CVE-2023-35352

7.5 HIGH

📋 TL;DR

CVE-2023-35352 is a security feature bypass in Windows Remote Desktop (Microsoft's title: Windows Remote Desktop Security Feature Bypass Vulnerability). An attacker who can reach the RDP service can circumvent an authentication or other security control and obtain access that control was meant to prevent. Exposure is therefore a function of where RDP listens: systems with Remote Desktop enabled, and above all those reachable from untrusted networks, are the ones at risk.

💻 Affected Systems

Products:
  • Windows Remote Desktop Services
  • Windows Remote Desktop Protocol
Versions: Multiple Windows versions (specific versions in Microsoft advisory)
Operating Systems: Windows Server, Windows Desktop
Default Config Vulnerable: ⚠️ Only once Remote Desktop is enabled (inbound RDP is off by default on both client and server editions)
Notes: Systems with Remote Desktop enabled are exposed; with it disabled nothing listens on 3389. Verify the exact affected builds, and the KB that fixes each, against Microsoft's advisory.

📦 What is this software?

Remote Desktop Protocol (RDP) is Microsoft's protocol for interactive remote sessions. Remote Desktop Services is the Windows component that accepts those sessions, listening on TCP and UDP port 3389, and the built-in mstsc client implements the client side.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via unauthorized remote access, leading to data theft, ransomware deployment, or lateral movement within networks.

🟠

Likely Case

Unauthorized access to Remote Desktop sessions, potentially allowing privilege escalation or credential harvesting.

🟢

If Mitigated

Limited impact due to network segmentation, strong authentication requirements, and proper access controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No known
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: MEDIUM

Exploitation is expected to require reaching the Remote Desktop service and interacting with it; no public proof of concept was known when this page was written.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: The July 2023 Windows security update, or any later cumulative update, for your build; the KB number per build is listed on the Microsoft advisory

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35352

Restart Required: Yes

Instructions:

1. Apply the latest Windows security update from Microsoft (July 2023 or later for your build; take the KB number from the advisory).
2. Restart affected systems; the update is not in effect until the reboot completes.
3. Verify the patch is installed via Windows Update history or Get-HotFix.

🔧 Temporary Workarounds

Disable Remote Desktop

Temporarily disable Remote Desktop where it is not required: System Properties > Remote tab > uncheck 'Allow remote connections to this computer'. This sets the registry value fDenyTSConnections under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server to 1, so nothing listens for RDP.

Network Restriction

Restrict inbound RDP (TCP and UDP 3389) to known management ranges. A new Allow rule for one subnet does not restrict anything on its own: the built-in "Remote Desktop" rule group still accepts any source, so scope that group instead (192.168.1.0/24 is a placeholder for your management range):

Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound | Set-NetFirewallRule -RemoteAddress 192.168.1.0/24

🧯 If You Can't Patch

  • Require Network Level Authentication (NLA) for all RDP connections: System Properties > Remote tab > 'Allow connections only from computers running Remote Desktop with Network Level Authentication', or set UserAuthentication to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. NLA makes the client authenticate over CredSSP before a session is created, which shrinks what an unauthenticated client can reach.
  • Put Remote Desktop behind a VPN or a Remote Desktop Gateway instead of exposing port 3389 to the internet.

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history for missing security patches related to CVE-2023-35352

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify the specific KB patch is installed via Windows Update history or:

Get-Hotfix -Id KBxxxxxxx
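The firewall scoping, NLA and patch checks above can be done in one pass. The script below is an added example (not from the advisory or from Microsoft): it reports whether RDP is enabled, whether NLA is required, which source addresses the built-in "Remote Desktop" firewall rules accept, and which expected KBs are missing, and with -Harden it applies the NLA and firewall changes. The management range 192.168.1.0/24 and the empty $ExpectedKbs list are assumptions; supply the KB numbers for your builds from the MSRC page.

```powershell
# Added example, not part of the advisory: audit and optionally harden RDP exposure.
# Run in an elevated PowerShell session. Defaults below are assumptions for illustration.
param(
    [string[]]$AllowedRdpSources = @('192.168.1.0/24'),   # assumed management range
    [string[]]$ExpectedKbs = @(),                          # fill from the MSRC advisory, e.g. 'KB.......'
    [switch]$Harden
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled? fDenyTSConnections = 0 means inbound connections are allowed.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 2. Is NLA required? UserAuthentication = 1 forces CredSSP authentication before a session exists.
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1

# 3. Which remote addresses do the built-in RDP rules accept? An extra Allow rule for one
#    subnet changes nothing while these still say 'Any'.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue
$ruleScope = $rdpRules | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = ($addr -join ',')
    }
}

# 4. Are the expected updates installed?
$installedKbs = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missingKbs   = $ExpectedKbs | Where-Object { $_ -notin $installedKbs }

[pscustomobject]@{
    RdpEnabled  = $rdpEnabled
    NlaRequired = $nlaRequired
    MissingKbs  = ($missingKbs -join ',')
} | Format-List
$ruleScope | Format-Table -AutoSize

if ($Harden) {
    # Require NLA; applies to new connections without a reboot.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    # Scope the built-in rules (TCP, UDP and Shadow) to the allowed sources instead of 'Any'.
    $rdpRules | Set-NetFirewallRule -RemoteAddress $AllowedRdpSources
}
```

Run it once without -Harden to see the current state, then with -Harden on hosts that must keep RDP on. Note that the scoping step also narrows the UDP 3389 rule in the same group, which a manual TCP-only rule would miss.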

📡 Detection & Monitoring

Log Indicators:

  • Security log: a burst of 4625 (failed logon) events from one source address followed by a 4624 (successful logon) with LogonType 10 (RemoteInteractive) from the same address
  • With NLA enabled, a failed CredSSP pre-authentication is recorded as 4625 with LogonType 3 (Network), not 10; a type-10 4625 only appears when NLA is off, so a query that matches only type 10 is blind on NLA-enforcing hosts
  • Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational event 1149 (user authentication succeeded) from unexpected source addresses
  • Unusual RDP connection patterns: off-hours sessions, new source addresses, service accounts logging on interactively

Network Indicators:

  • RDP traffic (TCP/UDP 3389) from unexpected sources
  • Many connection attempts to 3389 from one source in a short window

SIEM Query:

source="Security" EventCode=4625 LogonType=10 | stats count by src_ip

Field names depend on the ingest pipeline (the Splunk Add-on for Windows, for example, exposes these as Logon_Type and Source_Network_Address), and the query above only counts failures; the first indicator needs the 4624 join as well.
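The "failures, then a success from the same source" pattern can be hunted directly in a host's Security log before it reaches a SIEM. The script below is an added example (not part of the page's detection content): it reads 4624/4625 events, keeps RDP-relevant logon types including the NLA type-3 failures, and reports source addresses that crossed a failure threshold and then logged on interactively. The 24-hour window and the threshold of 5 are assumptions to tune.

```powershell
# Added example, not from the page: correlate RDP logon failures with a later success per source IP.
# Needs an elevated session (Security log). Thresholds are assumptions; tune for your environment.
param(
    [int]$Hours = 24,
    [int]$FailureThreshold = 5
)
$since = (Get-Date).AddHours(-$Hours)

# 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP session). With NLA the failed CredSSP
# pre-auth is logged as LogonType 3 (Network), so both types count as failures.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            LogonType = [int]$d['LogonType']
            User      = $d['TargetUserName']
            SourceIp  = $d['IpAddress']
        }
    } |
    Where-Object { $_.SourceIp -and $_.SourceIp -notin @('-', '127.0.0.1', '::1') }

$events | Group-Object SourceIp | ForEach-Object {
    $fails = @($_.Group | Where-Object { $_.Id -eq 4625 -and $_.LogonType -in @(3, 10) })
    $wins  = @($_.Group | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 })
    if ($fails.Count -ge $FailureThreshold -and $wins.Count -gt 0) {
        $firstFail = ($fails | Sort-Object Time | Select-Object -First 1).Time
        # Only a success that comes after the failures is the pattern of interest.
        $laterWins = @($wins | Where-Object { $_.Time -gt $firstFail })
        if ($laterWins.Count -gt 0) {
            [pscustomobject]@{
                SourceIp     = $_.Name
                Failures     = $fails.Count
                FirstFailure = $firstFail
                SuccessAt    = ($laterWins | Sort-Object Time | Select-Object -First 1).Time
                SuccessUsers = (($laterWins.User | Sort-Object -Unique) -join ',')
            }
        }
    }
} | Sort-Object Failures -Descending | Format-Table -AutoSize
```

On a Windows Event Collector, change LogName to 'ForwardedEvents' to run the same correlation across every forwarding host; a successful RDP logon also produces a 4624 with LogonType 3 from the NLA step, which the type-10 filter on $wins deliberately ignores.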
