tenable:18405 · Remote Desktop Protocol Server Man-in-the-Middle Weakness

01 · The Real Story

This is a spare master key hidden in the wall, but the thief still has to already be inside your hallway

This finding maps to CVE-2005-1794: older Microsoft RDP/Terminal Services behavior used a publicly known hard-coded RSA private key to sign the server side of the handshake, which lets an attacker spoof a legitimate RDP server during a man-in-the-middle attack. The original affected stack was Microsoft Terminal Server using RDP 5.2 and Remote Desktop Connection 5.1.2600.2180; in practice, Tenable still uses this plugin as a configuration-risk check for hosts that allow classic RDP security instead of enforcing TLS (SecurityLayer=2) or NLA.

Tenable's MEDIUM label is fair in a vacuum, but for a modern enterprise this is overstated operationally. The decisive friction is attacker position: this is not internet-to-shell or unauthenticated RCE, it is an on-path interception problem that usually assumes the adversary already owns a LAN segment, VPN edge, Wi-Fi, branch router, or other transit point; that sharply cuts the exposed population and pushes the real-world priority down to LOW.

"Real issue, but it needs an on-path attacker and legacy RDP security choices—bad hygiene, not a fire drill"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get on the RDP traffic path with bettercap or a rogue gateway

The attacker first needs to become a transparent middlebox between client and server. In practice that means ARP spoofing on a shared subnet, owning a branch firewall, abusing a Wi-Fi position, or controlling an upstream network device. Without this position, the bug is irrelevant because there is nothing to intercept.

Conditions required:

Attacker has internal network adjacency or control of a transit device
RDP traffic traverses a segment the attacker can observe and modify
Target users actually initiate RDP sessions

Where this breaks in practice:

Requires post-initial-access or physical/network proximity in most enterprises
Modern NAC, switch protections, VPNs, and segmented admin networks reduce reachability
If RDP is only available through RD Gateway or tunneled access, this step gets harder fast

Detection/coverage: Look for ARP spoofing, duplicate MAC moves, unexpected L2 churn, or firewall/NDR evidence of a host proxying TCP/3389 flows it should not own. Nessus cannot see this step; this is network telemetry territory.

STEP 02

Confirm weak RDP security with CVE-2005-1794Scanner or Nessus 18405

The attacker validates that the server still accepts classic RDP security instead of enforced TLS or NLA. Public tooling such as InitRoot/CVE-2005-1794Scanner and commercial scanners like Nessus 18405 do exactly this kind of posture check. If the host enforces TLS or requires NLA, the classic spoofing path largely dies here.

Conditions required:

RDP listener is enabled and reachable
Server does not enforce SecurityLayer=2 or NLA

Where this breaks in practice:

Many modern Windows baselines already require NLA
Admins often place RDP behind jump hosts, VPN, or Gateway instead of exposing raw listeners
This is a configuration-dependent subset, not every Windows host with port 3389 open

Detection/coverage: Excellent scanner coverage for the posture problem; weak runtime detection of hostile validation probes unless you log unusual 3389 handshakes. Remote checks can overstate exposure when RD Gateway or compensating controls sit in front.

STEP 03

Spoof the server handshake using the published key from the Montoro/oXid.it advisory

With an on-path position and a weak listener, the attacker can impersonate the RDP server during setup and establish encrypted sessions to both ends while remaining in the middle. The original RDP: The Good, the Bad and the Ugly advisory described the hard-coded signing key issue; practical proxies can be built with modified RDP tooling such as FreeRDP, xrdp, or custom PoC code.

Conditions required:

Classic RDP security is still allowed
Client trusts the handshake because server identity is not properly validated
Attacker can sustain bidirectional interception without breaking the session

Where this breaks in practice:

TLS with a trusted certificate or NLA breaks the invisible spoofing advantage
User-facing certificate warnings can reveal sloppy attacker setups
Some modern clients and paths negotiate stronger protections by default

Detection/coverage: Limited host-side visibility; success often looks like a normal RDP session. Hunt for mismatched source/destination paths, unusual certificate warnings reported by users, or parallel 3389 sessions originating from an unexpected intermediary.

STEP 04

Harvest credentials or session data and reuse them with mstsc, xfreerdp, or WinRM

The payoff is not instant code execution; it is credential theft, keystroke capture, and session interception. In an admin workflow, that can still be serious because the stolen account may be privileged and reusable elsewhere. The blast radius therefore depends more on who uses the RDP path than on the protocol bug alone.

Conditions required:

Victim authenticates through the intercepted session
Captured credentials are valid and useful beyond the single host

Where this breaks in practice:

MFA around VPN or Gateway can reduce reuse value
Tiered admin accounts and PAWs constrain the downstream blast radius
Credential Guard / Remote Credential Guard can limit what the session leaks

Detection/coverage: EDR may catch the follow-on misuse, not the interception itself. Watch for odd lateral movement after RDP admin sessions, impossible travel between source IPs, or privileged logons from hosts that are not approved jump boxes.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No authoritative evidence found that CVE-2005-1794 is in CISA KEV or under named active exploitation campaigns. This matters: absent exploitation intel, you should treat it as a hardening/configuration weakness, not an outbreak driver.
Proof-of-concept availability	Yes. The original Massimiliano Montoro / oXid.it advisory documented the technique, and public repos such as `InitRoot/CVE-2005-1794Scanner` and `Ressurect0/fluffyLogic` reference usable detection logic.
EPSS	Primary-source EPSS is available from FIRST via API, but the exact live score for this CVE was not directly retrievable in-browser during review. Third-party aggregators currently show it around 0.11459 (~11%), which is elevated for such an old issue but still not a substitute for the very real attacker-position friction.
KEV status	Not listed in the current CISA KEV mirror reviewed; there is no `dateAdded` for this CVE.
CVSS posture	Tenable scores it 6.5 / MEDIUM with `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N`; NVD/CISA enrichment describe the weakness more harshly because they model confidentiality/integrity impact in isolation. That is exactly where enterprise reassessment helps: the abstract impact is real, but the reachability is narrow.
Affected versions	Original references point to RDP 5.2 Terminal Services and Remote Desktop Connection 5.1.2600.2180. Operationally, scanners still surface it when a host allows classic RDP security rather than enforced TLS or NLA.
Fixed / safe state	There is no clean modern product-version string in the reviewed vendor docs for this finding. The practical safe state is force TLS with `SecurityLayer=2`, bind a proper Server Authentication certificate, or require NLA; Microsoft documentation treats those as the security improvements that prevent the classic MiTM scenario.
Scanning and exposure reality	There is no useful internet telemetry source that fingerprints this CVE specifically; Shodan/Censys-style counts for `3389` are not the same thing as counts for this weakness. Validate with on-host config and scanner output instead of guessing from banner exposure alone.
Disclosure	Publicly disclosed on 2005-05-28 in the Montoro/oXid.it paper; Tenable published plugin 18405 on 2005-06-01.
Researcher / reporting org	Massimiliano Montoro of oXid.it is the researcher most consistently credited across references.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.7/10)

The single biggest downgrade factor is attacker position: this weakness needs an adversary who is already on-path for RDP traffic, which usually implies prior compromise or privileged network placement. That makes it a real credential-theft risk for badly designed admin paths, but not a broad internet-scale patch emergency.

HIGH Technical mechanics of the vulnerability and mitigations

MEDIUM How often this posture still exists in modern enterprise RDP deployments

Why this verdict

Downshift 1 — requires privileged network position: unauthenticated-from-anywhere this is not. The attacker must already control a LAN/VPN/Wi-Fi/transit point or equivalent middlebox position.
Downshift 2 — exposed population is narrowed by modern baselines: if you already require NLA, force TLS, or front RDP with RD Gateway/VPN, the classic invisible spoofing path collapses.
Downshift 3 — impact is stolen trust, not instant shell: the outcome is credential/session interception and possible follow-on lateral movement, which is serious but operationally slower and narrower than one-packet RCE.

Why not higher?

It is not higher because the vulnerability chain starts with a prior access assumption: the adversary has to be on the traffic path. That prerequisite alone removes the huge exposed population you would need for a MEDIUM-to-HIGH fleet emergency, and there is no strong current exploitation signal like KEV listing or active campaign reporting to offset that friction.

Why not lower?

It is not lower because if the weak posture still exists on admin jump boxes, terminal servers, or help-desk paths, the attacker can steal credentials that matter a lot. This is also one of those findings that looks academic until it intersects with flat internal networks, branch links, unmanaged Wi-Fi, or legacy remote-access habits.

05 · Compensating Control

What to do — in priority order.

Require NLA or force TLS — Set RDP listeners to require NLA and preferably SecurityLayer=2 so the classic unauthenticated server-spoofing path is closed. For a LOW verdict there is no SLA (treat as backlog hygiene), but if you find this on privileged admin hosts, fold it into your next Windows baseline change rather than letting it drift.
Put RDP behind RD Gateway or VPN — Reduce raw listener exposure and make on-path interception materially harder by forcing users through a controlled access plane. For LOW, there is no SLA (treat as backlog hygiene), but prioritize this first anywhere RDP still crosses shared or semi-trusted networks.
Bind trusted server-auth certificates — Use certificates with the correct Server Authentication purpose and names matching what users connect to; this removes the anonymous, unverifiable server identity problem. For LOW, there is no SLA (treat as backlog hygiene), but fix admin infrastructure before general workstation use cases.
Constrain who can admin over RDP — Use tiered admin accounts, PAWs, and restricted source networks so a stolen session has less downstream value. For LOW, there is no SLA (treat as backlog hygiene), but this materially lowers blast radius even if a session were intercepted.

What doesn't work

Changing the RDP port does not fix server authentication; it only changes where the weak handshake happens.
EDR on the endpoint does not reliably stop an on-path spoofed handshake because the abuse happens in transit before the victim notices.
Training users to click through certificate warnings is worse than useless here; it conditions them to accept the exact signal that would expose a sloppy MiTM.

06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host or through PowerShell Remoting with local administrator rights. Example: powershell.exe -ExecutionPolicy Bypass -File .\check-rdp-mitm.ps1; it reads the local RDP listener config and reports VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.ps1

POWERSHELLREAD-ONLYSAFE

# check-rdp-mitm.ps1

# Purpose: Detect classic RDP MiTM exposure associated with Nessus plugin 18405 / CVE-2005-1794 posture.

# Exit codes:

#   0 = PATCHED

#   1 = VULNERABLE

#   2 = UNKNOWN


$ErrorActionPreference = 'Stop'

function Write-Result {
    param(
        [string]$State,
        [int]$Code,
        [string]$Reason
    )
    Write-Output "$State - $Reason"
    exit $Code
}

try {
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    $tsProps = Get-ItemProperty -Path $tsKey
    $rdpEnabled = $true
    if ($null -ne $tsProps.fDenyTSConnections -and [int]$tsProps.fDenyTSConnections -eq 1) {
        $rdpEnabled = $false
    }

    if (-not $rdpEnabled) {
        Write-Result -State 'PATCHED' -Code 0 -Reason 'RDP listener is disabled (fDenyTSConnections=1).'
    }

    $securityLayer = $null
    $userAuth = $null
    $sslThumb = $null
    $source = $null

    try {
        $wmi = Get-CimInstance -Namespace 'root/cimv2/terminalservices' -ClassName 'Win32_TSGeneralSetting' -Filter "TerminalName='RDP-tcp'"
        if ($wmi) {
            $securityLayer = [int]$wmi.SecurityLayer
            $userAuth = [int]$wmi.UserAuthenticationRequired
            $sslThumb = [string]$wmi.SSLCertificateSHA1Hash
            $source = 'WMI/CIM'
        }
    }
    catch {
        # fall through to registry

    }

    if ($null -eq $securityLayer -or $null -eq $userAuth) {
        $rdpProps = Get-ItemProperty -Path $rdpTcpKey
        if ($null -ne $rdpProps.SecurityLayer) { $securityLayer = [int]$rdpProps.SecurityLayer }
        if ($null -ne $rdpProps.UserAuthentication) { $userAuth = [int]$rdpProps.UserAuthentication }
        if ($null -ne $rdpProps.SSLCertificateSHA1Hash) { $sslThumb = [string]$rdpProps.SSLCertificateSHA1Hash }
        $source = 'Registry'
    }

    if ($null -eq $securityLayer -or $null -eq $userAuth) {
        Write-Result -State 'UNKNOWN' -Code 2 -Reason 'Could not read RDP SecurityLayer/UserAuthentication settings.'
    }

    $securityLayerName = switch ($securityLayer) {
        0 { 'RDP' }
        1 { 'Negotiate' }
        2 { 'TLS' }
        default { "Unknown($securityLayer)" }
    }

    $nlaEnabled = ($userAuth -eq 1)
    $tlsForced = ($securityLayer -eq 2)

    # Nessus 18405 guidance: force SSL/TLS and/or require NLA.

    # We treat the host as vulnerable when RDP is enabled and neither TLS is forced nor NLA is required.

    if (-not $tlsForced -and -not $nlaEnabled) {
        $reason = "RDP enabled; SecurityLayer=$securityLayerName; NLA disabled; config source=$source"
        if ([string]::IsNullOrWhiteSpace($sslThumb)) {
            $reason += '; no bound SSL thumbprint observed'
        }
        Write-Result -State 'VULNERABLE' -Code 1 -Reason $reason
    }

    $reason = "RDP enabled; SecurityLayer=$securityLayerName; NLA=$nlaEnabled; config source=$source"
    if (-not [string]::IsNullOrWhiteSpace($sslThumb)) {
        $reason += '; SSL certificate thumbprint present'
    }
    Write-Result -State 'PATCHED' -Code 0 -Reason $reason
}
catch {
    Write-Result -State 'UNKNOWN' -Code 2 -Reason $_.Exception.Message
}

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not treat this like a wormable RDP emergency; treat it like RDP hardening debt. For a LOW verdict there is noisgate mitigation SLA: no SLA (treat as backlog hygiene) and noisgate remediation SLA: no SLA (treat as backlog hygiene), so document the finding, validate which listeners still have NLA off / TLS not forced, and roll the fix into your next Windows security-baseline cycle—starting with jump boxes, terminal servers, help-desk targets, and any RDP path that crosses shared or semi-trusted networks.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.