CVE-2019-0887

HIGH

Remote Desktop Client < 1.2.2691 - Authenticated Remote Code Execution via Clipboard Redirection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-0887. PoCs published by t43Wiu6, qianshuidewajueji.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2019-0887, which leverages DLL hooking to manipulate file operations and clipboard data, demonstrating privilege escalation via a malicious DLL injection technique.

Description

A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an authenticated attacker abuses clipboard redirection, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

Exploits (2)

nomisec WORKING POC 18 stars

by t43Wiu6 · poc

https://github.com/t43Wiu6/CVE-2019-0887

View Code ZIP pw:eip

This repository contains a functional proof-of-concept exploit for CVE-2019-0887, which leverages DLL hooking to manipulate file operations and clipboard data, demonstrating privilege escalation via a malicious DLL injection technique.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows (specific versions affected by CVE-2019-0887)

No auth needed

Prerequisites: Administrative or SYSTEM privileges to inject the DLL · Target system vulnerable to CVE-2019-0887

MITRE ATT&CK

T1055 - Process Injection T1548.002 - Bypass User Account Control

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 11 stars

by qianshuidewajueji · poc

https://github.com/qianshuidewajueji/CVE-2019-0887

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2019-0887, which leverages a path traversal vulnerability in Windows to achieve local privilege escalation. The exploit uses DLL injection and API hooking to manipulate file paths and execute arbitrary commands.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows (multiple versions)

No auth needed

Prerequisites: Local access to the target system · Ability to load a malicious DLL

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1055 - Process Injection

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/108964

Patch, Vendor Advisory x_refsource_misc

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0887

Technical Description, Third Party Advisory x_refsource_misc

https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/

Technical Description, Third Party Advisory x_refsource_misc

https://research.checkpoint.com/reverse-rdp-the-hyper-v-connection/

Scores

CVSS v3 8.0

EPSS 0.6815

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (20)

microsoft/remote_desktop_client < 1.2.2691

microsoft/windows_10

microsoft/windows_10 1607

microsoft/windows_10 1703

microsoft/windows_10 1709

microsoft/windows_10 1803

microsoft/windows_10 1809

microsoft/windows_10 1903

microsoft/windows_11_21h2 10.0.22000.376

microsoft/windows_7

... and 10 more

Published Jul 15, 2019

Tracked Since Feb 18, 2026