Full Report
Report reveals common password use in RDP attacks, highlighting weak credentials remain a major security flaw
Analysis Summary
This article details findings from a research report by Specops concerning common passwords used in attacks targeting Remote Desktop Protocol (RDP). It is not a traditional vulnerability report detailing a specific software flaw (CVE), but rather highlights a pervasive configuration/operational risk.
# Vulnerability: Widespread Use of Weak Passwords Against Exposed RDP Services
## CVE Details
- CVE ID: N/A (This is an operational risk/threat intelligence summary, not a specific CVE.)
- CVSS Score: N/A
- CWE: CWE-798 (Use of Hard-coded Passwords) or CWE-521 (Weak Password Requirements) are conceptually related, but the core issue is improper credential hygiene.
## Affected Systems
- Products: Remote Desktop Protocol (RDP) exposed to the public internet (default port TCP 3389).
- Versions: All versions of operating systems/servers utilizing RDP that have weak or commonly predicted credentials configured.
- Configurations: Systems where RDP is externally accessible, making them vulnerable to brute-force or password-spraying attacks.
## Vulnerability Description
The fundamental weakness being exploited is the reliance on easily guessable, common passwords for user accounts secured by RDP authentication. Specops analyzed NTLMv2 password hashes captured via their honeypot network between late 2024 and March 2025. Attackers are successfully cracking these weak credentials, enabling them to gain unauthorized access to exposed RDP endpoints.
The analysis found that attackers frequently rely on basic numeric sequences and non-complex variations of the word "password."
## Exploitation
- Status: Exploited in the wild (via brute force/password spraying against exposed RDP).
- Complexity: Low (Relies solely on guessing or spraying common credentials).
- Attack Vector: Network (TCP port 3389 scanning and attack).
## Impact
- Confidentiality: High (Successful login allows access to remote systems and potentially organizational data).
- Integrity: High (If an attacker gains access, they can modify or delete data/configurations).
- Availability: Medium to High (Successful infection via RDP often leads to ransomware deployment, disrupting availability).
## Remediation
### Patches
- N/A (No specific software patch addresses weak user passwords; this is a configuration/policy issue).
### Workarounds
1. **Network Access Control:** Restrict RDP access using firewalls, only permitting connections from known static IP addresses or corporate VPNs.
2. **Multi-Factor Authentication (MFA):** Enforce MFA on all RDP login attempts, which renders stolen or guessed passwords significantly less useful.
3. **Account Lockout Policies:** Implement strict account lockout policies to slow down brute-force attempts.
4. **Credential Management:** Immediately retire all commonly observed weak passwords identified in the report (e.g., 123456, Password1, P@ssw0rd).
## Detection
- Indicators of Compromise: High volume of failed login attempts against TCP/3389 from external sources, especially utilizing common password lists.
- Detection Methods and Tools: Monitor RDP authentication logs (Security Event Log ID 4625 for logon failures) for patterns characteristic of password spraying or brute-forcing. Use intrusion detection systems (IDS) to flag mass connection attempts against port 3389.
## References
- Vendor Advisories: Specops Security Report (Details likely available on their blog/website, search for "Specops RDP password report March 2025").
- Relevant links: infosecurity-magazine-com/news/common-passwords-rdp-attacks/ (defanged)