A new zero-day vulnerability has been disclosed that could allow attackers to hijack existing Remote Desktop Services sessions in order to gain access to a computer.
The flaw can be exploited to bypass the lock screen of a Windows machine, even when two-factor authentication (2FA) mechanisms such as Duo Security MFA are used. Other login banners an organization may set up are also bypassed.
The issue is now tracked as CVE-2019-9510 and is described as an authentication bypass using an alternate path or channel.