Anonymous
7 years ago

Critical Remote Code Execution Vulnerability CVE-2019-0708 Addressed in Patch Tuesday Updates

Microsoft has released its monthly security update for May. Included in this month's Patch Tuesday release is CVE-2019-0708, a critical remote code execution vulnerability that could allow an unauthenticated remote attacker to execute remote code on a vulnerable target running Remote Desktop Protocol (RDP). 

Tenable recommends applying the full May 2019 Security Update from Microsoft for all vulnerable assets. For CVE-2019-0708, Microsoft has provided updates for Windows 7, Windows Server 2008 and Windows Server 2008 R2. Additionally, Microsoft has provided patches for out-of-support systems, including Windows XP, Windows XP Professional, Windows XP Embedded and Windows Server 2003.

For more information, please visit our blog.

12 Replies

  • Good afternoon! A customer today raised an interesting question regarding scanning for this CVE. Will Nessus be able to scan devices susceptible/vulnerable to this vuln in particular if under NLA (Network Level Authentication), given that for the exploit on NLA to succeed an authentication is required - and so might the scan to detect it?

    Anonymous

    Our scan currently looks for the installed KB from the Windows update, and doesn't include logic to look for the target's NLA configuration.

    But! You can use plugin 58453 to see if NLA is enabled or not on your target. Microsoft does state though: "...affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate." This is true even if NLA is enabled.

    We like to err on the side of caution, and even though NLA being enabled would make exploitation less likely, it doesn't completely mitigate the risk of attack, which is why we still want this plugin to notify customers that are unpatched.

      kk_nair1

      Hello Ryan,

      Just a small clarification required on your comments. Do you mean to say that even after applying the KB, Nessus will still show it as unpatched? If possible, could you please provide us the MS KBs to be applied?

    • Ryan, can you tell us what KB the plugin 125313 Microsoft RDP RCE (CVE-2019-0708) (uncredentialed check) is looking for?
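
The distinction drawn in the reply above (patch status decides exposure, NLA only lowers the likelihood), as an added example that is not part of the original thread and is not Tenable's plugin logic. It is a local PowerShell check; the KB id is a placeholder because the thread does not list the KB numbers, and the function and parameter names are hypothetical.

```powershell
# Added example: local triage for CVE-2019-0708, run on the host being assessed.
param(
    # Placeholder: replace with the KB numbers from Microsoft's advisory for this OS.
    [string[]]$PatchKbIds = @('KB0000000')
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-Cve20190708Status([string[]]$KbIds) {
    # fDenyTSConnections = 0 means Remote Desktop accepts connections.
    $rdpEnabled  = ((Get-RegValue $tsKey 'fDenyTSConnections') -eq 0)
    # UserAuthentication = 1 means NLA is required (local setting only).
    $nlaRequired = ((Get-RegValue $rdpKey 'UserAuthentication') -eq 1)

    # Caveat: Get-HotFix lists installed KBs by id, so a later rollup that
    # supersedes the listed KB will not match; confirm a "not patched" result.
    $hits = @(Get-HotFix -ErrorAction SilentlyContinue |
              Where-Object { $KbIds -contains $_.HotFixID })
    $patched = ($hits.Count -gt 0)

    # Patch status decides the verdict; NLA only changes who can reach the flaw.
    if ($patched)                 { $verdict = 'Patched' }
    elseif (-not $rdpEnabled)     { $verdict = 'Unpatched; RDP currently disabled' }
    elseif ($nlaRequired)         { $verdict = 'Unpatched; NLA on, exploitable with valid credentials' }
    else                          { $verdict = 'Unpatched; RDP reachable without NLA' }

    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        RdpEnabled  = $rdpEnabled
        NlaRequired = $nlaRequired
        Patched     = $patched
        Verdict     = $verdict
    }
}

Get-Cve20190708Status $PatchKbIds | Format-List
```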

  • Are there any plugins being developed to detect CVE-2019-0708 remotely, without credentials?

      Anonymous

      Hello,

      Yes, although we don't have an exact ETA for when development will be complete. This plugin search will automatically update with our remote check for CVE-2019-0708 once it's live.

    Anonymous

    For the environment I'm working on, even with NLA disabled Nessus still can't detect this vulnerability. Can anyone help me with this please?

    Anonymous

    Should this be a credentialed scan? Because I have tried scanning with only the plugins specific to this vulnerability, but it did not see anything.

    Thanks