CVE-2012-0002

Windows RDP - Remote Code Execution via Crafted RDP Packets

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2012-0002. PoCs published by Luigi Auriemma, zhangkaibin0921, Luigi Auriemma, Daniel Godas-Lopez, s pastie, ,, ,, including Metasploit module auxiliary/dos/windows/rdp/ms12_020_maxchannelids.

AI-analyzed exploit summary This is a proof-of-concept exploit for CVE-2012-0002, targeting a use-after-free vulnerability in Microsoft Terminal Services / Remote Desktop Services. The exploit triggers the vulnerability by sending a malformed T.125 ConnectMCSPDU packet with a maxChannelIds field set to a value less than or equal to 5, potentially leading to remote code execution.

Description

The Remote Desktop Protocol (RDP) implementation in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly process packets in memory, which allows remote attackers to execute arbitrary code by sending crafted RDP packets triggering access to an object that (1) was not properly initialized or (2) is deleted, aka "Remote Desktop Protocol Vulnerability."

Exploits (4)

exploitdb WORKING POC VERIFIED

by Luigi Auriemma · textdoswindows

https://www.exploit-db.com/exploits/18606

View Code ZIP pw:eip

This is a proof-of-concept exploit for CVE-2012-0002, targeting a use-after-free vulnerability in Microsoft Terminal Services / Remote Desktop Services. The exploit triggers the vulnerability by sending a malformed T.125 ConnectMCSPDU packet with a maxChannelIds field set to a value less than or equal to 5, potentially leading to remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Racy

Target: Microsoft Terminal Services / Remote Desktop Services (pre-March 2012 patches)

No auth needed

Prerequisites: Network access to port 3389 on the target system

MITRE ATT&CK

T1189 - Drive-by Compromise T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER

by zhangkaibin0921 · poc

https://github.com/zhangkaibin0921/MS12-020-CVE-2012-0002

View Code ZIP pw:eip

This repository contains a Go-based scanner for CVE-2012-0002, a vulnerability in Microsoft Remote Desktop Protocol (RDP). The code checks for the presence of the vulnerability by sending crafted RDP packets and analyzing responses, without executing a full exploit.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows RDP (affected versions include Windows XP, Windows Server 2008 R2)

No auth needed

Prerequisites: Network access to target RDP service (port 3389)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC

by Luigi Auriemma, Daniel Godas-Lopez, s pastie, ,, , · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb

View Code ZIP pw:eip

This Metasploit module exploits a use-after-free vulnerability in Microsoft Remote Desktop (RDP) by sending a malformed T.125 ConnectMCSPDU packet with an invalid maxChannelIDs field, causing a denial-of-service (DoS) condition.

Classification

Working Poc 100%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Remote Desktop (RDP) affected by MS12-020

No auth needed

Prerequisites: Network access to the target's RDP port (3389)

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit SCANNER

by Royce Davis · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/rdp/ms12_020_check.rb

View Code ZIP pw:eip

This Metasploit module checks for the MS12-020 vulnerability in Microsoft Remote Desktop Protocol (RDP) by sending crafted packets and analyzing responses. It does not exploit the vulnerability but confirms its presence.

Classification

Scanner 100%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Remote Desktop Protocol (RDP) affected by MS12-020

No auth needed

Prerequisites: Network access to the target RDP service (port 3389)

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Various Sources x_refsource_misc

http://blogs.quickheal.com/remote-desktop-protocol-vulnerability-cve-2012-0002-not-dead-yet/

Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-020

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14623

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id?1026790

US Government Resource third-party-advisory x_refsource_cert

http://www.us-cert.gov/cas/techalerts/TA12-073A.html

Scores

EPSS 0.8738

EPSS Percentile 99.5%

Details

CWE

CWE-94

Status published

Products (6)

microsoft/windows_7 (4 CPE variants)

microsoft/windows_server_2003

microsoft/windows_server_2008 (3 CPE variants)

microsoft/windows_server_2008 r2 (2 CPE variants)

microsoft/windows_vista

microsoft/windows_xp (2 CPE variants)

Published Mar 13, 2012

Tracked Since Feb 18, 2026