windows' Remote Desktop Services (CVE-2019-0708). The flaw is reachable before authentication, during RDP connection setup, so an unauthenticated attacker who can reach the RDP port could execute arbitrary code on the target system without any user interaction. Because neither credentials nor user action are required, the vulnerability is "wormable": an exploit could propagate from one vulnerable host to the next on its own and spread very quickly.


The vulnerability lies in older versions of the service: Microsoft states that Windows 8 and Windows 10 are not affected, while Windows 7 and Windows Server 2008 R2 (both still very widely used) are, as is Windows Server 2008.


The Zero Day Initiative (ZDI) has published a detailed technical analysis of the vulnerability (linked in the references below).



Please note: this is not a Trend Micro-specific vulnerability.


Mitigation and Protection


The first line of defense against any vulnerability is to ensure that affected systems have Microsoft's latest security update installed. This remains the primary recommendation for protection against any exploit that may arise from this vulnerability. Given the sheer number of systems that expose Remote Desktop Services and the threat of a fast-spreading exploit, organizations and individuals should apply Microsoft's patches as soon as possible.


Because of the seriousness of this issue, Microsoft has also issued out-of-band patches and guidance for some versions of Windows that have already reached end of life, such as Windows XP and Windows Server 2003. See Microsoft's customer guidance for EOL products (linked in the references below).


Microsoft also notes that enabling Network Level Authentication (NLA) on affected systems is a partial mitigation: NLA requires the connecting user to authenticate before a session is set up, which blocks the unauthenticated stage of the attack. Systems with NLA enabled remain vulnerable to an attacker who holds valid credentials that can successfully authenticate, so NLA is a stopgap until the patch is applied, not a replacement for it.
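As an added example (not part of the Trend Micro advisory and not Microsoft's guidance verbatim), the following PowerShell audits a host for the three things this section turns on (patch installed, RDP enabled, NLA required) and applies the mitigations discussed: enabling NLA, scoping the inbound firewall rule to a management subnet, or disabling RDP on hosts that do not need it. It assumes Windows 7 SP1 or Windows Server 2008 R2 SP1, where the fix shipped in the May 2019 Monthly Rollup (KB4499175) or Security-only update (KB4499164); other SKUs use other KBs, so check the Microsoft advisory. The management subnet 10.0.100.0/24 is a placeholder.

```powershell
# Added example, not from the Trend Micro advisory: audit and harden an RDP host
# against CVE-2019-0708. Run from an elevated PowerShell prompt on the host.
# Assumptions: Windows 7 SP1 / Server 2008 R2 SP1, where the fix is in KB4499175
# (Monthly Rollup) or KB4499164 (Security-only). 10.0.100.0/24 is a placeholder.

$FixKBs         = @('KB4499175', 'KB4499164')
$ManagementCidr = '10.0.100.0/24'
$TsRoot         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-TsGeneralSetting {
    # WMI view of the RDP-Tcp listener; Win32_TSGeneralSetting carries the NLA flag.
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
}

function Test-BlueKeepPatch {
    # True when one of the May 2019 updates is listed. A later rollup supersedes
    # these IDs and may not list them, so treat $false as "verify", not "unpatched".
    $installed = Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID }
    foreach ($kb in $FixKBs) { if ($installed -contains $kb) { return $true } }
    return $false
}

function Get-RdpExposure {
    # One object summarising what matters for this CVE on this host.
    $deny = (Get-ItemProperty -Path $TsRoot -Name fDenyTSConnections).fDenyTSConnections
    $ts   = Get-TsGeneralSetting
    New-Object PSObject -Property @{
        RdpEnabled  = ($deny -eq 0)
        NlaRequired = ($ts.UserAuthenticationRequired -eq 1)
        Patched     = (Test-BlueKeepPatch)
    }
}

function Enable-RdpNla {
    # Partial mitigation: the client must authenticate (CredSSP) before the
    # pre-authentication session setup is reached. Clients older than RDP 6.0
    # will be refused, so check your client estate first.
    $r = (Get-TsGeneralSetting).SetUserAuthenticationRequired(1)
    if ($r.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired failed: $($r.ReturnValue)" }
}

function Restrict-RdpSource {
    # Replace the stock any-source rule with one scoped to the management subnet.
    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no | Out-Null
    netsh advfirewall firewall add rule name="RDP from management subnet only" `
        dir=in action=allow protocol=TCP localport=3389 remoteip=$ManagementCidr | Out-Null
}

function Disable-Rdp {
    # For hosts that do not need RDP at all: refuse connections and close the port.
    Set-ItemProperty -Path $TsRoot -Name fDenyTSConnections -Value 1 -Type DWord
    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no | Out-Null
}

# Audit first; then pick the action that fits the host's role.
$state = Get-RdpExposure
$state | Format-List RdpEnabled, NlaRequired, Patched
if ($state.RdpEnabled -and -not $state.Patched -and -not $state.NlaRequired) {
    Write-Warning 'RDP reachable, unpatched and without NLA: patch now; enable NLA and scope the firewall rule in the meantime.'
}
```

Run `Enable-RdpNla` and `Restrict-RdpSource` on hosts that must keep RDP, and `Disable-Rdp` on those that do not. None of the three is a substitute for the update: `Get-RdpExposure` should report `Patched` as true before the host is considered closed.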


See Microsoft's MSRC blog post for more information (linked in the references below).



Trend Micro Detection and Protection


Trend Micro has developed rules and filters based on our own analysis of a potential exploit to provide additional protection. Note, however, that in the absence of a true in-the-wild exploit the effectiveness of a rule or filter of this nature may vary, and it should not be considered the sole source of protection. Customers are strongly encouraged to apply the Microsoft patches where possible and/or to apply the other recommended mitigations, such as enabling NLA and disabling non-critical RDP services and connections. More general RDP hardening guidance can be found in Trend Micro's InfoSec Guide: Remote Desktop Protocol (linked in the references below).


Trend Micro will continue to monitor for signs of active exploitation and will provide additional updates and rules if and when necessary.


Deep Security, Vulnerability Protection and Apex One Vulnerability Protection (iVP)

·        Rule 1009749 - Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (CVE-2019-0708)


TippingPoint

·        Filter 35285: RDP: Windows Remote Desktop Services Remote Code Execution Vulnerability


In addition, Trend Micro provides the following generic detection and protection for Deep Security, Vulnerability Protection, Apex One Vulnerability Protection (iVP) and TippingPoint, targeted at general RDP-based threats.


Deep Security and Vulnerability Protection

RDP Traffic:

·        Rule 1002508 – RDP (monitor RDP traffic)


Brute Force Detection:

·        Rule 1009448 - Microsoft Windows Remote Desktop Protocol (RDP) Brute Force Attempt


Terminal Services Detection:

·        Rule 1009549 - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T1043,T1076)

·        Rule 1001164 - Detected Terminal Services (RDP) Server Traffic


In addition, the following rules are available in Deep Security only:

Brute Force Detection:

·        Rule 1003716 - Identified Too Many Remote Desktop Protocol (RDP) Connection Request


Log Inspection:

·        Rule 1002795 - Microsoft Windows Events - "Multiple Windows Logon Failures"

·        Rule 1002795 - Microsoft Windows Events - "Windows Logon Failure"

·        Rule 1004057 - Microsoft Windows Security Events - 1 "Logon attempted using explicit credentials"


Apex One Vulnerability Protection (iVP)

·        Rule 1009448 - Microsoft Windows Remote Desktop Protocol (RDP) Brute Force Attempt


TippingPoint

·        Filter 5683 RDP: Windows Remote Desktop Access on Non-Standard Ports

·        Filter 5873 RDP: Windows Remote Desktop Access

·        Filter 6197 RDP: Windows Remote Desktop Access on Non-Standard Ports (HTTP)

·        Filter 10957 RDP: Windows Remote Desktop Brute Force Attempt by NCrack

·        Filter 12134 RDP: Remote Desktop Denial of Service Attack

·        Filter 22166 RDP: Windows Remote Desktop Access Over UDP

·        Filter 22167 RDP: Windows Remote Desktop Access Over UDP on Non-Standard Ports


Trend Micro will continue to closely monitor this issue and will provide updates on specific vulnerability detection guidance or any known threat or exploit information that may arise.




·        ZDI Blog:

·        Microsoft Security Bulletin:

·        Microsoft Customer Guidance for EOL Products:

·        Microsoft MSRC Blog:

·        Trend Micro InfoSec Guide: Remote Desktop Protocol (RDP):

