Microsoft has advised that a remote code execution vulnerability exists in Windows Remote Desktop Services (RDS) when an unauthenticated attacker connects to the target system using the Remote Desktop Protocol (RDP) and sends specially crafted requests.
The vulnerability requires no user interaction and occurs pre-authentication. Attackers can exploit it to execute arbitrary code on target systems and then install programs or create new accounts with full user rights.
An attacker only needs to send a specially crafted request to the target system's RDS, over RDP, to exploit the vulnerability.
The CVE-2019-0708 update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.