CVE-2018-0886

HIGH

Microsoft Windows - Remote Code Execution via CredSSP Authentication

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2018-0886. PoCs published by Preempt, qazbnm456, preempt.

AI-analyzed exploit summary This exploit leverages a man-in-the-middle attack against CredSSP to achieve remote code execution by relaying authentication. It requires a modified version of the rdpy library and a custom-generated certificate.

Description

The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709 Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates request during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".

Exploits (4)

exploitdb WORKING POC

by Preempt · remotewindows

https://www.exploit-db.com/exploits/44453

View Code ZIP pw:eip

This exploit leverages a man-in-the-middle attack against CredSSP to achieve remote code execution by relaying authentication. It requires a modified version of the rdpy library and a custom-generated certificate.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows CredSSP (pre-patch for CVE-2018-0886)

No auth needed

Prerequisites: Ubuntu 16.04 environment · Custom certificate for Server Authentication · Modified rdpy library

MITRE ATT&CK

T1189 - Drive-by Compromise T1557 - Adversary-in-the-Middle

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WRITEUP 3,480 stars

by qazbnm456 · poc

https://github.com/qazbnm456/awesome-cve-poc/tree/master/CVE-2018-0886.md

View Code ZIP pw:eip

This repository provides a technical writeup and references for CVE-2018-0886, a vulnerability in the Credential Security Support Provider protocol (CredSSP) used in MS-RDP. It includes links to the original research and a PoC repository but does not contain exploit code itself.

Classification

Writeup 90%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Theoretical

Target: Microsoft Windows (CredSSP in MS-RDP)

No auth needed

Prerequisites: Network access to target system · CredSSP protocol enabled

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC 269 stars

by preempt · poc

https://github.com/preempt/credssp

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2018-0886, which targets a vulnerability in the Credential Security Support Provider protocol (CredSSP) used in Remote Desktop Protocol (RDP). The exploit generates a malicious certificate to achieve remote code execution (RCE) on the target system.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows CredSSP (Remote Desktop Protocol)

No auth needed

Prerequisites: A valid certificate for Server Authentication · Python environment with specific dependencies (e.g., rdpy, impacket) · Network access to the target server

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WRITEUP 14 stars

by xbl3 · poc

https://github.com/xbl3/awesome-cve-poc_qazbnm456/tree/master/CVE-2018-0886.md

View Code ZIP pw:eip

This repository provides a technical writeup and references for CVE-2018-0886, a vulnerability in Microsoft's Credential Security Support Provider protocol (CredSSP). It includes links to the original research and a PoC repository but does not contain direct exploit code.

Classification

Writeup 90%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows CredSSP

No auth needed

Prerequisites: Network access to target system · CredSSP protocol usage

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (7)

Core 7

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1040506

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/103265

Third Party Advisory, US Government Resource x_refsource_misc

https://ics-cert.us-cert.gov/advisories/ICSA-18-198-03

Patch, Vendor Advisory x_refsource_confirm

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0886

Exploit, Third Party Advisory x_refsource_misc

https://blog.preempt.com/security-advisory-credssp

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44453/

Exploit, Third Party Advisory x_refsource_misc

https://github.com/preempt/credssp

Scores

CVSS v3 7.0

EPSS 0.8246

EPSS Percentile 99.6%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-287

Status published

Products (16)

microsoft/windows_10

microsoft/windows_10 1511

microsoft/windows_10 1607

microsoft/windows_10 1703

microsoft/windows_10 1709

microsoft/windows_10 1803

microsoft/windows_7

microsoft/windows_8.1

microsoft/windows_rt_8.1

microsoft/windows_server_2008

... and 6 more

Published Mar 14, 2018

Tracked Since Feb 18, 2026