Recent reports of a sharp surge in coordinated scanning against Microsoft Remote Desktop Protocol (RDP) authentication endpoints have renewed concern about the security of this widely used remote access tool. According to internet intelligence firm GreyNoise, 1,971 IP addresses, predominantly originating from Brazil, were observed probing Microsoft Remote Desktop Web Access and RDP Web Client authentication portals in a highly synchronized campaign.
This activity, detected on August 21, 2025, points to coordinated reconnaissance, potentially signaling the discovery of a new vulnerability or preparation for a larger attack. Notably, this botnet is believed to be the same one responsible for a large-scale attack across the United States in February 2025, which targeted Microsoft 365 accounts with password-spray attempts launched from over 130,000 compromised devices.
The Persistent RDP Vulnerabilities
RDP, developed by Microsoft, has long been a staple for remote access, enabling users to control Windows desktops and servers over a network. However, its security weaknesses are not new. Historical data shows millions of RDP endpoints exposed online: a 2017 Rapid7 scan found over 4.1 million devices speaking the RDP protocol on the public internet. Weak passwords, lack of multi-factor authentication (MFA), and direct internet exposure compound these risks. Even when moved to a non-standard port, RDP remains a frequent entry point, as seen in past ransomware campaigns such as Venus and Dharma, which targeted publicly accessible RDP services.
Moreover, the February 2025 attack linked to this botnet showed its sophistication: login attempts were spread across a large pool of compromised devices so that no single source IP tripped per-IP lockout or rate-limit thresholds. This highlights how poorly an internet-exposed RDP service protected by a password alone holds up against distributed attacks.
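The distributed pattern described above is exactly what a per-source-IP threshold misses. The following PowerShell is an added example, not code from the original article or from GreyNoise: it runs three checks over Windows Security log failed-logon events (Event ID 4625) and flags an account that is being hit from many sources even when each source stays under the brute-force threshold. The sample events are constructed for the example and stand in for the output of Get-WinEvent; the field names mirror the 4625 event data, and the thresholds are assumed starting points to tune for your environment.

```powershell
# Added example, not from the original article: detect distributed password
# spraying against RDP in Windows Security log data.
# Event ID 4625 = failed logon. LogonType 10 = RemoteInteractive (RDP);
# LogonType 3 = network, which is where NLA/CredSSP pre-auth failures land.

# Constructed sample events (CSV, not real log data) standing in for:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-1)}
# Columns mirror the 4625 event data fields TargetUserName, IpAddress, LogonType.
$Sample = @'
Time,TargetUserName,IpAddress,LogonType
2025-08-21T03:00:01Z,administrator,203.0.113.10,10
2025-08-21T03:00:02Z,administrator,203.0.113.11,10
2025-08-21T03:00:03Z,administrator,203.0.113.12,10
2025-08-21T03:00:04Z,administrator,203.0.113.13,10
2025-08-21T03:14:01Z,administrator,203.0.113.10,10
2025-08-21T03:14:02Z,administrator,203.0.113.11,10
2025-08-21T03:14:03Z,administrator,203.0.113.12,10
2025-08-21T03:14:04Z,administrator,203.0.113.13,10
2025-08-21T03:20:00Z,backup,198.51.100.7,3
2025-08-21T03:20:01Z,backup,198.51.100.7,3
2025-08-21T03:20:02Z,backup,198.51.100.7,3
2025-08-21T03:20:03Z,backup,198.51.100.7,3
2025-08-21T03:20:04Z,backup,198.51.100.7,3
2025-08-21T03:25:00Z,svc_sql,192.0.2.5,10
2025-08-21T03:25:01Z,helpdesk,192.0.2.5,10
2025-08-21T03:25:02Z,jsmith,192.0.2.5,10
2025-08-21T03:30:00Z,jsmith,127.0.0.1,2
'@
$Events = $Sample | ConvertFrom-Csv

function Find-RdpSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $PerIpThreshold        = 5,  # brute force: many failures from one source (assumed threshold)
        [int] $DistinctIpThreshold   = 3,  # distributed spray: one account, many sources (assumed)
        [int] $DistinctUserThreshold = 3   # low-and-slow spray: one source, many accounts (assumed)
    )
    # Keep only the logon types RDP/NLA produce; drop console (2), service (5), etc.
    $rdp = @($Events | Where-Object { [int]$_.LogonType -in @(3, 10) })
    $findings = @()

    # Per-source checks: the only ones a naive lockout or rate limit performs.
    foreach ($g in ($rdp | Group-Object IpAddress)) {
        $users = @($g.Group.TargetUserName | Sort-Object -Unique)
        if ($g.Count -ge $PerIpThreshold) {
            $findings += [pscustomobject]@{ Pattern = 'brute-force'; Key = $g.Name; Failures = $g.Count; Detail = ($users -join ',') }
        }
        if ($users.Count -ge $DistinctUserThreshold) {
            $findings += [pscustomobject]@{ Pattern = 'single-source-spray'; Key = $g.Name; Failures = $g.Count; Detail = ($users -join ',') }
        }
    }
    # Per-account check: catches the botnet case where every source stays under
    # $PerIpThreshold but the same account is hit from many of them.
    foreach ($g in ($rdp | Group-Object TargetUserName)) {
        $ips = @($g.Group.IpAddress | Sort-Object -Unique)
        if ($ips.Count -ge $DistinctIpThreshold) {
            $findings += [pscustomobject]@{ Pattern = 'distributed-spray'; Key = $g.Name; Failures = $g.Count; Detail = ($ips -join ',') }
        }
    }
    return $findings
}

Find-RdpSpray -Events $Events | Format-Table -AutoSize
```

With the constructed sample, the per-source checks flag only 198.51.100.7 (five failures on one account) and 192.0.2.5 (three different accounts), while the administrator account is surfaced by the per-account check even though each of the four 203.0.113.x sources made just two attempts. On real hosts, replace the CSV with Get-WinEvent output and run the checks over a sliding window, since a patient spray spreads attempts over hours rather than minutes.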
Why RDP Falls Short in Today’s Threat Landscape
The core issue with RDP is that its security rests on configuration rather than design. It supports Network Level Authentication via CredSSP and TLS for the transport, but strong passwords, firewall rules, and access control lists all have to be set up and maintained by administrators. Even minor misconfigurations expose systems to brute-force attacks and credential theft, and an unpatched gateway can be hit by remote code execution (RCE), as with the 2020 BlueGate vulnerabilities (CVE-2020-0609 and CVE-2020-0610), pre-authentication flaws in the Windows Server Remote Desktop Gateway component.
Additionally, RDP's design does not align with modern frameworks like Zero Trust, which grant no inherent trust to any user or device. Exposed RDP servers are particularly attractive to botnets, which can probe for timing flaws in the authentication flow (which can reveal whether a username exists) or for weak credentials at scale, as evidenced by the recent surge and the February 2025 attack. GreyNoise has reported that 80% of technology-specific scanning spikes precede a new vulnerability disclosure within six weeks, so the current activity may foreshadow a significant RDP-related security flaw.
Modern Alternatives: SASE and ZTNA
To address RDP vulnerabilities, organizations should consider transitioning to more secure, modern solutions like Secure Access Service Edge (SASE) and Zero Trust Network Access (ZTNA). These frameworks offer robust alternatives that align with today’s dynamic threat environment:
- SASE: SASE integrates network security functions, such as secure web gateways, firewall-as-a-service, and cloud access security brokers, with wide-area networking capabilities. It provides secure, scalable access to resources regardless of user location and shrinks the attack surface by removing the need to expose RDP ports to the internet. By leveraging cloud-based security and identity verification, SASE provides consistent protection without relying on traditional VPN concentrators, which are themselves internet-exposed authentication endpoints with a history of their own vulnerabilities.
- ZTNA: Zero Trust Network Access operates on the principle of "never trust, always verify." ZTNA authenticates every user and device and grants access only to specific applications or resources after that verification. Unlike RDP, which often relies on a single password, ZTNA enforces continuous, identity- and device-aware authorization together with micro-segmentation, so that a compromised credential alone does not yield lateral movement within the network. This approach significantly reduces the risks associated with exposed RDP services.
Both SASE and ZTNA offer dynamic, identity-driven access controls that adapt to modern threats, unlike RDP's static, perimeter-based security model. They also typically enforce MFA and encrypt traffic by default, removing the configuration pitfalls that account for most RDP compromises.
Recommendations for Securing Remote Access
While transitioning to SASE or ZTNA is ideal, organizations still using RDP can take immediate steps to mitigate RDP vulnerabilities:
- Enable Multi-Factor Authentication (MFA): Microsoft research indicates that MFA blocks more than 99.9% of account compromise attacks. RDP has no native second factor, so enforce MFA in front of it, for example with a Remote Desktop Gateway using the NPS extension for Microsoft Entra multifactor authentication, or a third-party MFA agent on the host. Network Level Authentication (NLA) should also be required, but note that it is not MFA.
- Use a VPN or Firewall: Keep RDP off the public internet. Require a VPN (itself protected by MFA) to reach RDP hosts, and restrict the inbound RDP firewall rule to the VPN address pool or a jump host rather than any source. Verify the result from the outside with a port scan or your attack surface monitoring. Where a next-generation firewall is in path, use its application-level inspection rather than a plain port filter.
- Monitor and Update: Watch the Windows Security log on RDP hosts and gateways for failed logons (Event ID 4625, logon types 3 and 10), and aggregate by target account as well as by source IP, since a distributed spray keeps each source's failure count low. For Entra-joined hosts and RD Web deployments, also review Microsoft Entra ID sign-in logs. Apply security updates promptly to close known RDP vulnerabilities.
- Consider Non-Standard Ports: Moving RDP off TCP 3389 reduces noise from the crudest automated scans, but internet-wide scanners fingerprint the protocol rather than the port, so it does not stop a targeted campaign and was ineffective for some victims of past attacks.
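The settings the list above depends on can be audited and applied from an elevated PowerShell session on the RDP host. The script below is an added example, not configuration from the original article: Get-RdpPosture reports the current values next to what the hardened values should be, and Set-RdpHardening applies them. The 10.10.0.0/24 address pool is an assumed VPN subnet to replace with your own, and the lockout numbers are assumed starting points; on a domain-joined host the lockout policy comes from Group Policy instead of net accounts.

```powershell
# Added example, not from the original article: audit and harden the
# host-side RDP settings behind the recommendations above. Run elevated.
$VpnSubnet = '10.10.0.0/24'   # assumed VPN address pool; replace with your own
$TS  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$Rdp = "$TS\WinStations\RDP-Tcp"

function Get-RdpPosture {
    # Weak vs hardened values:
    #   UserAuthentication 0 (no NLA, client reaches the logon screen unauthenticated) -> 1
    #   SecurityLayer      0 (legacy RDP security) / 1 (negotiate)                     -> 2 (TLS only)
    #   MinEncryptionLevel 1-2 (low/client-compatible)                                 -> 3 (High) or 4 (FIPS)
    #   Firewall RemoteAddress 'Any' (reachable from the internet)                    -> VPN pool / jump host
    $ts  = Get-ItemProperty $TS
    $rdp = Get-ItemProperty $Rdp
    $scope = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
             Get-NetFirewallAddressFilter
    [pscustomobject]@{
        RdpEnabled         = ($ts.fDenyTSConnections -eq 0)
        NlaRequired        = ($rdp.UserAuthentication -eq 1)
        SecurityLayer      = $rdp.SecurityLayer
        MinEncryptionLevel = $rdp.MinEncryptionLevel
        FirewallScope      = (($scope.RemoteAddress | Sort-Object -Unique) -join ',')
    }
}

function Set-RdpHardening {
    param([Parameter(Mandatory)] [string] $AllowedSubnet)
    # Require NLA: the client must authenticate via CredSSP before a session is created.
    # This is not MFA; a second factor still has to come from an RD Gateway or MFA agent.
    Set-ItemProperty $Rdp -Name UserAuthentication -Value 1
    Set-ItemProperty $Rdp -Name SecurityLayer      -Value 2   # TLS only, no legacy RDP security
    Set-ItemProperty $Rdp -Name MinEncryptionLevel -Value 3   # High (128-bit)
    # Scope the built-in inbound RDP rules (TCP and UDP 3389) to the VPN pool instead of Any.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedSubnet
    # Local account lockout: blunts single-source brute force, but a spray that stays
    # below the threshold per account per window still gets through (see Monitor above).
    net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15
}

'Posture before hardening:'
Get-RdpPosture
Set-RdpHardening -AllowedSubnet $VpnSubnet
'Posture after hardening:'
Get-RdpPosture
```

After applying the script, confirm from outside the VPN that TCP and UDP 3389 no longer answer; the registry and firewall values only describe intent, and an external check proves the exposure is actually gone.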
However, these measures reduce risk rather than eliminate it. The persistent targeting of RDP, as seen in the recent Brazilian botnet campaign and the February 2025 attack, underscores the need for a fundamental shift to more secure architectures.
Time to Move Beyond RDP
The coordinated scans detected in August 2025, coupled with the botnet's prior attack in February, are a stark reminder of RDP's weaknesses. Its dependence on correct configuration and its exposure to internet-based attacks make it a liability in today's threat landscape. Modern solutions like SASE and ZTNA provide scalable, secure alternatives that align with Zero Trust principles and hold up far better against sophisticated botnets and reconnaissance campaigns.
Organizations should evaluate their remote access strategies and prioritize solutions that minimize attack surfaces and enforce continuous verification. As cybercriminals continue to exploit RDP, clinging to this aging protocol could prove costly. Isn't it time to rethink your RDP usage and move to a more secure architecture?