Source
Microsoft Security Response Center
**What is required to exploit this vulnerability?** An authenticated user might be tricked into connecting to a malicious remote desktop server, where the remote desktop host server sends a specially crafted PDU (Server RDP Preconnection) targeting the remote client's drive redirection virtual channel. The end result is potential remote code execution on the victim's machine.
**Is the Preview Pane an attack vector for this vulnerability?** No, the Preview Pane is not an attack vector.
**In what way does an attacker elevate privileges?** A domain user could use this vulnerability to elevate privileges to a domain admin.
**How could an attacker exploit the vulnerability?** An authenticated attacker with access to the domain could perform remote code execution on the SharePoint server to elevate themselves to SharePoint admin.
**How could an attacker exploit this vulnerability?** In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.
**Are there any prerequisites to a successful attack?** Yes, only systems with the IPSec service running are vulnerable to this attack.
**What type of privileges could an attacker gain through this vulnerability?** A local, authenticated attacker could gain elevated privileges through a vulnerable file system component.
**According to the score, the attack vector is Physical. How would an attacker exploit this vulnerability?** To exploit this vulnerability, an attacker with physical access to a vulnerable system could insert a specially crafted USB device.
**Are there additional attack vectors?** This vulnerability can also be exploited through a Local attack vector. An attacker authenticated as an administrator on a vulnerable system could mount a specially crafted virtual hard drive (VHD) to exploit the system. This scenario results in a lower CVSS score, which is why the primary attack vector is listed as Physical in our documentation.