Windows RDP lets you log in using revoked passwords. Microsoft is OK with that.
arstechnica.comPublished: 4/30/2025
Summary
Microsoft's Remote Desktop Protocol (RDP) continues to trust old passwords even after users change them, leaving users potentially vulnerable. This behavior, identified by researcher Daniel Wade, is a deliberate design choice meant to ensure at least one account remains accessible regardless of system downtime. Microsoft insists this isn't an issue and won't address it, noting that users aren't notified or given an option to fix passwords automatically. This flaw could affect millions of users across various settings, including home environments and hybrid work setups, highlighting a lack of clear detection or resolution mechanisms for such vulnerabilities.