Most RDP-related breaches exploit weak credentials with insufficient monitoring.
Nearly 30 years since its introduction, Remote Desktop Protocol (RDP) continues to be one of the most consistent initial access vectors among cybercriminals.
Throughout 2025, threat groups including BianLian, Medusa, and Scattered Spider used RDP to gain access to environments before executing ransomware. Also last year, a large-scale botnet launched a wave of attacks against RDP infrastructure in the United States, leveraging RD Web Access timing attacks and RDP web client login enumeration.
But why does this long-standing software continue to play such a central role in modern attacks?
RDP and its role in business
First introduced in 1998, RDP was designed to centralize system management. It allows a server to process, store, and execute actions, while relaying the activity back across the network to the user’s screen, similar to the concept of “thin clients.”
Quickly, RDP became a standard feature in Windows environments.
With the release of Windows XP Professional in 2001, RDP capabilities expanded beyond IT administrators to end users, making remote access far more accessible. Over time, it became a key piece of Windows-based environments, widely used by IT teams for administration and by employees for remote work.
Adoption increased further in the early 2020s as organizations moved to hybrid and remote work.
RDP was built on port 3389 and still uses this as the default port today. According to Shodan, over 1.8 million devices with port 3389 are open to the world, with RDP as the named product. Over 10,000 further devices expose RDP on a port other than 3389.
The role of Remote Desktop Gateway
Microsoft introduced Remote Desktop (RD) Gateway in 2008 to enable RDP over HTTPS, removing the need for a virtual private network (VPN) and adding policy-based access controls. While this made the whole RDP process more secure, it also increased configuration complexity. In practice, that complexity often leads to inconsistent implementations and gaps in visibility.
The changes to the software also brought vulnerabilities, including notable CVEs in 2025 that allowed unauthenticated activity. Additionally, new tools bring higher chances of misconfigurations and unreviewed logs, creating blind spots that threat actors can exploit.
Vulnerabilities are only one of the risks
Like most software, RDP saw multiple vulnerabilities disclosed in 2025, including CVE-2025-48817, CVE-2025-29966, CVE-2025-29967, and CVE-2025-27487.
While many of these were rated critical, the reality is that most RDP-related breaches don't rely on vulnerabilities in the software. Instead, they exploit weak credentials with insufficient monitoring.
Initial Access Brokers (IABs) also play a significant role in the cybercrime landscape. These actors specialize in obtaining and selling access to previously compromised environments, often through previously harvested credentials.
Additionally, credential-stealing malware, such as LummaStealer and Venom Stealer, is commonly used to extract stored RDP credentials from browsers and system registries. These credentials are then collated and sold to other threat actors as a means of entry.
As organizations move away from frequent password rotation in favor of multi-factor authentication (MFA), products that don’t utilize MFA natively can leave behind a trail of valid, dormant credentials. Threat actors take advantage of this by purchasing large credential sets and testing them at scale. In these cases, organizations are not specifically targeted but simply accessible.
Why RDP remains an ideal attack vector
Given its universal use, large attack surface, and predictable standard configurations across organizations, threat actors find RDP an easy 'in' to a network.
By default, RDP offers no native multi-factor authentication; adding it requires additional products. As a result, brute force attacks against exposed RDP are common and, without consistent monitoring, usually go undetected.
Basic protections are also frequently missing. Most Windows operating systems ship with no account lockout policy configured, so organizations need to configure one to stop this type of activity.
Individually, these gaps seem minor, but they add up to make RDP a prime target for threat actors.
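As an added example (not part of the original article), the following Python script shows the kind of monitoring the paragraphs above call for: it runs a simple brute-force rule over constructed Windows Security log records (event 4625 for a failed logon, 4624 for a successful one, LogonType 10 meaning RemoteInteractive, i.e. RDP) and flags a source that fails repeatedly and then succeeds. The field layout and sample values are constructed for the example and are not tied to any particular SIEM.

```python
"""Flag RDP brute-force activity in Windows Security logon events.

Added example, not code from the original article. SAMPLE_EVENTS is a
constructed set of records whose fields mirror Windows Security events
4625 (failed logon) and 4624 (successful logon); LogonType 10 is
RemoteInteractive, which is how an RDP logon is recorded.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2025-06-01T02:00:01", 4625, 10, "jsmith", "203.0.113.7"),
    ("2025-06-01T02:00:03", 4625, 10, "administrator", "203.0.113.7"),
    ("2025-06-01T02:00:06", 4625, 10, "jsmith", "203.0.113.7"),
    ("2025-06-01T02:00:09", 4625, 10, "helpdesk", "203.0.113.7"),
    ("2025-06-01T02:00:12", 4625, 10, "svc_backup", "203.0.113.7"),
    ("2025-06-01T02:00:15", 4625, 10, "svc_backup", "203.0.113.7"),
    ("2025-06-01T02:00:40", 4624, 10, "svc_backup", "203.0.113.7"),  # success after spray
    ("2025-06-01T09:15:00", 4625, 10, "jsmith", "10.0.0.5"),  # one mistyped password
    ("2025-06-01T09:15:20", 4624, 10, "jsmith", "10.0.0.5"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for sources with >= threshold failed RDP
    logons inside `window`, noting any later success from the same source.

    Caveat: with Network Level Authentication enabled, failed RDP logons are
    often recorded as LogonType 3 (network) rather than 10, so a production
    rule should include that type as well."""
    failures = defaultdict(list)    # source_ip -> failure timestamps
    successes = defaultdict(list)   # source_ip -> [(timestamp, account)]
    accounts = defaultdict(set)     # source_ip -> accounts attempted
    for ts, event_id, logon_type, account, src in events:
        if logon_type != 10:
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append(t)
            accounts[src].add(account)
        elif event_id == 4624:
            successes[src].append((t, account))
    alerts = {}
    for src, times in failures.items():
        times.sort()
        # Sliding window: any `threshold` consecutive failures within `window` is an alert.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                later = [acct for t, acct in successes[src] if t >= times[i]]
                alerts[src] = {"failures": len(times),
                               "accounts_tried": len(accounts[src]),
                               "success_after": later[0] if later else None}
                break
    return alerts


if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_EVENTS))
```

A source that sprays several accounts and then logs in successfully, as in the sample, is the case worth paging on; the single failure from the internal host stays below the threshold.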
Reducing RDP-related risks
If your organization is using RDP for remote access, the following measures can help reduce risk. While these are not complete fixes for an exposed RDP interface, they significantly improve security posture:
- Harden the endpoints connecting to your environment, whether laptop, desktop, or mobile device, using Intune to harden and trust devices. Then enforce device compliance policies so that only up-to-date, trusted devices can connect via RDP.
- Utilize a virtual private network (VPN) through an edge device to introduce an additional authentication layer prior to allowing RDP communication. The network channel will also be encrypted, reducing the chance of in-transit interception. Further network blocks can be enabled on the VPN, such as geo-fencing, allowlisting, or traffic inspection.
- RD Gateway is an alternative way to securely proxy connections between external clients and internal RDP hosts. Using HTTPS and access policies reduces exposure to reconnaissance and allows a more targeted approach to access. RD Gateway also provides additional logging and auditing capabilities that security teams can monitor for anomalous activity.