PatchSiren cyber security CVE debrief

CVE-2005-1794 Microsoft CVE debrief

CVE-2005-1794 is a legacy Microsoft Remote Desktop Protocol (RDP) issue in which RDP 5.2 stored an RSA private key in mstlsapi.dll and used it to sign a certificate. That design flaw could let a remote attacker spoof the public key of a legitimate server and conduct man-in-the-middle interception of RDP sessions. The issue is historical, but it remains relevant anywhere older Terminal Services or RDP 5.2 components are still present.

Vendor: Microsoft
Product: Windows Terminal Services
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2005-06-01
Original CVE updated: 2026-04-16
Advisory published: 2005-06-01
Advisory updated: 2026-04-16

Who should care

Organizations that still operate Microsoft Terminal Services or other legacy RDP 5.2 deployments, especially administrators of remote access infrastructure, endpoint teams, and defenders responsible for certificate and session trust on Windows systems.

Technical summary

According to the NVD record and linked vendor/advisory references, the vulnerable implementation in Microsoft Terminal Server using RDP 5.2 kept an RSA private key in mstlsapi.dll. Because that key was available to the component that generated/signs the certificate, an attacker could potentially impersonate the expected server key material and intercept or alter traffic in a man-in-the-middle position. The affected CPEs listed by NVD include Microsoft Remote Desktop Connection 5.1.2600.2180 on Windows XP and Microsoft Windows Terminal Services using RDP 5.2.

Defensive priority

Medium priority for any environment that still exposes or depends on the affected legacy RDP stack; lower urgency for organizations that have already eliminated RDP 5.2 from production. The main risk is session interception and server impersonation rather than service disruption.

Recommended defensive actions

Inventory systems for the affected Microsoft RDP/Terminal Services versions listed in NVD.
Treat any remaining RDP 5.2 deployment as legacy and high-risk from a trust perspective.
Follow Microsoft/vendor guidance referenced in the advisory materials and replace or update vulnerable components where supported.
Restrict remote access exposure with network controls, VPNs, and strong authentication while legacy systems are being retired.
Validate certificate and server identity controls for remote administration paths to reduce MITM risk.
Prioritize remediation if the affected stack is still reachable from untrusted networks.

Evidence notes

The vulnerability description, CVSS vector (AV:N/AC:L/Au:N/C:P/I:P/A:N), and affected Microsoft CPEs come from the NVD record. The MITRE-linked vendor advisory reference explicitly points to the RDP GBU advisory PDF, and the public references also include Secunia, SecurityFocus, ICS-CERT, and OVAL entries. No KEV listing is present in the supplied enrichment data.

Official resources

CVE-2005-1794 CVE record
CVE.org
CVE-2005-1794 NVD detail
NVD
Source item URL
nvd_modified
Source reference
[email protected]
Mitigation or vendor reference
[email protected] - Vendor Advisory
Source reference
[email protected]
Source reference
[email protected]
Source reference
[email protected]

CVE published 2005-06-01; supplied NVD record last modified 2026-04-16. No CISA KEV entry is indicated in the supplied data.