QwikSec

Security Database

CVE

CWE

Training

CVE-2022-24883

Published: Apr 26, 2022

Modified: Nov 3, 2025

PUBLISHED

CVSS v3.1

7.4

HIGH

Description

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left.

Vendor	Product	Versions
FreeRDP	FreeRDP	affected `< 2.7.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qxm3-v2r6-vmwf

https://github.com/FreeRDP/FreeRDP/commit/4661492e5a617199457c8074bad22f766a116cdc

https://github.com/FreeRDP/FreeRDP/commit/6f473b273a4b6f0cb6aca32b95e22fd0de88e144

https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0

FEDORA-2022-dc48a89918

vendor-advisory

FEDORA-2022-a3e03a200b

vendor-advisory

FEDORA-2022-b0a47f8060

vendor-advisory

vendor-advisory

[debian-lts-announce] 20231117 [SECURITY] [DLA 3654-1] freerdp2 security update

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.