Exploit (PoC) is now available for the remote code execution vulnerability (CVE-2018-0886) in MS Windows. Applying 03/2018 Patch is not enough.Using non-privileged accounts is also recommended.

Discovered by researchers at Cybersecurity firm Preempt Security, the issue (CVE-2018-0886) is a logical cryptographic flaw in CredSSP that can be exploited by a man-in-the-middle attacker with Wi-Fi or physical access to the network to steal session authentication data and perform a Remote Procedure Call attack


When a client and server authenticate over RDP and WinRM connection protocols, a man-in-the-middle attacker can execute remote commands to compromise enterprise networks.

Though researchers also warned that patching alone is not sufficient to prevent this attack, IT professionals are also required to make some configuration to apply the patch and be protected.

Blocking the relevant application ports including RDP and DCE/RPC would also thwart the attack, but researchers say this attack could even be implemented in different ways, using different protocols.

It is a good idea to decrease the use of privileged account as much as possible and instead use non-privileged accounts whenever applicable.


https://thehackernews.com/2018/03/credssp-rdp-exploit.html