CVE-2021-38665

7.4 HIGH

📋 TL;DR

CVE-2021-38665 is a Remote Desktop Protocol (RDP) client information disclosure vulnerability that allows an attacker to read memory contents from the RDP client. This affects Windows systems running vulnerable RDP clients when connecting to a malicious RDP server. The vulnerability could expose sensitive information like credentials or other data in memory.

💻 Affected Systems

Products:
  • Windows Remote Desktop Client
Versions: Windows 10 versions 2004, 20H2, 21H1; Windows 11; Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects RDP client when connecting to malicious RDP servers. Server-side RDP is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker controlling a malicious RDP server could extract sensitive information from client memory, potentially including authentication credentials, session tokens, or other confidential data.

🟠 Likely Case

Information disclosure of memory contents from RDP client sessions, potentially exposing system information or partial credential data.

🟢 If Mitigated

Limited or no information disclosure if proper network segmentation and RDP security controls are implemented.

🌐 Internet-Facing: MEDIUM - Requires user to connect to malicious RDP server, but RDP clients often connect to various servers.
🏢 Internal Only: MEDIUM - Internal malicious servers could exploit this, but requires user interaction to connect.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user to connect to attacker-controlled RDP server. No authentication bypass needed but requires user interaction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2021 security updates (KB5006670 for Windows 10 2004, 20H2, 21H1; KB5006669 for Windows 11; etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38665

Restart Required: Yes

Instructions:

1. Apply October 2021 Windows security updates via Windows Update.
2. For enterprise environments, deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Restart systems after patch installation.

🔧 Temporary Workarounds

Restrict RDP connections (windows)

Configure RDP client to only connect to trusted RDP servers using Group Policy or local settings.

Enable Network Level Authentication (windows)

Require NLA for all RDP connections to prevent connection to untrusted servers.

🧯 If You Can't Patch

  • Implement strict network segmentation to control which RDP servers users can connect to.
  • Use application allowlisting to restrict which RDP clients can be used and enforce connection policies.

🔍 How to Verify

Check if Vulnerable:

Check Windows version and compare with affected versions list. Systems without October 2021 security updates are vulnerable.

Check Version:

winver

Verify Fix Applied:

Verify October 2021 security updates are installed via 'winver' command or Windows Update history.

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing RDP connections to unknown/untrusted servers
  • Unexpected RDP client memory access patterns

Network Indicators:

  • RDP connections to suspicious or unknown IP addresses
  • Unusual RDP traffic patterns from clients

SIEM Query:

EventID=4624 AND LogonType=10 AND TargetUserName NOT IN (trusted_users) | stats count by SourceNetworkAddress
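As an added example that is not part of this advisory page, the PowerShell script below covers the "Verify Fix Applied" check and the log indicator above on a single client: it reports whether the October 2021 update listed under the fix is present, and lists which servers the local RDP client has recently connected to, flagging any outside an allowlist. It assumes the RDP client records outbound connections in the Microsoft-Windows-TerminalServices-RDPClient/Operational log as events 1024 and 1102 with the target server as the first EventData field; the trusted-host list is a constructed placeholder.

```powershell
# Added example (not from the advisory page). Run in an elevated PowerShell on the client.
# Assumptions not stated on the page: outbound RDP connects are logged as events 1024/1102
# in the RDPClient/Operational log, and the target server is the first EventData item.

$PatchKBs     = @('KB5006670', 'KB5006669')        # KB numbers as listed on the page
$PatchDate    = [datetime]'2021-10-01'             # any security update from October 2021 onward
$TrustedHosts = @('rdp-gw.corp.example', '10.0.5.20')  # constructed allowlist; replace with your own

function Test-Oct2021Patch {
    # Later cumulative updates supersede the named KB, so also accept any
    # security update installed on or after the October 2021 release.
    $hotfixes = Get-HotFix
    $byId   = $hotfixes | Where-Object { $PatchKBs -contains $_.HotFixID }
    $byDate = $hotfixes | Where-Object {
        $_.Description -match 'Security Update' -and $_.InstalledOn -ge $PatchDate
    }
    [pscustomobject]@{
        NamedKBInstalled     = [bool]$byId
        LaterSecurityUpdates = @($byDate | Select-Object -ExpandProperty HotFixID)
        LikelyPatched        = ([bool]$byId) -or ([bool]$byDate)
    }
}

function Get-OutboundRdpTargets {
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'
        Id        = 1024, 1102                     # 1024: connect attempt by name; 1102: transport to IP
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml    = [xml]$_.ToXml()
        $target = @($xml.Event.EventData.Data)[0].'#text'   # assumed: first field is the server
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Server  = $target
            Trusted = $TrustedHosts -contains $target
        }
    }
}

Test-Oct2021Patch | Format-List
# Connections to servers outside the allowlist are the ones worth reviewing for this CVE.
Get-OutboundRdpTargets -Days 30 | Where-Object { -not $_.Trusted } | Format-Table -AutoSize
```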
