Cybersecurity firm Preempt Security Inc. today detailed a critical vulnerability in the code used in Microsoft Corp.’s Remote Desktop and WinRM that allows attackers to steal data and run remote code.

The vulnerability pertains to a logic flaw in Credential Security Support Provider protocol, known as CredSSP, Microsoft code that lets an application delegate a user’s credentials from the client to the target server for remote authentication. Hackers can set up a man-in-the-middle attack, waiting for a CredSSP session to occur and then stealing the session authentication data and performing a Remote Procedure Call attack.

Microsoft today issued a patch for the vulnerability during its Patch Tuesday release.

“The attack enables remote code execution and while being mathematically and technically complex, it is very easy to utilize and has nearly 100 percent success,” a spokesperson for Preempt told SiliconANGLE. “In addition, it has the potential to impact the millions of networks relying on Windows authentication protocols to secure their logins and, consequently, their network’s integrity.”

The potential of the vulnerability to be used to compromise enterprise networks gets worse: Preempt said an attack using it could be mounted over Wi-Fi or through physical access.

“This vulnerability is a big deal, and while no attacks have been detected in the wild, there are a few real-world situations where attacks can occur,” said Roman Blachman, chief technology officer and co-founder at Preempt. “Ensuring that your workstations are patched is the logical, first step to preventing this threat. It’s important for organizations to use real-time threat response solutions to mitigate these types of threats.”

The good news is that organizations can protect themselves from this kind of attack. Putting aside the obvious, such as making sure software is up-to-date, Preempt recommended that enterprises block the relevant application ports (RDP, DCE/RPC), reduce privileged account usage as much as possible and use nonprivileged accounts whenever applicable.

Microsoft itself has issued a security warning, called CVE-2018- 0886, with more details of the vulnerability and details on how to patch it.

Image: Preempt