CVE-2021-34535

8.8 HIGH

📋 TL;DR

This vulnerability is a remote code execution flaw in the Windows Remote Desktop Client's processing of data sent by the RDP server: a malicious server can run arbitrary code on the connecting machine. The victim has to initiate the connection (a phished link or .rdp file, or a legitimate server that has already been compromised). The same client code is embedded in Hyper-V Manager's VMConnect, so a malicious guest VM can also reach the Hyper-V host when an administrator opens its console. Code runs with the rights of the logged-on user.

💻 Affected Systems

Products:
  • Windows Remote Desktop Client
Versions: every Windows client and server release in support in August 2021 (Windows 7 SP1, 8.1 and 10 through 21H1; Windows Server 2008 through 2022); the standalone Remote Desktop client for Windows (msrdc.exe); Hyper-V Manager (VMConnect)
Operating Systems: Windows 7 and later, Windows Server 2008 and later
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the client (mstsc.exe / mstscax.dll), so exposure comes from connecting out to a hostile server, not from hosting Remote Desktop Services. Hyper-V hosts are exposed through VMConnect, which embeds the same client control.

📦 What is this software?

The Remote Desktop Client is the RDP client built into Windows: mstsc.exe, with the protocol implementation in the mstscax.dll ActiveX control. The same control is embedded in Hyper-V Manager's Virtual Machine Connection (VMConnect). Microsoft also ships a separately installed Remote Desktop client for Windows (msrdc.exe), used for Azure Virtual Desktop and Windows 365, which the advisory lists as its own product with its own fixed version.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of the client machine when the connecting user is a local administrator (or the payload chains a separate privilege escalation): malware installation, credential theft and pivoting into the network. On a Hyper-V host, a guest-to-host escape when an administrator opens a malicious guest's console.

🟠

Likely Case

Attacker gains user-level access to execute code, steal data, and install ransomware or backdoors on the compromised system.

🟢

If Mitigated

Limited impact due to network segmentation, least privilege accounts, and proper patch management preventing exploitation.

🌐 Internet-Facing: MEDIUM - Requires user to initiate RDP connection to malicious server, but phishing or compromised legitimate servers could facilitate attacks.
🏢 Internal Only: HIGH - Internal users connecting to compromised or malicious internal servers could be exploited without external network access.

🎯 Exploit Status

Public PoC: ✅ No (as of last analysis)
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ Yes (CVSS PR:N; the attacker needs no credentials, only a victim who connects to a server they control)
Complexity: MEDIUM

The victim must initiate an RDP connection to an attacker-controlled (or attacker-compromised) server, or open a malicious guest's console from Hyper-V Manager. No public exploit code available as of last analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: August 2021 security updates (e.g. KB5005033 for Windows 10 2004/20H2/21H1, KB5005031 for Windows 10 1909, KB5005030 for Windows 10 1809 and Windows Server 2019; other releases and the standalone client per the advisory)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34535

Restart Required: Yes

Instructions:

1. Apply the August 2021 (or any later) cumulative update via Windows Update.
2. For enterprise: deploy through WSUS or SCCM/MECM. Update the standalone Remote Desktop client (msrdc.exe) separately; it is not serviced by the OS cumulative update.
3. Restart after installation.
4. Hyper-V hosts are client-side too: patch the hosts, not just the guests.

🔧 Temporary Workarounds

Restrict who can run the RDP client

windows

Remove the client from hosts and users that do not need it; the bug cannot be reached if the client cannot start. Note that the "Do not allow passwords to be saved" policy and the fPromptForPassword setting sometimes suggested for RDP hardening do not help here: they govern credential prompting, not whether the client connects to (and parses data from) a malicious server.

AppLocker / WDAC: deny %SystemRoot%\System32\mstsc.exe and %SystemRoot%\SysWOW64\mstsc.exe (and msrdc.exe for the standalone client) for user groups with no RDP requirement
Hyper-V hosts: until patched, do not open VMConnect (Hyper-V Manager) to untrusted guests; use PowerShell Direct for administration instead

Network restriction

windows

Block outbound RDP from the client binaries to untrusted networks. Scope the rule to the client program rather than to TCP/3389: the client will connect to any port an attacker names in a link or .rdp file, and RDP also uses UDP for its multi-transport channel, so a TCP-port rule alone is easy to bypass.

Windows Firewall: outbound block rule for mstsc.exe (and msrdc.exe), scoped to all remote addresses outside your private ranges (block rules take precedence over allow rules, so the allowlist is expressed as "block everything else")
netsh advfirewall firewall add rule name="Block RDP client to untrusted networks" dir=out action=block program="%SystemRoot%\System32\mstsc.exe" remoteip=1.0.0.0-9.255.255.255,11.0.0.0-172.15.255.255,172.32.0.0-192.167.255.255,192.169.0.0-223.255.255.255
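The same restriction as a repeatable PowerShell script, covering both mstsc.exe copies, the standalone client and IPv6. This is an added example, not code from the original page or from Microsoft; it assumes your internal RDP servers sit in RFC 1918 (or IPv6 link-local/ULA) space and that msrdc.exe installs under "%ProgramFiles%\Remote Desktop\".

```powershell
# Added example, not from the original page: program-scoped outbound firewall
# rules that confine the Windows RDP clients to RFC 1918 (and IPv6 non-global)
# destinations. Assumptions: internal RDP servers live in private address space,
# and the standalone client installs to "%ProgramFiles%\Remote Desktop\msrdc.exe".
#Requires -RunAsAdministrator

# Windows Firewall gives block rules precedence over allow rules, so an allowlist
# has to be expressed as "block everything that is NOT trusted". These ranges
# are the unicast IPv4 space minus 10/8, 172.16/12 and 192.168/16.
$UntrustedV4 = @(
    '1.0.0.0-9.255.255.255'
    '11.0.0.0-172.15.255.255'
    '172.32.0.0-192.167.255.255'
    '192.169.0.0-223.255.255.255'
)
# All global-unicast IPv6; link-local (fe80::/10) and ULA (fc00::/7) stay reachable.
$UntrustedV6 = @('2000::/3')

$Clients = @(
    "$env:SystemRoot\System32\mstsc.exe"
    "$env:SystemRoot\SysWOW64\mstsc.exe"
    "$env:ProgramFiles\Remote Desktop\msrdc.exe"   # assumed install path
) | Where-Object { Test-Path $_ }

foreach ($exe in $Clients) {
    $tag = "$(Split-Path (Split-Path $exe) -Leaf)\$(Split-Path $exe -Leaf)"
    foreach ($set in @(@{ Suffix = 'IPv4'; Addr = $UntrustedV4 }, @{ Suffix = 'IPv6'; Addr = $UntrustedV6 })) {
        $name = "CVE-2021-34535 - block $tag to untrusted $($set.Suffix)"
        # Re-create the rule so the script is idempotent.
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        # No -Protocol and no port: RDP uses TCP and UDP, and the client connects to
        # whatever port an .rdp file or "host:port" string names.
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Program $exe -RemoteAddress $set.Addr -Profile Any -Enabled True | Out-Null
    }
}

# Show what was created, with the address scopes resolved.
Get-NetFirewallRule -DisplayName 'CVE-2021-34535 - *' | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; RemoteAddress = $addr }
}
```

Run it from an elevated prompt on each workstation (or wrap it in a GPO startup script). If your RDP servers are not all in private space, add their public ranges to an explicit allow list by carving them out of $UntrustedV4 rather than adding allow rules, which a block rule would override anyway.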

🧯 If You Can't Patch

  • Restrict outbound RDP from the client binaries to trusted servers only (see the firewall workaround above); port-based segmentation alone misses non-standard ports and the UDP transport
  • Application control (AppLocker/WDAC) limits what an exploit can drop and run afterwards, but does not stop the initial payload, which executes inside the trusted mstsc.exe process; treat it as containment, not prevention
  • Tell users not to open .rdp files or "connect to this host" links from e-mail, and to connect only to known servers
  • Monitor for RDP client connections to unknown hosts and for child processes of mstsc.exe/msrdc.exe (see Detection & Monitoring below)

🔍 How to Verify

Check if Vulnerable:

Compare the installed OS build and update build revision (UBR) against the August 2021 cumulative update for that release. systeminfo and winver show the build; the UBR (the number after the dot, e.g. 19043.1165) is in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" | findstr /C:"CurrentBuild" /C:" UBR "

Verify Fix Applied:

Verify the host is at or above the August 2021 build: 19041/19042/19043.1165 (KB5005033, Windows 10 2004/20H2/21H1), 18363.1734 (KB5005031, Windows 10 1909) or 17763.2114 (KB5005030, Windows 10 1809 / Server 2019); other releases per the advisory. Do not rely on the KB number alone: a later cumulative update supersedes it, and Get-HotFix / wmic qfe will not list the original KB. Check the standalone client's version (msrdc.exe, Help > About) against the fixed version named in the advisory as well.
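The build/UBR comparison as a script that can be pushed to a fleet. This is an added example, not from the original page or from Microsoft. The threshold builds are the August 2021 cumulative-update builds for the Windows 10 / Server 2019 releases listed above; confirm them against the advisory before relying on the result, and add rows for other releases you run. The msrdc.exe path is an assumption.

```powershell
# Added example, not from the original page: report whether this host carries
# the August 2021 fix for CVE-2021-34535. The authoritative check compares the
# installed build.UBR with the first patched build for that release; Get-HotFix
# is only a secondary signal because later cumulative updates supersede the
# original KB. Threshold values are taken from the August 2021 LCU release
# notes; confirm them against the MSRC advisory before relying on this script.

$MinPatched = @{
    '17763' = @{ Ubr = 2114; Kb = 'KB5005030'; Name = 'Windows 10 1809 / Server 2019' }
    '18363' = @{ Ubr = 1734; Kb = 'KB5005031'; Name = 'Windows 10 1909' }
    '19041' = @{ Ubr = 1165; Kb = 'KB5005033'; Name = 'Windows 10 2004' }
    '19042' = @{ Ubr = 1165; Kb = 'KB5005033'; Name = 'Windows 10 20H2' }
    '19043' = @{ Ubr = 1165; Kb = 'KB5005033'; Name = 'Windows 10 21H1' }
}

function Get-Cve202134535State {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR
    $entry = $MinPatched[$build]

    if (-not $entry) {
        $state = 'UNKNOWN: build not in table, look it up in the advisory'
    } elseif ($ubr -ge $entry.Ubr) {
        $state = "PATCHED (>= $build.$($entry.Ubr), $($entry.Kb))"
    } else {
        $state = "VULNERABLE: needs $($entry.Kb) or any later cumulative update"
    }

    # Secondary signal: the original KB, if it has not been superseded yet.
    $kbSeen = if ($entry) { [bool](Get-HotFix -Id $entry.Kb -ErrorAction SilentlyContinue) } else { $false }

    # The standalone client is patched separately; report its version so it can be
    # compared with the fixed version named in the advisory (not reproduced here).
    $msrdc    = "$env:ProgramFiles\Remote Desktop\msrdc.exe"   # assumed install path
    $msrdcVer = if (Test-Path $msrdc) { (Get-Item $msrdc).VersionInfo.ProductVersion } else { 'not installed' }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Release      = if ($entry) { $entry.Name } else { $cv.ProductName }
        Build        = "$build.$ubr"
        State        = $state
        FixKbPresent = $kbSeen
        MsrdcVersion = $msrdcVer
    }
}

Get-Cve202134535State | Format-List
```

Because the check is on build.UBR, a host that has taken any later monthly update is reported PATCHED even though FixKbPresent is False; that is the expected outcome, not a discrepancy.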

📡 Detection & Monitoring

Log Indicators:

  • Microsoft-Windows-TerminalServices-RDPClient/Operational events 1024 (client attempting to connect to a server) and 1102 (multi-transport connection initiated), which record the target host. This is the client-side log; Event ID 1149 in the RemoteConnectionManager log is written by the RDP server side and does not apply here.
  • Connections in that log to hosts that are not known RDP servers, especially shortly after a user opened an e-mailed .rdp file or link
  • Security Event ID 4688 (process creation) where the parent process is mstsc.exe or msrdc.exe; the client rarely spawns children, so a cmd.exe, powershell.exe or rundll32.exe under it is a strong post-exploitation signal (requires process-creation auditing with command-line logging)

Network Indicators:

  • Outbound RDP connections to unknown external IPs
  • RDP traffic to non-standard ports
  • Unusual volume of RDP client connections

SIEM Query:

Child processes of the RDP client (Splunk, Windows TA field names; requires Security 4688 with command-line auditing enabled):

source="WinEventLog:Security" EventCode=4688 (Creator_Process_Name="*\\mstsc.exe" OR Creator_Process_Name="*\\msrdc.exe") | stats count by host, Creator_Process_Name, New_Process_Name, Process_Command_Line
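Where no SIEM is collecting these logs, the same two hunts can be run on the endpoint. This is an added example, not from the original page or from Microsoft: it reads the client-side RDPClient/Operational log for connections to servers outside an allowlist, then looks for processes spawned by the RDP client in Security 4688. $TrustedServers is a placeholder allowlist, and the seven-day window is arbitrary.

```powershell
# Added example, not from the original page: hunt for (1) RDP client connections
# to servers outside an allowlist, using the client-side log
# Microsoft-Windows-TerminalServices-RDPClient/Operational (1024 = connection
# attempt, 1102 = multi-transport connection), and (2) processes spawned by the
# RDP client, from Security 4688 (needs process-creation auditing with command
# line logging). $TrustedServers is a placeholder; fill in your own patterns.

$TrustedServers = @('^jump\d+\.corp\.example$', '^10\.20\.\d+\.\d+$')   # assumed allowlist (regex)
$Since = (Get-Date).AddDays(-7)

function Test-TrustedServer([string]$Server) {
    foreach ($p in $TrustedServers) { if ($Server -match $p) { return $true } }
    return $false
}

# Read EventData fields by name rather than by position; positions shift between builds.
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name } | Select-Object -First 1).'#text'
}

# The RDPClient events carry the target in Data Name="Value"; fall back to the message text.
function Get-RdpTarget($Event) {
    $v = Get-EventField $Event 'Value'
    if ($v) { return $v }
    if ($Event.Message -match 'server\s*\(?([^\s()]+?)\.?\)?\s*$') { return $Matches[1] }
}

function Find-UntrustedRdpConnections {
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'; Id = 1024, 1102; StartTime = $Since
    } | ForEach-Object {
        $target = Get-RdpTarget $_
        if ($target -and -not (Test-TrustedServer $target)) {
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Server = $target
                               Finding = 'RDP client connected to non-allowlisted server' }
        }
    }
}

# A payload delivered through the client bug runs inside mstsc.exe/msrdc.exe, so a
# child cmd.exe/powershell.exe/rundll32.exe is a strong post-exploitation signal.
function Find-RdpClientChildren {
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $Since
    } | ForEach-Object {
        $parent = Get-EventField $_ 'ParentProcessName'
        if ($parent -match '\\(mstsc|msrdc)\.exe$') {
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Parent = $parent
                               Child = (Get-EventField $_ 'NewProcessName')
                               CommandLine = (Get-EventField $_ 'CommandLine')
                               Finding = 'Process spawned by RDP client' }
        }
    }
}

Find-UntrustedRdpConnections | Format-Table -AutoSize
Find-RdpClientChildren       | Format-Table -AutoSize -Wrap
```

Reading 4688 over a week can be slow on busy hosts; narrow $Since to the window around the suspicious connection you found in the first pass. Parsing the XML by field name costs a little speed but keeps the script correct on builds where the 4688 property order differs.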
