May 02, 2025 07:00:00

It is possible to log in with an old password that has already been changed using the Windows Remote Desktop Protocol, and since Microsoft has made it an official specification, it is pointed out that it will become a permanent backdoor

It has become clear that Windows

Remote Desktop Protocol (RDP) allows users to log in even with old passwords that have already been changed. Since Microsoft has stated that this is an 'official specification' and that it has no intention of changing it, security experts have pointed out that this is a 'permanently existing backdoor.'

Windows RDP lets you log in using revoked passwords. Microsoft is OK with that. - Ars Technica
https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/

Changing your password is the first step to take if your password is leaked or your credentials are compromised. Everyone would think that changing your password would prevent you from accessing your device or account. However, it has been revealed that Windows RDP (a mechanism unique to Windows that allows remote users to log in and operate as if they were accessing the machine directly) continues to trust the previous password even after the user has changed it. Microsoft has also described this specification as 'official design to prevent users from being logged out' and has stated that they have no plans to change it.

The RDP vulnerability was discovered by independent security researcher Daniel Wade, who reported it to the Microsoft Security Response Center (MSRC) in early April 2025. Wade detailed the steps to reproduce the vulnerability and warned MSRC that changing the password does not in any way prevent access to associated devices or accounts.

'This is not just a bug -- it's a breakdown in trust,' Wade wrote in the report. 'People believe that changing their passwords will stop unauthorized access.'

In response to Wade's point, Microsoft explained that this behavior is 'a design decision to ensure that at least one user account can always log in, no matter how long the system has been offline. ' Microsoft has no plans to fix this behavior because it does not meet the definition of a security vulnerability.

The 'ability to log in via RDP using a changed password' feature is available when the Windows terminal signed in with a Microsoft account or Azure account has remote desktop access enabled.

Not only can users log into their Microsoft or Azure accounts over RDP using a dedicated password that is matched against locally stored credentials, but they can also log into these accounts using the credentials of the online account they used to sign in to the device.

According to Wade, there are cases where multiple old passwords are valid, but the new password is not. This allows persistent RDP access that circumvents cloud authentication, multi-factor authentication, and

conditional access policies . Regarding this specification, Wade pointed out that 'If a Microsoft account or Azure account is compromised, it is possible to carry out a cyber attack that can lead to significant losses by exploiting the RDP specification.'

If your credentials have been compromised, the first thing you should do is change your password to prevent them from being used to access sensitive information. Changing your password will prevent attackers from logging into your Microsoft or Azure accounts, but they will still be able to use your old password to access your Windows machine via RDP.

Wade said this feature of RDP 'is like silently creating a remote back door on any system where a password has ever been cached.'

Will Dorman, a senior vulnerability analyst at security firm Analygence, said, 'From a security perspective, this doesn't make sense. If I'm a systems administrator, I expect that the minute I change the password on an account, the old credentials for that account don't work anywhere. But that's not the case in reality,' questioning the RDP specification.

The reason why RDP allows you to log in with an old password is because it caches the credentials on the local machine's hard drive. When a user logs in for the first time with their Microsoft or Azure account credentials, RDP checks the validity of the password online. After that, Windows stores the credentials on the local machine in an encrypted format, and from then on, it only validates the locally stored credentials against the password entered during login, but does not validate online. This allows you to log in with an old, changed password.

In response to Wade's report, Microsoft added the following note to the official RDP topic :

Notes

When a user performs a local logon, their credentials are validated locally against the cached copy before being authenticated over the network by the identity provider. If the cache validation is successful, the user can access the desktop even if the device is offline. However, if the user changes their password in the cloud, the cached credentials are not updated, which means that they can still access the local computer by using the old password.

However, Dorman pointed out that Microsoft's warnings are not clear enough for most administrators to see, and criticized Microsoft's response for not being clear on the steps users should take to lock down RDP if their Microsoft or Azure accounts are compromised. The only solution is to configure RDP to authenticate only with locally stored credentials.

According to a Microsoft spokesperson, Wade is not the first to report the RDP specification as a vulnerability.