CVE-2019-9510

Microsoft Windows RDP can bypass the Windows lock screen

Description

A vulnerability in Microsoft Windows 10 1803 and Windows Server 2019 and later systems can allow authenticated RDP-connected clients to gain access to user sessions without needing to interact with the Windows lock screen. Should a network anomaly trigger a temporary RDP disconnect, Automatic Reconnection of the RDP session will be restored to an unlocked state, regardless of how the remote system was left. By interrupting network connectivity of a system, an attacker with access to a system being used as a Windows RDP client can gain access to a connected remote system, regardless of whether or not the remote system was locked. This issue affects Microsoft Windows 10, version 1803 and later, and Microsoft Windows Server 2019, version 2019 and later.

Remediation

Workaround:

  • Disable RDP automatic reconnection on RDP servers. Disconnect RDP sessions instead of locking them.

Categories

5.3
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.73% Top 30%
Vendor Advisory microsoft.com Vendor Advisory microsoft.com
Affected: Microsoft Windows 10 or newer system using RDP
Affected: Microsoft Windows Server
Published at:
Updated at:

References

Link Tags
https://www.kb.cert.org/vuls/id/576688/ third party advisory us government resource
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713%28v=ws.11%29
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e729948a-3f4e-4568-9aef-d355e30b5389 patch vendor advisory
https://social.technet.microsoft.com/Forums/windowsserver/en-US/1fd171de-a1b5-4721-86bf-082e4a375049/rds-2019-but-probably-other-versions-as-well-locked-rdp-session-logs-in-after-session-reconnect patch vendor advisory

Frequently Asked Questions

What is the severity of CVE-2019-9510?
CVE-2019-9510 has been scored as a medium severity vulnerability.
How to fix CVE-2019-9510?
As a workaround for remediating CVE-2019-9510: Disable RDP automatic reconnection on RDP servers. Disconnect RDP sessions instead of locking them.
Is CVE-2019-9510 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2019-9510 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-9510?
CVE-2019-9510 affects Microsoft Windows 10 or newer system using RDP, Microsoft Windows Server.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.