tenable:58453 · Disclosed 2012-03-23

Terminal Services Doesn't

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is leaving the lobby unlocked while the offices still need badges

Tenable plugin 58453 flags Windows Remote Desktop / Terminal Services hosts that do not require Network Level Authentication (NLA). In practice, that means systems with RDP enabled where UserAuthentication=0 on HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, regardless of Windows version, can complete more of the RDP session setup before the user is authenticated.

Tenable's MEDIUM label is understandable as a security-control gap, but for enterprise patch prioritization the reality is lower. This is not memory corruption, auth bypass, or code execution by itself; it is a misconfiguration that increases pre-auth exposure and weakens RDP posture. Unless the host is internet-reachable on 3389 or sits behind a weak remote-access design, this should be treated as LOW backlog hygiene, not emergency patch work.

"Plugin 58453 is a hardening miss, not a stand-alone exploit; fix it, but don't let it jump your real patch queue."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find reachable RDP

An attacker first needs network reachability to the target's RDP service, usually TCP/3389, using tools such as masscan, nmap, or Nessus. If they can touch the service directly, they can test whether NLA is required using nmap --script rdp-enum-encryption or an RDP client handshake.
Conditions required:
  • RDP is enabled on the target
  • A route exists from the attacker to the RDP listener
  • Firewall or gateway policy allows the connection
Where this breaks in practice:
  • Most enterprises place RDP behind VPN, RD Gateway, ZTNA, or internal segmentation
  • Many endpoints never expose 3389 externally
  • NGFW policy often blocks direct inbound RDP
Detection/coverage: Strong scanner coverage. Nessus detects this remotely; nmap NSE can often identify NLA behavior; exposure management tools will also catch open 3389.
STEP 02

Exploit the missing guardrail

With NLA disabled, the server permits more of the RDP negotiation before the user is authenticated. Offensive clients like xfreerdp, rdesktop, or custom RDP tooling can interact with the service pre-auth, which increases brute-force surface, pre-auth resource consumption, and the usefulness of any separate RDP protocol weakness.
Conditions required:
  • Direct RDP connectivity
  • Server configured to not require NLA
Where this breaks in practice:
  • TLS, valid server certificates, and hardened security layers still reduce MITM practicality
  • This step does not itself grant credentials or code execution
  • Some environments front-end RDP with RD Gateway, which changes exposure materially
Detection/coverage: Partial coverage. Network telemetry can see repeated RDP session setup; Windows logs are stronger once authentication attempts begin than during pure protocol probing.
STEP 03

Abuse credentials or chain another weakness

The attacker still needs a second win: guessed credentials via hydra or Crowbar, stolen creds, or a separate RDP flaw on an unpatched system. Missing NLA is an amplifier here, not the primary exploit primitive.
Conditions required:
  • Weak, reused, or stolen credentials, or
  • A separate exploitable RDP weakness on the target
Where this breaks in practice:
  • MFA at RD Gateway breaks straightforward credential abuse
  • Account lockout and smartcard-only policies slow brute force
  • Patched systems are not made vulnerable solely by this setting
Detection/coverage: Good coverage for credential attacks: Windows 4625, gateway auth logs, lockout events, and EDR detections on repeated remote logons.
STEP 04

Land an interactive session

If valid access is obtained, the result is a normal RDP session and all the usual post-auth risks apply: lateral movement, admin tool execution, credential exposure, and persistence. Tools after access are the standard Windows tradecraft set, from mstsc and PsExec to native admin utilities.
Conditions required:
  • Valid account permitted to log on through Remote Desktop Services
  • Target role allows meaningful access
Where this breaks in practice:
  • Least privilege and jump-host models limit blast radius
  • Privileged Access Workstations and JIT/JEA reduce admin usefulness
  • EDR and session monitoring often catch follow-on tooling
Detection/coverage: High coverage. Look for 4624 logon type 10, TerminalServices session events, privilege escalation, and remote admin process chains.
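The log-side checks above as an added example (not from the page, Tenable or Microsoft): a PowerShell summariser that normalises 4624/4625 records to the fields that matter and flags a source address that fails against many accounts and then succeeds over RDP. It runs here over constructed records; the commented Get-WinEvent line shows the live feed. The failure threshold and the sample addresses are assumptions.

```powershell
# Added example: summarise RDP logon activity from Security events 4624/4625.
# Runs offline over constructed records; see the Get-WinEvent line for live data.
function ConvertFrom-LogonEvent {
    # Normalise a live 4624/4625 event: pull LogonType, account and source from its XML
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Id = $Event.Id; LogonType = [int]$d['LogonType']
                           User = $d['TargetUserName']; Source = $d['IpAddress'] }
    }
}

function Get-RdpLogonSummary {
    # Per source address: successful type-10 (RemoteInteractive) logons, failures, and a
    # spray flag. Failures are counted for type 3 as well as 10 because with NLA enabled
    # a bad password fails at CredSSP and is logged as type 3; without NLA it is type 10.
    param([object[]] $Records, [int] $FailureThreshold = 5)
    $Records |
        Where-Object { $_.LogonType -in @(3, 10) -and $_.Source -and $_.Source -ne '-' } |
        Group-Object Source |
        ForEach-Object {
            $ok   = @($_.Group | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 })
            $fail = @($_.Group | Where-Object { $_.Id -eq 4625 })
            [pscustomobject]@{
                Source        = $_.Name
                RdpLogons     = $ok.Count
                Failures      = $fail.Count
                DistinctUsers = @($fail | ForEach-Object { $_.User } | Sort-Object -Unique).Count
                # Spray pattern: many failures across accounts from one source, then a success
                Suspicious    = ($fail.Count -ge $FailureThreshold) -and ($ok.Count -gt 0)
            }
        }
}

# Live use on Windows (needs Security-log read rights): Get-WinEvent -FilterHashtable
# @{ LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddHours(-24) } | ConvertFrom-LogonEvent

# Constructed sample (documentation address ranges): one spray from 203.0.113.7 that
# ends in a successful RDP logon, and one ordinary admin logon from an internal host.
$records = @(
    foreach ($u in 'alice', 'bob', 'carol', 'dave', 'erin', 'svc-backup') {
        [pscustomobject]@{ Id = 4625; LogonType = 3; User = $u; Source = '203.0.113.7' }
    }
    [pscustomobject]@{ Id = 4624; LogonType = 10; User = 'svc-backup'; Source = '203.0.113.7' }
    [pscustomobject]@{ Id = 4624; LogonType = 10; User = 'admin1'; Source = '10.0.5.20' }
)
Get-RdpLogonSummary -Records $records | Format-Table -AutoSize
```

On the sample, 203.0.113.7 reports six failures across six accounts plus one type-10 success and is marked Suspicious; 10.0.5.20 reports one logon, no failures, and is not.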
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No known CISA KEV entry applies because this is a Nessus configuration finding, not a CVE. There is no discrete exploit campaign attributable to plugin 58453 alone.
Proof-of-concept availability: No stand-alone exploit PoC exists because there is no single software flaw to weaponize. Relevant offensive tooling is generic RDP tradecraft: nmap (rdp-enum-encryption), xfreerdp, hydra, and Crowbar.
EPSS: N/A. EPSS is CVE-based, and plugin 58453 is a posture finding rather than a CVE-tracked vulnerability.
KEV status: N/A. There is no CVE identifier, therefore no KEV listing or KEV due date.
Vendor severity / score: Tenable rates it MEDIUM with manual scoring based on a security feature: CVSS v3 4.0 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N); Tenable also lists CVSS v2 4.3.
Affected range: Any Windows system with RDP/Terminal Services enabled and not requiring NLA, typically UserAuthentication=0 under RDP-Tcp. This is a configuration state, not a version-bounded bug.
Fixed state: There is no patch version. The fix is to require NLA via local settings, GPO, or MDM policy: *Require user authentication for remote connections by using Network Level Authentication*.
Exposure reality: Risk rises sharply only when 3389 is directly reachable from untrusted networks. If RDP is internal-only or fronted by RD Gateway/VPN/ZTNA, the reachable population drops hard and so should priority.
Detection coverage: Tenable has direct remote coverage via plugin 58453. Defenders can verify locally by reading HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication.
Disclosure / provenance: Tenable published plugin 58453 on 2012-03-23. The underlying control guidance comes from Microsoft Remote Desktop / NLA documentation and CredSSP hardening guidance.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (2.9/10)

The decisive factor is that missing NLA does not create compromise by itself; the attacker still needs reachable RDP plus credentials or another RDP bug. That combination makes this a posture weakness with environment-dependent risk, not a front-of-queue patch event for a 10,000-host estate.

HIGH: Downgrade from vendor MEDIUM to operational LOW for default enterprise prioritization
MEDIUM: Risk increases materially if any affected hosts expose direct inbound RDP to the internet

Why this verdict

  • Not a software exploit: plugin 58453 reports a missing control, not RCE, auth bypass, or privilege escalation. That alone pushes the score down from Tenable's baseline.
  • Requires attacker position first: the attacker needs network reachability to RDP. In real enterprises that usually implies VPN access, internal foothold, or a specifically exposed admin service — all of which narrow reachable population.
  • Still needs a second win: absent NLA does not authenticate the attacker. They still need valid credentials, password spray success, or some other RDP weakness, and modern controls like RD Gateway, MFA, account lockout, and EDR commonly break that chain.

Why not higher?

This is not equivalent to BlueKeep-style pre-auth code execution. The blast radius is heavily gated by whether RDP is reachable at all and whether the environment allows direct password-based RDP without stronger controls. In most mature enterprises, those prerequisites are exactly where the chain dies.

Why not lower?

It is still a real security regression. Disabling NLA expands pre-auth attack surface, weakens server-authentication posture, and makes exposed RDP easier to abuse or chain with credential attacks. On externally reachable RDP systems, this finding deserves manual escalation even if the default portfolio score stays LOW.

05 · Compensating Control

What to do — in priority order.

  1. Enforce NLA by policy — Set the Windows policy to require NLA for all managed RDP endpoints and verify UserAuthentication=1. Because the reassessed verdict is LOW, there is no SLA — treat this as backlog hygiene unless the host is internet-facing, in which case accelerate outside the baseline rating.
  2. Remove direct RDP exposure — Push remote administration behind RD Gateway, VPN, or ZTNA so the attacker cannot reach raw 3389 from untrusted networks. For a LOW verdict there is no SLA, but internet-exposed exceptions should be corrected immediately as an architectural defect.
  3. Require MFA at the entry point — Where RDP is still needed, put MFA on RD Gateway or the remote-access control plane so credential theft or spraying does not turn this misconfiguration into an incident. Baseline timing is backlog hygiene because LOW carries no SLA.
  4. Monitor type 10 logons and failed RDP auth — Alert on Windows 4624 logon type 10, 4625 failures, lockouts, and unusual RDP session creation so exposed exceptions are watched even before reconfiguration is complete. For LOW, this is hygiene work rather than an SLA-bound mitigation.
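Step 1's enforce-and-verify work as an added PowerShell example (not noisgate's payload and not a Microsoft tool): it pins the policy value the NLA GPO writes, pushes the setting to the live RDP-Tcp listener through the Win32_TSGeneralSetting CIM class, and re-reads the value plugin 58453 checks. The policy registry path is an assumption taken from that policy's ADMX mapping, and the script name is ours.

```powershell
# Enforce-RdpNla.ps1 (added example, not the noisgate payload or a Microsoft tool).
# Needs local administrator rights; -WhatIf reports what would change without changing it.
[CmdletBinding(SupportsShouldProcess = $true)]
param()
$ErrorActionPreference = 'Stop'

# Per-listener value that plugin 58453 and Test-RdpNla.ps1 read (1 = NLA required)
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Policy value written by "Require user authentication for remote connections by using
# Network Level Authentication"; setting it pins the choice even if a local admin later
# toggles the listener. Path assumed from that policy's ADMX registry mapping.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpNlaState {
    # Effective listener values as one object
    $p = Get-ItemProperty -Path $listenerKey
    $layer = if ($null -ne $p.SecurityLayer) { [int]$p.SecurityLayer } else { -1 }
    [pscustomobject]@{ UserAuthentication = [int]$p.UserAuthentication; SecurityLayer = $layer }
}

$before = Get-RdpNlaState
Write-Output ('Before: UserAuthentication={0} SecurityLayer={1}' -f $before.UserAuthentication, $before.SecurityLayer)

if ($before.UserAuthentication -ne 1) {
    if ($PSCmdlet.ShouldProcess($policyKey, 'Set UserAuthentication=1 (policy)')) {
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name UserAuthentication -Value 1 -Type DWord
    }
    # Apply to the running listener through the Terminal Services CIM class so the
    # change is live immediately rather than after a reboot or gpupdate.
    $ts = Get-CimInstance -Namespace 'root/CIMV2/TerminalServices' -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if ($PSCmdlet.ShouldProcess('RDP-Tcp listener', 'SetUserAuthenticationRequired(1)')) {
        $r = Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired -Arguments @{ UserAuthenticationRequired = 1 }
        if ($r.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired returned $($r.ReturnValue)" }
    }
}

# Re-read the same value the scanner looks at; exit 1 means still not enforced
# (also the case after a -WhatIf run, since nothing was changed).
$after = Get-RdpNlaState
Write-Output ('After:  UserAuthentication={0} SecurityLayer={1}' -f $after.UserAuthentication, $after.SecurityLayer)
if ($after.UserAuthentication -eq 1) { exit 0 } else { exit 1 }
```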
What doesn't work
  • Monthly patching alone doesn't help because there is no vendor patch that magically re-enables NLA; this is a configuration problem.
  • EDR alone won't stop unauthenticated RDP negotiation at the network edge and often sees the problem only after authentication attempts or session launch.
  • Strong passwords alone are not enough if direct RDP exposure remains; lack of NLA still broadens the reachable pre-auth surface and makes credential attacks more attractive.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host or via your endpoint management tool with local administrator or equivalent registry-read rights. Save as Test-RdpNla.ps1 and run powershell -ExecutionPolicy Bypass -File .\Test-RdpNla.ps1; it prints VULNERABLE, PATCHED, or UNKNOWN and returns exit code 1, 0, or 2.

noisgate-verify.ps1 (PowerShell · read-only · safe)
# Test-RdpNla.ps1
# Checks whether Windows RDP requires Network Level Authentication (NLA).
# Exit codes:
#   0 = PATCHED   (NLA required)
#   1 = VULNERABLE (NLA not required)
#   2 = UNKNOWN   (cannot determine / RDP not installed / access issue)

$ErrorActionPreference = 'Stop'
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

try {
    if (-not (Test-Path $regPath)) {
        Write-Output 'UNKNOWN - RDP-Tcp registry path not found'
        exit 2
    }

    $props = Get-ItemProperty -Path $regPath

    if ($null -eq $props.UserAuthentication) {
        Write-Output 'UNKNOWN - UserAuthentication value missing'
        exit 2
    }

    $userAuth = [int]$props.UserAuthentication
    $securityLayer = if ($null -ne $props.SecurityLayer) { [int]$props.SecurityLayer } else { -1 }
    $portNumber = if ($null -ne $props.PortNumber) { [int]$props.PortNumber } else { 3389 }

    if ($userAuth -eq 1) {
        Write-Output ("PATCHED - NLA required (UserAuthentication=1, SecurityLayer={0}, Port={1})" -f $securityLayer, $portNumber)
        exit 0
    }
    elseif ($userAuth -eq 0) {
        Write-Output ("VULNERABLE - NLA not required (UserAuthentication=0, SecurityLayer={0}, Port={1})" -f $securityLayer, $portNumber)
        exit 1
    }
    else {
        Write-Output ("UNKNOWN - Unexpected UserAuthentication value: {0}" -f $userAuth)
        exit 2
    }
}
catch {
    Write-Output ('UNKNOWN - ' + $_.Exception.Message)
    exit 2
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: do not treat plugin 58453 like a real patch emergency across the fleet. Triage it as an RDP hardening backlog item, then immediately carve out any exception set where 3389 is externally reachable or bypasses RD Gateway/VPN controls. For the default LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA — treat as backlog hygiene; standardize NLA enforcement through GPO/MDM and close the item during your normal remote-access hardening cycle. If you discover any internet-exposed affected hosts, override the baseline and fix those first outside the generic LOW queue.

Sources

  1. Tenable Nessus Plugin 58453
  2. Microsoft Learn - Enable Remote Desktop on your PC
  3. Microsoft Learn - UserAuthentication setting for RDP
  4. Microsoft Learn - RemoteDesktopServices Policy CSP
  5. Microsoft Support - CredSSP updates for CVE-2018-0886
  6. Microsoft Learn - Remote Desktop Services overview
  7. Microsoft Learn - Remote Credential Guard
  8. Microsoft Learn - Troubleshoot authentication errors when you use RDP to connect to Azure VM