Cybersecurity experts have discovered a new exploit leveraging the Remote Desktop Protocol (RDP), a widely used tool for remote access to Windows systems. The exploit arises from the improper handling and storage of RDP bitmap cache files, which are designed to enhance performance during remote desktop sessions. These files store graphical elements and screen data from the remote session on the client’s local machine, but attackers have weaponized this feature to gain unauthorized access to sensitive user activities, such as browser sessions, login credentials, and executed commands. By analyzing and reconstructing these bitmap fragments, attackers can gain detailed insights into users’ actions, effectively “looking over their shoulder” during a session.
The exploit’s functionality depends on persistent bitmap caching, which is enabled by default in RDP clients like mstsc.exe. These cached files store fragments of the remote session’s screen, and attackers can extract and piece them together using specialized tools like BMC-Tools and RdpCacheStitcher. Once attackers have gathered enough fragments, they can reconstruct entire screens showing terminal commands, sensitive browser activities, and file system actions. This enables them to gather actionable intelligence, escalate privileges, and further compromise the network by spreading malware or stealing sensitive credentials.
The impact of this exploit is especially severe in enterprise environments, where RDP is widely used for managing multiple machines and systems.
In one case, attackers exploited the vulnerability to target service providers managing client systems remotely, exfiltrating sensitive data and spreading malware. The risk extends to regular users as well, but organizations are particularly vulnerable due to the high volume of sensitive connections and data transferred during remote sessions. Malicious actors can use the reconstructed data for phishing attacks, deploying ransomware, or simply monitoring user activities without detection.
To mitigate the risk of this exploit, cybersecurity experts recommend several defensive measures. Disabling persistent bitmap caching in RDP clients, using Virtual Private Networks (VPNs) and firewalls to secure RDP connections, and monitoring RDP sessions for unusual activity can help protect against this threat. Additionally, limiting RDP usage to necessary tasks and applying regular system updates can further reduce the risk of exploitation. As remote and hybrid work models become more prevalent, securing RDP connections has become an essential priority for organizations to prevent significant cybersecurity threats.
