Yotam Gutman

26.2.2026

Remote Access and Admin tools leave the door open

Remote Access and Admin tools leave the door open for hackers to exploit your organization

Remote Monitoring and Management (RMM) and Remote Desktop Services (RDS) were never meant to be security risks. They were created to solve a fundamental logistical problem: IT administrators cannot be in two places at once. Born from the need to move beyond the manual "break-fix" model of the 1990s, these tools were designed to allow centrally located teams to proactively monitor system health, automate patches, and provide hands-on support to global fleets without the cost of travel.

While these tools have been staples of IT departments for decades, the COVID-19 pandemic and the subsequent "Work From Home" revolution acted as a massive catalyst for their adoption. Before 2020, frequent telecommuting was a privilege for a small fraction of the workforce; by late 2025, hybrid and remote models have become the permanent standard for over 70% of remote-capable jobs. This explosion in use has turned RMM and RDS into the universal keys to the enterprise kingdom, and unfortunately, attackers have taken notice.

1. Zero-Days

Legitimate RMM tools have recently faced critical vulnerabilities that allow attackers to sidestep security controls.

In February 2026, Microsoft issued an emergency patch for a zero-day vulnerability in the Windows Remote Access Connection Manager (RasMan).

  • The Threat: Tracked as CVE-2026-21525, this flaw allows attackers to trigger a Denial-of-Service (DoS) by sending malformed input to the RasMan service.
  • The Impact: Because RasMan handles VPN and dial-up connections, an exploit can paralyze remote connectivity for an entire organization. For a business reliant on remote work, this zero-day represents a total operational "off-switch."

TeamViewer (CVE-2026-23572): A high-severity (CVSS 7.2) vulnerability was discovered in TeamViewer Full and Host clients. It allows an authenticated user to bypass the "Allow after confirmation" setting. If an attacker gains initial session access, they can take full control of the machine without the local user ever seeing a "Permit" prompt.

AnyDesk (CVE-2024-52940 & CVE-2024-12754): Recent flaws in AnyDesk have exposed public IP addresses even when "Direct Connections" were supposedly restricted. More critically, CVE-2024-12754 allowed low-privileged local users to read arbitrary files and disclose stored credentials, turning a simple remote access utility into a tool for privilege escalation.

ConnectWise ScreenConnect (CVE-2024-1709): This remains a landmark case where a CVSS 10.0 authentication bypass allowed attackers to create administrative accounts on publicly exposed instances, leading to immediate Remote Code Execution (RCE).

2. The Rise of "RMM Abuse"

Ransomware gangs like LockBit, Black Basta, and Hunters International are increasingly skipping the Trojan and going straight for the "clean" software. By using tools like AnyDesk or Splashtop, they achieve several goals:

  • Stealth: Because these tools are signed and legitimate, they often bypass EDR (Endpoint Detection and Response) and antivirus signatures.
  • Persistence: Attackers use "silent" installation flags (e.g., --silent or --install) to deploy these tools as background services, giving them a permanent, "legal" backdoor.
  • Bypassing the Perimeter: Many organizations whitelist RMM traffic. Attackers exploit this "trusted" status to move laterally and exfiltrate data without triggering alarms.
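One defensive check that follows from the three bullets above, as an added example that is not part of the original post or of any vendor's product: a small Python detector run over constructed process-creation log lines that flags RMM binaries on hosts outside an assumed approved inventory, and unattended-install switches (such as the --silent/--install flags mentioned above) launched from temp or download folders. The process names, the approved-host list and the log format are assumptions.

```python
"""Flag RMM deployments that do not match an approved inventory (added example)."""
import re

# Process-creation log lines, constructed for this example (not real telemetry).
# Fields: timestamp | host | user | image path | command line
SAMPLE_LOGS = """\
2026-02-20T09:12:01Z|WS-0412|corp\\jsmith|C:\\Users\\jsmith\\Downloads\\AnyDesk.exe|AnyDesk.exe --install "C:\\ProgramData\\AnyDesk" --silent --start-with-win
2026-02-20T09:15:44Z|WS-0412|corp\\jsmith|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|WINWORD.EXE /n
2026-02-20T10:02:13Z|HELPDESK-01|corp\\helpdesk|C:\\Program Files\\TeamViewer\\TeamViewer.exe|TeamViewer.exe
2026-02-20T11:30:07Z|SRV-FILE02|NT AUTHORITY\\SYSTEM|C:\\Windows\\Temp\\setup.exe|setup.exe /S /silent
2026-02-20T12:41:55Z|WS-0907|corp\\mlee|C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Client\\SRService.exe|SRService.exe
"""

# Assumed process names for the remote-access tools the post names.
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "srservice.exe", "screenconnect.clientservice.exe"}
# Hosts where the IT team legitimately runs RMM (assumed inventory, not from the post).
APPROVED_RMM_HOSTS = {"HELPDESK-01"}
# Unattended-install switches: the --silent/--install the post mentions plus common installer equivalents.
SILENT_FLAGS = re.compile(r"(?<!\S)(--silent|--install|/S|/silent|/verysilent|/quiet)(?!\S)", re.IGNORECASE)
# Locations from which a legitimate admin rollout would rarely launch an installer.
USER_WRITABLE_DIRS = ("\\temp\\", "\\downloads\\")


def parse_line(line):
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def classify(event):
    """Return the reasons this event warrants review; an empty list means no finding."""
    reasons = []
    image = event["image"].lower()
    exe = image.rsplit("\\", 1)[-1]
    if exe in RMM_BINARIES and event["host"] not in APPROVED_RMM_HOSTS:
        reasons.append(f"RMM binary {exe} on non-approved host {event['host']}")
    silent = SILENT_FLAGS.search(event["cmdline"]) is not None
    if silent and (exe in RMM_BINARIES or any(d in image for d in USER_WRITABLE_DIRS)):
        reasons.append("unattended-install switch from an RMM binary or user-writable path")
    return reasons


def find_suspicious(log_text):
    """Scan all lines and return (host, timestamp, reasons) for each flagged event."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        event = parse_line(line)
        reasons = classify(event)
        if reasons:
            findings.append((event["host"], event["ts"], reasons))
    return findings


if __name__ == "__main__":
    for host, ts, reasons in find_suspicious(SAMPLE_LOGS):
        print(f"{ts} {host}: " + "; ".join(reasons))
```

The approved-host set is the key tuning point: an RMM agent that appears on a host the inventory does not list is the signal that distinguishes the "clean" abuse described above from an ordinary support session.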

Legacy infrastructure remains the primary target for groups like KillSec. In late 2025, they targeted a major healthcare provider by exploiting unpatched, legacy Remote Desktop Protocol (RDP) vulnerabilities. By leveraging outdated RDP components, they bypassed modern security layers to deploy "dual-stage" ransomware, proving that "old" software is often the easiest key for a new lock.

3. The cure? Remove these remote access tools

Legacy Remote Access tools create an inherent risk to your organization.

Don't let your "admin" tools become the persistent backdoor for an adversary. It's time to move from software that can be bypassed to hardware that physically cannot be reached.

Want to see how Zeroport can eliminate the Remote Access risk? Book a demo today.
