
CVE-2019-0708

Critical · CVSS 9.8 · EPSS 100.0% · CISA KEV · CWE-416 · Use After Free

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

Published

Community ground truth

Community verdict

2 verdicts
Not a real issue

Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.


Community real-world severity: Critical (Critical 1 · High 1) — CVSS base score 9.8

In line with its CVSS base score.

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

  • 0
    Field note · Tomáš Novák · Curated

    Pre-auth RCE in RDP, genuinely wormable — but reliable exploitation took real effort and public exploits were crash-prone for a while. Conditional in the sense that you need RDP exposed and NLA off. Where those hold, it's critical.

  • 0
    Remediation · Hanna Berg · Curated

    Patch, enable Network Level Authentication (blocks pre-auth reach), and get RDP off the public internet behind a VPN/jump host.