Microsoft has confirmed it will not address a major security flaw in its Remote Desktop Protocol (RDP) that allows continued system access using revoked passwords, raising serious cybersecurity concerns.
Independent security researcher Daniel Wade recently uncovered that RDP, Microsoft's built-in remote connection technology, continues to accept old passwords stored in local system caches even after they have been changed or revoked by administrators. This behavior affects all Windows versions since Windows NT 4.0.
The flaw fundamentally undermines the standard security expectation that a password change immediately terminates all previous access. "People trust that changing their password will cut off unauthorized access," Wade explained.
When confronted about this vulnerability, Microsoft stated that the behavior is an intentional design choice meant to keep systems accessible after extended offline periods. The company acknowledged receiving similar security reports in August 2023 but opted not to change the behavior, citing the risk of breaking compatibility with existing applications.
Security experts warn this poses substantial risks for home users, small businesses, and enterprise environments. The issue is particularly concerning where a password has already been compromised, as attackers could maintain persistent system access without detection. Microsoft's security platforms, including Entra ID, Azure, and Defender, do not flag or alert users about continued access through previously used passwords.
Most troubling for system administrators is that this RDP behavior cannot be disabled, leaving networks permanently exposed to this security weakness. Microsoft's stance effectively leaves millions of Windows systems with a built-in backdoor that cannot be closed through standard security measures.
The revelation has sparked debate in the cybersecurity community about the balance between maintaining legacy compatibility and implementing modern security practices. As remote work continues to grow, the implications of this unpatched RDP vulnerability may have far-reaching consequences for organizational security.