If the victim’s network has vulnerable equipment, it could result in an attacker gaining the ability to move laterally and infect Windows domain controllers with malicious software.
How can attackers exploit the flaw?
An attacker can exploit this vulnerability by mounting a man-in-the-middle (MITM) attack against users who are authenticating over RDP or WinRM, and then executing commands remotely. Once a CredSSP session is established, the attacker can steal the session authentication and relay it in a Remote Procedure Call (DCE/RPC) attack against the server the user originally connected to. Having gained privileged access to that system, the attacker can run arbitrary commands and install payloads with local admin privileges.
This attack could be mounted through many scenarios, including:
An Attacker with WiFi or Physical Access
If an attacker has physical access to your network, they could easily launch a MITM attack. Wireless networks are also exposed through attacks such as KRACK, leaving every machine that uses RDP over WiFi open to this new attack.
Address Resolution Protocol (ARP) Poisoning
This vulnerability means an attacker with control of one machine could easily move laterally and infect all machines in the same network segment.
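ARP poisoning leaves two tell-tale traces on the segment: an IP address whose MAC mapping changes, and one MAC answering for several IPs (typically the gateway and the victim at once). The following detector is an added illustration, not code from the original article; it assumes ARP replies have already been captured and reduced to (sender IP, sender MAC) pairs, and the sample replies below are constructed rather than taken from a real capture.

```python
"""Flag ARP-cache poisoning indicators in a stream of ARP replies.

Added illustration (not part of the original article). It assumes the
replies have already been captured and reduced to (sender_ip, sender_mac)
pairs; the sample below is constructed, not a real capture.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample: a gateway at 10.0.0.1, two workstations, then a
# fourth MAC (..:99) that starts answering for both the gateway and a
# workstation, which is what a poisoning host does.
SAMPLE_REPLIES: List[Tuple[str, str]] = [
    ("10.0.0.1",  "aa:bb:cc:00:00:01"),
    ("10.0.0.20", "aa:bb:cc:00:00:20"),
    ("10.0.0.30", "aa:bb:cc:00:00:30"),
    ("10.0.0.1",  "aa:bb:cc:00:00:99"),   # gateway IP now claimed by another MAC
    ("10.0.0.20", "aa:bb:cc:00:00:99"),   # same MAC also claims the workstation
]


def detect_arp_poisoning(replies: Iterable[Tuple[str, str]],
                         trusted: Optional[Dict[str, str]] = None) -> List[str]:
    """Return a list of alert strings, one per indicator observed.

    Two indicators are checked:
      1. an IP whose MAC differs from what was first learned (or from a
         trusted static mapping, if one is supplied for e.g. the gateway);
      2. a single MAC answering for more than one IP, reported each time
         the set of IPs it claims grows.
    """
    ip_to_mac: Dict[str, str] = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[str] = []

    for ip, mac in replies:
        mac = mac.lower()

        # Indicator 1: mapping for this IP changed.
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            alerts.append(f"ip {ip} changed from {known} to {mac}")

        # Indicator 2: one MAC now claims an additional IP.
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if before >= 1 and len(mac_to_ips[mac]) > before:
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append(f"mac {mac} claims multiple ips: {claimed}")

    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_REPLIES, trusted={"10.0.0.1": "aa:bb:cc:00:00:01"}):
        print("ALERT:", line)
```

Seeding `trusted` with the gateway's real MAC (from inventory, not from the network) means the first spoofed reply for the gateway is caught immediately rather than being learned as legitimate; without it the detector still catches the change, but only because a genuine reply happened to arrive first.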