Microsoft RDP flaw: old passwords still allow remote login, design decision raises security concerns
Microsoft has confirmed that its Remote Desktop Protocol (RDP) lets users log in to Windows devices with passwords that have already been changed or revoked. Although an independent security researcher reported that this behavior breaks users' trust in password changes, Microsoft regards it as intentional design rather than a vulnerability and has no plans to change it. The issue lets an attacker holding an old password bypass cloud verification and multi-factor authentication. Experts recommend that organizations review their RDP configuration to reduce the risk. 2025-5-2 09:18:35 Author: cybersecuritynews.com

Windows RDP Bug Allows Login With Expired Passwords – Microsoft Confirms No Fix

Microsoft has confirmed that its Remote Desktop Protocol (RDP) allows users to log into Windows machines using passwords that have already been changed or revoked.

The company says it has no plans to change this behavior, describing it as an intentional design decision rather than a security vulnerability.

The issue came to light after independent security researcher Daniel Wade reported to the Microsoft Security Response Center that, under certain conditions, RDP will continue to accept old passwords for remote access, even after a user has changed their password due to compromise or routine security hygiene.


Wade’s findings, detailed in a report by Ars Technica, warn that this behavior undermines the very trust users place in password changes as a means to cut off unauthorized access.

“This isn’t just a bug. It’s a trust breakdown,” Wade wrote. “People trust that changing their password will cut off unauthorized access. The result? Millions of users, at home, in small businesses, or hybrid work setups, are unknowingly at risk.”

How the Vulnerability Works

The behavior stems from how Windows authenticates RDP sessions for local accounts that are tied to a Microsoft or Azure account. When such a user first signs in, Windows verifies the password online and then stores a cryptographically protected verifier derived from it on the local machine.

For subsequent RDP logins, Windows checks the entered password against this local cache instead of revalidating it online. If the password matches any previously cached verifier, including one for a password that has since been changed or revoked, access is granted.

This means that after a password has been changed in the cloud, the old password remains valid for RDP on that machine indefinitely. In some cases several older passwords work while the newest one does not, which follows from the cache model: a password that has never been used to sign in on that device has no cached verifier there.
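The following PowerShell script is an added illustration, not code from the article or from Microsoft. It models the cache policy described above (policy A: every verifier ever validated online is kept, and an RDP logon matches any of them) next to a bounded single-slot policy (policy B) that revalidates online whenever the device is reachable, evicts the cached verifier when the cloud rejects the very password that was cached, and lets the cache age out. The account name, passwords, salt and seven-day limit are constructed for the demo; PBKDF2 stands in for whatever protected form Windows actually stores.

```powershell
# Added example (not Microsoft's code): toy model of two credential-cache policies.
# All identities, passwords, the salt and the cache lifetime are constructed for the demo.

function Get-Verifier {
    param([string]$Password, [byte[]]$Salt)
    # Salted PBKDF2-SHA256 stands in for the "cryptographically secured" cached form.
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $Password, $Salt, 100000, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { return [Convert]::ToBase64String($kdf.GetBytes(32)) } finally { $kdf.Dispose() }
}

$Salt        = [byte[]](1..16)                      # constructed; real code uses a random salt
$Cloud       = @{ 'user@example.com' = 'Autumn2023!' } # the identity provider's current password
$Online      = $true                                # set to $false to model an offline device
$CacheA      = @{}                                  # policy A: user -> list of verifiers
$CacheB      = @{}                                  # policy B: user -> one verifier + timestamp
$MaxCacheAge = [TimeSpan]::FromDays(7)              # assumed lifetime for policy B

# An online-verified sign-in (console logon, first-ever logon) populates both caches.
function Invoke-OnlineSignIn {
    param([string]$User, [string]$Password)
    if (-not $Online -or $Cloud[$User] -ne $Password) { return $false }
    $v = Get-Verifier $Password $Salt
    if (-not $CacheA.ContainsKey($User)) { $CacheA[$User] = @() }
    $CacheA[$User] += $v                                       # A: append, never evict
    $CacheB[$User] = @{ Verifier = $v; Cached = Get-Date }      # B: single slot, overwritten
    return $true
}

# Policy A, as the article describes it: RDP consults only the cache and accepts any entry.
function Invoke-RdpLogonA {
    param([string]$User, [string]$Password)
    return [bool]($CacheA[$User] -contains (Get-Verifier $Password $Salt))
}

# Policy B: prefer the cloud when reachable; offline, accept only the single cached
# verifier, and only while it is younger than $MaxCacheAge.
function Invoke-RdpLogonB {
    param([string]$User, [string]$Password, [datetime]$Now = (Get-Date))
    $v = Get-Verifier $Password $Salt
    if ($Online) {
        if ($Cloud[$User] -eq $Password) {
            $CacheB[$User] = @{ Verifier = $v; Cached = $Now }
            return $true
        }
        if ($CacheB.ContainsKey($User) -and $CacheB[$User].Verifier -eq $v) {
            $CacheB.Remove($User)   # the cloud rejected the password we cached: it is stale
        }
        return $false               # a wrong guess that matches nothing leaves the cache alone
    }
    $e = $CacheB[$User]
    return ($null -ne $e) -and ($e.Verifier -eq $v) -and (($Now - $e.Cached) -lt $MaxCacheAge)
}

# Scenario: two sign-ins on this device, then a rotation performed somewhere else.
$u = 'user@example.com'
Invoke-OnlineSignIn $u 'Autumn2023!' | Out-Null
$Cloud[$u] = 'Winter2024!'; Invoke-OnlineSignIn $u 'Winter2024!' | Out-Null
$Cloud[$u] = 'Spring2025!'                      # changed from another device, never used here

"A  Autumn2023!          -> $(Invoke-RdpLogonA $u 'Autumn2023!')"
"A  Winter2024!          -> $(Invoke-RdpLogonA $u 'Winter2024!')"
"A  Spring2025!          -> $(Invoke-RdpLogonA $u 'Spring2025!')"
"B  online  Winter2024!  -> $(Invoke-RdpLogonB $u 'Winter2024!')"
"B  online  Spring2025!  -> $(Invoke-RdpLogonB $u 'Spring2025!')"
$Online = $false
"B  offline Spring2025!  -> $(Invoke-RdpLogonB $u 'Spring2025!')"
"B  offline +30 days     -> $(Invoke-RdpLogonB $u 'Spring2025!' -Now (Get-Date).AddDays(30))"
```

Under policy A both older passwords are accepted and the newest one is rejected, exactly the pattern the article reports, because the cache is append-only and the newest password was never verified on this device. Under policy B the old password is refused as soon as the cloud is reachable, the current one is cached in its place, and the offline fallback stops working once the single entry ages out. The offline fallback is the trade-off Microsoft cites; policy B keeps it but bounds it instead of leaving every old verifier valid forever.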

Security professionals have expressed concern over the implications. Will Dormann, a senior vulnerability analyst at Analygence, noted, “It doesn’t make sense from a security perspective. If I’m a sysadmin, I’d expect that the moment I change the password of an account, then that account’s old credentials cannot be used anywhere. But this is not the case.”

According to the report, the flaw effectively bypasses cloud verification, multifactor authentication, and Conditional Access policies, creating a persistent backdoor for attackers who hold old credentials.

Microsoft’s Response: “Not a Security Vulnerability”

Despite the risks, Microsoft has refused to classify the behavior as a bug or vulnerability. The company says the design ensures that at least one user account can always log in, even if the system has been offline for a long period.

Microsoft has updated its documentation to warn users, but has not provided clear guidance on how to mitigate the risk beyond suggesting that RDP be configured to authenticate only with locally stored credentials.

A Microsoft spokesperson confirmed the company has been aware of the issue since at least August 2023, but maintains that changing the behavior could break compatibility with existing applications.

  • Changing your Microsoft or Azure password does not immediately revoke RDP access for old credentials.
  • There are no clear alerts or warnings when old passwords are used for RDP logins.
  • Microsoft’s security tools, including Defender and Azure, do not flag this behavior.

For now, experts recommend that organizations review their RDP configurations, limit remote access where it is not needed, and consider enforcing local-only authentication to reduce exposure.
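The following read-only audit script is an added example, not something published with the article or by Microsoft. Run it in an elevated PowerShell session on the host you want to review. It reports whether RDP is enabled and whether Network Level Authentication is required, lists enabled local accounts whose PrincipalSource is a Microsoft account or Azure AD (the accounts whose cached verifiers RDP will accept) and whether any of them hold RDP or administrator rights, and baselines recent RDP logons from the Security log (event 4624, logon type 10), since nothing on the host flags that an old password was used. The registry paths, group names and event fields are standard Windows ones; the output field names are this script's own.

```powershell
# Added example (not from the article): read-only review of a host's RDP exposure to the
# cached-credential behaviour. Requires an elevated session; changes nothing.

# 1. Is RDP reachable, and is Network Level Authentication required?
$ts          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled  = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nlaRequired = (Get-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1

# 2. Which enabled local accounts are backed by a Microsoft or Azure identity?
$cloudSources = 'MicrosoftAccount', 'AzureAD'
$cloudBacked  = Get-LocalUser | Where-Object { $_.Enabled -and ("$($_.PrincipalSource)" -in $cloudSources) }

# 3. Which of the groups that grant remote logon contain such accounts?
$rdpMembers = foreach ($g in 'Remote Desktop Users', 'Administrators') {
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, Name, PrincipalSource
}
$cloudWithRdp = $rdpMembers | Where-Object { "$($_.PrincipalSource)" -in $cloudSources }

# 4. Baseline recent RDP logons: 4624 with LogonType 10 (RemoteInteractive).
#    The event cannot tell you whether the password used was current, so review
#    source addresses and accounts against what you expect.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
$rdpLogons = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $f = @{}
        foreach ($d in $x.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($f.TargetDomainName)\$($f.TargetUserName)"
            Source  = $f.IpAddress
            AuthPkg = $f.AuthenticationPackageName
        }
    }

[pscustomobject]@{
    RdpEnabled               = $rdpEnabled
    NlaRequired              = $nlaRequired
    CloudBackedAccounts      = ($cloudBacked.Name -join ', ')
    CloudBackedWithRdpRights = (($cloudWithRdp | ForEach-Object { "$($_.Group): $($_.Name)" }) -join '; ')
} | Format-List

$rdpLogons | Sort-Object Time -Descending | Format-Table -AutoSize
```

None of these settings changes the caching behaviour itself; they narrow who can reach RDP and with which accounts. If the host does not need RDP, setting fDenyTSConnections to 1 (and blocking TCP 3389 at the firewall) removes the exposure entirely, and accounts that must use RDP can be given a purely local identity so that the password RDP checks is the one you control on that machine. Get-LocalGroupMember can fail on some Azure AD joined machines when it meets a SID it cannot resolve, which is why the script tolerates errors on that call rather than aborting.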

Microsoft’s stance leaves millions at risk, highlighting a fundamental disconnect between user expectations of password security and the realities of Windows’ RDP design.



Source: https://cybersecuritynews.com/windows-rdp-bug/