
Critical RDP Vulnerability Allows Persistent Access with Revoked Microsoft/Azure Passwords

A newly disclosed critical vulnerability in Windows Remote Desktop Protocol (RDP) lets attackers bypass cloud authentication and maintain permanent access using revoked Microsoft or Azure account passwords, even after password changes, while Microsoft treats the issue as a design decision rather than a bug.


Remote Desktop Protocol (RDP) is Microsoft’s native remote‑desktop solution, running over TCP/IP and valued for its low resource usage and high throughput, but it traditionally requires a fixed public IP or NAT traversal for external access.

Security researcher Daniel Wade uncovered a severe flaw: when a Windows machine with RDP enabled is logged in using a Microsoft or Azure account, an attacker can log in via RDP with a previously revoked password, bypassing cloud‑based identity verification, multi‑factor authentication, and conditional‑access policies, even from a brand‑new device.

The vulnerability persists after the user changes the account password: the old credentials remain cached locally by RDP and continue to grant access, giving the attacker persistent control of the compromised system.

Microsoft acknowledged the issue, noting it has been reported before, but argued that fixing it would break compatibility for some applications and that the behavior is a deliberate design choice to ensure offline logins remain possible, thus not classifying it as a bug.

The root cause lies in RDP’s authentication flow: during the first login, the password is verified online and then stored encrypted locally; subsequent logins compare only against this cached credential, never re‑validating with the cloud service.

Microsoft’s documentation now warns that after a password change, the new password may not be usable for RDP until the remote host synchronizes, and no alerts appear in Defender, Entra ID, or Azure.

Mitigation currently requires creating a local account on the remote machine and using those local credentials for RDP, rotating that account’s password frequently by hand.
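The following is an added example, not code from the article or from Microsoft, that turns the cached‑credential flow described above and the local‑account mitigation into something a defender can run on an RDP host: it lists cloud principals (Microsoft account or Entra ID) that are allowed to log on over RDP, pulls recent RDP logons from the Security log, and provides a helper that creates the dedicated local RDP account. It assumes Windows PowerShell 5.1 or later with the built‑in LocalAccounts module, an elevated session to read the Security log, and that cloud accounts appear in event 4624 with the domain names MicrosoftAccount or AzureAD (an assumption, not stated in the article); the account name rdp-local is hypothetical.

```powershell
# Added example: audit an RDP host for cloud accounts that can still use a cached password.
# Assumes PowerShell 5.1+, LocalAccounts module, elevated session. Account name is hypothetical.

function Get-CloudRdpMembers {
    # Members of "Remote Desktop Users" whose principal lives in the cloud. Per the article,
    # these accounts can still authenticate over RDP with a cached, already‑revoked password.
    Get-LocalGroupMember -Group 'Remote Desktop Users' |
        Where-Object { "$($_.PrincipalSource)" -in @('AzureAD', 'MicrosoftAccount') }
}

function Get-RecentRdpLogons {
    param([int]$Days = 7)
    # Security event 4624 with LogonType 10 is an RDP (RemoteInteractive) logon.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        if ($data.LogonType -eq '10') {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = "$($data.TargetDomainName)\$($data.TargetUserName)"
                Source = $data.IpAddress
                # Assumption: cloud accounts log on under these domain names (not stated in the article).
                Cloud  = $data.TargetDomainName -in @('MicrosoftAccount', 'AzureAD')
            }
        }
    }
}

function New-LocalRdpAccount {
    # The article's mitigation: a dedicated local account used only for RDP.
    param([string]$Name = 'rdp-local')
    $password = Read-Host -AsSecureString "Password for $Name"
    New-LocalUser -Name $Name -Password $password -Description 'Dedicated local RDP account' | Out-Null
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $Name
}

# Report: who can still get in with a cloud account, and which recent RDP logons used one.
Get-CloudRdpMembers | Format-Table Name, PrincipalSource
Get-RecentRdpLogons | Where-Object Cloud | Format-Table Time, User, Source
```

Run New-LocalRdpAccount once to create the local account, then remove the cloud principals the first report lists from Remote Desktop Users so that only the local account can log on over RDP.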

Ironically, Microsoft has been pushing Microsoft‑account sign‑in since Windows 10 and removed the “skip network” option in Windows 11, further entrenching this risk as Windows 10 approaches end‑of‑life.

Tags: authentication, Microsoft, remote desktop, password, Azure, Security Vulnerability, RDP

Written by IT Services Circle