CVE-2023-36790
📋 TL;DR
This vulnerability in Windows Remote Desktop Protocol (RDP) Encoder Mirror Driver allows authenticated attackers to execute arbitrary code with SYSTEM privileges. It affects Windows systems with RDP enabled, primarily servers and workstations used for remote access. Attackers need valid credentials to exploit this privilege escalation flaw.
💻 Affected Systems
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, enabling complete control over the affected system, data theft, lateral movement, and persistence establishment.
Likely Case
Privilege escalation from standard user to SYSTEM, allowing installation of malware, disabling security controls, and accessing sensitive system resources.
If Mitigated
Limited impact due to proper credential management, network segmentation, and RDP restrictions preventing unauthorized access.
🎯 Exploit Status
Requires authenticated access to the target system. No public exploit code was available as of this writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: October 2023 security updates (KB5031356 for Windows 10, KB5031354 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36790
Restart Required: Yes
Instructions:
1. Apply October 2023 Windows security updates via Windows Update.
2. For enterprise environments, deploy updates through WSUS or SCCM.
3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable RDP if not required
Turn off Remote Desktop Protocol to eliminate the attack vector
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
Restrict RDP access via firewall
Limit RDP connections to trusted IP addresses only
netsh advfirewall firewall add rule name="Restrict RDP" dir=in action=allow protocol=TCP localport=3389 remoteip=192.168.1.0/24,10.0.0.0/8
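The two workarounds above as a single PowerShell script. This is an added example, not part of the advisory or a Microsoft-supplied script. It assumes the English "Remote Desktop" firewall display group and uses the advisory's two address ranges as sample values; replace them with your own management networks. The point it adds to the netsh line: the built-in Remote Desktop rules allow any remote address, so an extra allow rule scoped to trusted IPs has no restricting effect while those built-in rules are enabled; the scope has to be applied to the built-in rules themselves.

```powershell
# Added example, not from the advisory. Scopes the built-in "Remote Desktop" firewall rules
# to trusted networks, or disables RDP entirely with -DisableRdp. Run from an elevated prompt.
param(
    # Sample values taken from the advisory's netsh line; replace with your management networks.
    [string[]]$TrustedNetworks = @('192.168.1.0/24', '10.0.0.0/8'),
    [switch]$DisableRdp
)

# "Remote Desktop" is the English display-group name; on localized systems filter
# Get-NetFirewallRule on its Group property instead of DisplayGroup.
$RdpGroup = 'Remote Desktop'

if ($DisableRdp) {
    # Same effect as the reg add line above, plus closing the firewall group so the
    # listener stays unreachable even if something re-enables the service later.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup $RdpGroup
    Write-Output 'RDP disabled (fDenyTSConnections=1, Remote Desktop firewall rules off).'
    return
}

# The built-in rules allow remote address "Any" by default. A separate allow rule limited to
# trusted IPs (what the netsh line adds) does not narrow anything while those rules are
# enabled with "Any", so restrict the built-in rules directly.
$rules = Get-NetFirewallRule -DisplayGroup $RdpGroup -ErrorAction Stop
$rules | Set-NetFirewallRule -RemoteAddress $TrustedNetworks

# Show the effective scope of every rule in the group so the change can be confirmed and audited.
Get-NetFirewallRule -DisplayGroup $RdpGroup | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

Run it once without parameters to scope the rules, or with `-DisableRdp` on hosts that do not need remote desktop at all. Apply either change through a management channel other than the RDP session you are restricting, since a scope that excludes your own address ends the session.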
🧯 If You Can't Patch
- Implement strict credential management and multi-factor authentication for RDP access
- Segment RDP-enabled systems from critical assets and monitor RDP connections closely
🔍 How to Verify
Check if Vulnerable:
Check if October 2023 security updates are installed via 'wmic qfe list' or 'systeminfo' command
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify KB5031356 (Windows 10) or KB5031354 (Windows 11) is installed and system has been restarted
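A PowerShell check that combines the KB lookup, OS build and pending-reboot state into one report. Added example, not from the advisory. The KB numbers are the ones the advisory lists; the `-MinimumUbr` parameter is a placeholder you fill from the MSRC page for your SKU, because `Get-HotFix` only reports what Win32_QuickFixEngineering knows and a later cumulative update supersedes October's, so the absence of that KB alone does not mean the system is unpatched.

```powershell
# Added example, not from the advisory. Reports whether the October 2023 update (or a later
# cumulative update, judged by build revision) is present and whether a reboot is still pending.
function Test-Cve202336790Fix {
    param(
        # KB numbers from the advisory above; add the KB for your Server SKU if needed.
        [string[]]$KnownKbs = @('KB5031356', 'KB5031354'),
        # Placeholder: the UBR (4th part of the build number) of the October 2023 LCU for this
        # SKU, taken from the MSRC advisory. 0 skips the build comparison.
        [int]$MinimumUbr = 0
    )
    $os = Get-CimInstance Win32_OperatingSystem
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = "$($cv.CurrentBuildNumber).$($cv.UBR)"

    # Get-HotFix lists installed updates as Win32_QuickFixEngineering reports them. A newer
    # cumulative update supersedes October's, so a missing KB is not proof of exposure.
    $kbHits = Get-HotFix | Where-Object { $KnownKbs -contains $_.HotFixID }

    # Reboot-pending markers written by Windows Update and Component Based Servicing
    $rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                     (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        OS            = $os.Caption
        Build         = $build
        KbInstalled   = if ($kbHits) { $kbHits.HotFixID -join ',' } else { 'not listed' }
        UbrAtOrAbove  = ($MinimumUbr -gt 0) -and ([int]$cv.UBR -ge $MinimumUbr)
        RebootPending = $rebootPending
        LastBoot      = $os.LastBootUpTime
    }
}

Test-Cve202336790Fix
```

A host is remediated when either `KbInstalled` names one of the KBs or `UbrAtOrAbove` is true, and `RebootPending` is false with `LastBoot` later than the install time.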
📡 Detection & Monitoring
Log Indicators:
- Event ID 4624 (logon type 10 for RDP) followed by privilege escalation attempts
- Unexpected SYSTEM privilege usage by non-admin users
Network Indicators:
- RDP connections from unusual IP addresses or outside business hours
- Multiple failed RDP authentication attempts
SIEM Query:
source="windows_security" event_id=4624 logon_type=10 | stats count by src_ip, user
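The same grouping as the SIEM query, run directly against a host's Security log for environments without central logging. Added example, not from the advisory; the business-hours window (07:00 to 19:00 local time) is an assumption. It keeps only LogonType 10, which is the RemoteInteractive logon the advisory's indicator refers to, and reports how many logons per source and user fell outside business hours.

```powershell
# Added example, not from the advisory. Summarises RDP logons (Event ID 4624, LogonType 10)
# from the local Security log and flags after-hours sessions. Reading the Security log
# requires an elevated session.
function Get-RdpLogonSummary {
    param(
        [int]$Hours = 24,
        [int]$BusinessStart = 7,   # assumption: 07:00-19:00 local time is business hours
        [int]$BusinessEnd   = 19
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $sessions = foreach ($e in $events) {
        # EventData fields are simplest to read from the event XML
        $data = @{}
        foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        # Type 10 = RemoteInteractive (RDP). Types 7 (unlock/reconnect) and 3 (network; NLA
        # pre-authentication) also appear around RDP sessions but are not the session logon.
        if ($data['LogonType'] -ne '10') { continue }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            SrcIp      = $data['IpAddress']
            AfterHours = ($e.TimeCreated.Hour -lt $BusinessStart -or $e.TimeCreated.Hour -ge $BusinessEnd)
        }
    }

    # Equivalent of "stats count by src_ip, user", plus the after-hours count and time span
    $sessions | Group-Object SrcIp, User | ForEach-Object {
        $ordered = $_.Group | Sort-Object Time
        [pscustomobject]@{
            SrcIp      = $_.Group[0].SrcIp
            User       = $_.Group[0].User
            Count      = $_.Count
            AfterHours = ($_.Group | Where-Object AfterHours).Count
            FirstSeen  = $ordered[0].Time
            LastSeen   = $ordered[-1].Time
        }
    } | Sort-Object Count -Descending
}

Get-RdpLogonSummary -Hours 24 | Format-Table -AutoSize
```

Rows with a source address outside the ranges you allow, or with a non-zero `AfterHours` count, are the ones to correlate with the privilege-escalation indicators listed above. Failed attempts (Event ID 4625) are worth counting separately: with Network Level Authentication enabled they are logged with LogonType 3 rather than 10, so a type-10 filter alone will not show them.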