Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness

medium Nessus Plugin ID 18405
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


It may be possible to get access to the remote host.


The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man-in-the-middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials.

This flaw exists because the RDP server stores a hard-coded RSA private key in the mstlsapi.dll library. Any local user with access to this file (on any Windows system) can retrieve the key and use it for this attack.


- Force the use of SSL as a transport layer for this service if supported, or/and

- Select the 'Allow connections only from computers running Remote Desktop with Network Level Authentication' setting if it is available.

See Also

Plugin Details

Severity: Medium

ID: 18405

File Name: tssvc_mim.nasl

Version: 1.32

Type: remote

Agent: windows

Family: Windows

Published: 6/1/2005

Updated: 3/30/2021

Dependencies: windows_terminal_services.nasl, os_fingerprint_rdp.nbin, fips_rdp.nbin, rdp_credssp_detect.nbin

Risk Information

CVSS Score Source: CVE-2005-1794


Risk Factor: Medium

Score: 4


Risk Factor: Medium

Base Score: 5.1

Temporal Score: 3.8

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:2.3:a:microsoft:remote_desktop_connection:*:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:windows_terminal_services_using_rdp:*:*:*:*:*:*:*:*

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/28/2005

Reference Information

CVE: CVE-2005-1794

BID: 13818