Yotam Gutman
26.2.2026
Remote Access and Admin tools leave the door open for hackers to exploit your organization
Remote Monitoring and Management (RMM) and Remote Desktop Services (RDS) were never meant to be security risks. They were created to solve a fundamental logistical problem: IT administrators cannot be in two places at once. Born from the need to move beyond the manual "break-fix" model of the 1990s, these tools were designed to allow centrally located teams to proactively monitor system health, automate patches, and provide hands-on support to global fleets without the cost of travel.
While these tools have been staples of IT departments for decades, the COVID-19 pandemic and the subsequent "Work From Home" revolution acted as a massive catalyst for their adoption. Before 2020, frequent telecommuting was a privilege for a small fraction of the workforce; by late 2025, hybrid and remote models have become the permanent standard for over 70% of remote-capable jobs. This explosion in use has turned RMM and RDS into the universal keys to the enterprise kingdom. Attackers have taken notice.
The numbers confirm it. Sophos's Active Adversary Report found RDP involved in 89% of incident response cases in 2024, the highest rate Sophos has recorded since it began tracking this metric. Over 4.4 million RDP instances are publicly reachable on the internet at any moment, according to Shodan. And even organizations that apply six or more hardening controls (VPN, MFA, NLA, jump servers, session recording, monitoring) still report a 30% incident rate. The tools themselves have become the attack surface.
In February 2026, Microsoft issued an emergency patch for a zero-day vulnerability in the Windows Remote Access Connection Manager (RasMan). [LINK: https://nvd.nist.gov/vuln/detail/CVE-2026-21525]
The Threat: Tracked as CVE-2026-21525, this flaw allows attackers to trigger a Denial-of-Service (DoS) by sending malformed input to the RasMan service.
The Impact: Because RasMan handles VPN and dial-up connections, an exploit can paralyze remote connectivity for an entire organization. For a business reliant on remote work, this zero-day represents a total operational off-switch.
Legitimate RMM tools have recently faced critical vulnerabilities that allow attackers to sidestep security protocols:
TeamViewer (CVE-2026-23572): A high-severity (CVSS 7.2) vulnerability was discovered in TeamViewer Full and Host clients. It allows an authenticated user to bypass the "Allow after confirmation" setting. If an attacker gains initial session access, they can take full control of the machine without the local user ever seeing a "Permit" prompt.
AnyDesk (CVE-2024-52940 and CVE-2024-12754): Recent flaws in AnyDesk exposed public IP addresses even when "Direct Connections" were supposedly restricted. More critically, CVE-2024-12754 allowed low-privileged local users to read arbitrary files and disclose stored credentials, turning a simple remote access utility into a tool for privilege escalation.
ConnectWise ScreenConnect (CVE-2024-1709): This remains a landmark case where a CVSS 10.0 authentication bypass allowed attackers to create administrative accounts on publicly exposed instances, leading to immediate Remote Code Execution (RCE).
Citrix NetScaler (CVE-2026-3055): In March 2026, a CVSS 9.3 out-of-bounds memory read vulnerability in Citrix NetScaler ADC and NetScaler Gateway was confirmed under active exploitation and added to CISA's Known Exploited Vulnerabilities catalog. The flaw targets appliances configured as SAML Identity Providers, allowing unauthenticated attackers to extract active session tokens directly from memory. No code execution is required. A public Metasploit module is now available. Federal agencies faced a patch deadline of April 2, 2026, and exploitation is ongoing. The Citrix case illustrates a pattern that repeats across gateway-dependent architectures: a device that must be reachable to function will eventually be reachable to attackers.
It is important to distinguish between a RAT (Remote Access Trojan), which is inherently malicious software, and the adversarial abuse of legitimate RMM tools.
Ransomware gangs like LockBit, Black Basta, and Hunters International are increasingly skipping the Trojan and going straight for "clean" software. By using tools like AnyDesk or Splashtop, they achieve several goals:
Stealth: Because these tools are signed and legitimate, they often bypass EDR (Endpoint Detection and Response) and antivirus signatures.
Persistence: Attackers use silent installation flags (e.g., --silent or --install) to deploy these tools as background services, giving them a permanent, "legal" backdoor.
Bypassing the Perimeter: Many organizations whitelist RMM traffic. Attackers exploit this trusted status to move laterally and exfiltrate data without triggering alarms.
Legacy infrastructure remains the primary target for groups like KillSec. In late 2025, they targeted a major healthcare provider by exploiting unpatched, legacy Remote Desktop Protocol (RDP) vulnerabilities. By exploiting outdated RDP components, they bypassed modern security layers to deploy dual-stage ransomware, proving that old software is often the easiest key for a new lock.
But the RDP problem is not limited to unpatched legacy systems. In April 2026, Microsoft released an emergency update (KB5082200 for Windows 10, KB5083769 for Windows 11) introducing new warnings for malicious .RDP files. [LINK: https://www.theregister.com/2026/04/24/remote_desktop_security_beefed_up/] The update was a direct response to a large-scale campaign by Russian state-sponsored group APT29, which used weaponized RDP configuration files to compromise more than 100 organizations across 23 countries. APT29 sent signed .RDP files via spear-phishing emails; when opened, the files silently connected victims to attacker-controlled servers and redirected local drives, clipboard contents, and authentication mechanisms including smart cards and Windows Hello. The update addresses .RDP file execution only. Direct RDP client connections, protocol-level vulnerabilities, and lateral movement via RDP are unchanged.
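As an added illustration of the file-level risk described above (not code from the original post or from Microsoft's update), a small Python checker that parses an .RDP connection file and reports which resource redirections it enables and whether its target is an approved host. The setting names are the standard .RDP file keys; the sample file, the trusted-host list and the Windows Hello mapping to `redirectwebauthn` are assumptions for this illustration.

```python
# Settings that hand local resources to the remote host. Each entry: the expected type tag and a
# predicate on the raw value that returns True when the redirection is switched on.
REDIRECT_KEYS = {
    "drivestoredirect": ("s", lambda v: v.strip() != ""),    # "*" = all local drives
    "redirectclipboard": ("i", lambda v: v.strip() == "1"),
    "redirectsmartcards": ("i", lambda v: v.strip() == "1"),
    "redirectwebauthn": ("i", lambda v: v.strip() == "1"),   # Windows Hello / FIDO2 passthrough
    "redirectprinters": ("i", lambda v: v.strip() == "1"),
}

def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: (type, value)}; names are lowercased."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)   # the value itself may contain ':'
        if len(parts) != 3:
            continue                          # blank or malformed line
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip(), value)
    return settings

def assess_rdp(text, trusted_hosts):
    """Return findings: untrusted target, weak server-auth policy, and every enabled redirection."""
    s = parse_rdp(text)
    findings = []
    # 'full address' may carry a port; hostnames and IPv4 only (IPv6 literals need extra handling).
    host = s.get("full address", ("s", ""))[1].strip().split(":")[0].lower()
    if host not in trusted_hosts:
        findings.append(f"target not in trusted hosts: {host or '<missing>'}")
    # authentication level 0 = connect even if the server's identity cannot be verified
    if s.get("authentication level", ("i", ""))[1].strip() == "0":
        findings.append("server authentication failures are ignored (authentication level 0)")
    for key, (typ, enabled) in REDIRECT_KEYS.items():
        if key in s and s[key][0] == typ and enabled(s[key][1]):
            findings.append(f"{key} enabled ({s[key][1].strip()})")
    return findings

# Constructed sample (not a real captured file): the shape of a file that redirects drives,
# clipboard and credential devices to an unknown server.
SAMPLE_RDP = """\
full address:s:rdp-gateway.unverified.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
authentication level:i:0
"""
```

Running `assess_rdp(SAMPLE_RDP, {"rdp.corp.example"})` returns six findings; the same check on a file that points at an approved host with no redirections returns an empty list.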
RDP's structural problem is not a patching problem. It is an architectural one. RDP is IP-based by design. It requires an open TCP/IP connection, typically on port 3389. That port is the most-scanned port on the internet. Every gateway that must be reachable to function is, by definition, reachable to attackers. CVE-2019-0708 (BlueKeep, CVSS 9.8) required no authentication and is still appearing in active exploitation reports seven years after Microsoft issued the patch. [LINK: https://nvd.nist.gov/vuln/detail/CVE-2019-0708] CVE-2024-43582 allowed unauthenticated remote code execution on RDP servers and was actively exploited in the wild. [LINK: https://nvd.nist.gov/vuln/detail/CVE-2024-43582] No configuration change eliminates these risks. The attack surface is the architecture itself.
At Zeroport, our position is that a signed tool is not a safe tool. To defend against RMM and RDS exploitation, we recommend:
Monitor Command-Line Activity: Set alerts for silent install parameters (e.g., STARTWITHWINDOWS=1, SILENT=1) from common RMM vendors.
Enforce MFA for Every Tool: Multi-Factor Authentication remains a strong barrier to unauthorized session entry. Note that MFA does not stop zero-day protocol exploitation or lateral movement once an attacker is inside the network.
Harden and Patch Aggressively: Move beyond "Patch Tuesday." Critical RMM flaws like the 2026 RasMan zero-day and Citrix CVE-2026-3055 should be patched within 24 to 72 hours. CISA's Known Exploited Vulnerabilities catalog is the authoritative signal for prioritization.
Shadow IT Discovery: Regularly audit your network for rogue RMM tools. If your team uses ScreenConnect, any instance of TeamViewer or AnyDesk should be treated as a potential indicator of compromise.
Disable Direct Connections: For tools like AnyDesk, disable "Direct Connections" and use restricted IDs to prevent IP leakage.
Know Your Regulatory Obligations: NIS2 is now in active enforcement across the EU, with the first administrative penalties issued in Q1 2026. DORA entered its active enforcement phase at the same time, with auditors specifically examining remote access controls and third-party vendor access. Deploying a VPN or APN does not, on its own, satisfy NIS2's requirement for "demonstrable control." Auditors are asking for evidence of access governance, session recording, and blast-radius limitation. Organizations in scope for either framework should review their remote access architecture now, not when an audit notice arrives.
Consider Architectural Isolation: Layered controls reduce exposure but cannot eliminate the IP-based attack surface that RMM and RDS depend on. Hardware-enforced, non-IP remote access removes the network path entirely. When only pixels leave the protected environment and only keyboard and mouse inputs enter, there is no protocol to exploit, no credential to steal in transit, and no lateral movement path available to an attacker who gains session access.
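The command-line monitoring and shadow-IT discovery recommendations above, as an added example that is not part of the original post or any vendor's tooling: a Python scan over a constructed batch of process-creation events that flags RMM binaries outside the sanctioned set and unattended-install switches (the page's --silent, --install, STARTWITHWINDOWS=1 and SILENT=1, plus msiexec's /qn and /quiet). The event shape, the tool-name patterns and the list of user-facing parent processes are assumptions.

```python
import re

# Constructed sample events (host, parent process, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ws-017", "explorer.exe",
     r'"C:\Users\j.doe\Downloads\AnyDesk.exe" --install "C:\Program Files\AnyDesk" --silent'),
    ("ws-022", "outlook.exe",
     r'msiexec.exe /i TeamViewer_Host.msi /qn STARTWITHWINDOWS=1 SILENT=1'),
    ("srv-03", "services.exe",
     r'"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"'),
    ("ws-041", "explorer.exe",
     r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'),
]

# Product names that identify common RMM tools in a command line (assumed patterns).
RMM_TOOLS = {
    "anydesk": re.compile(r"anydesk", re.I),
    "teamviewer": re.compile(r"teamviewer", re.I),
    "screenconnect": re.compile(r"screenconnect", re.I),
    "splashtop": re.compile(r"splashtop", re.I),
}

# Unattended-install switches: the ones named on the page plus msiexec's quiet flags.
SILENT_INSTALL = re.compile(
    r"(?:--silent|--install|\bSILENT=1\b|\bSTARTWITHWINDOWS=1\b|(?<!\S)/q(?:n|uiet)\b)", re.I)

# Parents that suggest the install came from a document or mail client, not a deployment system.
USER_FACING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe", "msedge.exe"}

def classify(event, sanctioned):
    """Return (host, tool, reasons) for an RMM-related event worth alerting on, else None."""
    host, parent, cmd = event
    tool = next((name for name, pat in RMM_TOOLS.items() if pat.search(cmd)), None)
    if tool is None:
        return None                       # not an RMM tool at all
    reasons = []
    if tool not in sanctioned:
        reasons.append(f"RMM tool outside sanctioned set: {tool}")
    if SILENT_INSTALL.search(cmd):
        reasons.append("unattended-install switches on command line")
    if parent.lower() in USER_FACING_PARENTS:
        reasons.append(f"spawned by user-facing application {parent}")
    return (host, tool, reasons) if reasons else None

def scan(events, sanctioned):
    """Run classify over a batch of events and return only the alerts."""
    return [a for a in (classify(e, sanctioned) for e in events) if a]
```

With ScreenConnect as the only sanctioned tool, `scan(SAMPLE_EVENTS, {"screenconnect"})` alerts on the AnyDesk and TeamViewer installs and stays silent on the sanctioned ScreenConnect service and on the unrelated Word process.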
Want to see how Zeroport can eliminate the Remote Access risk? Book a demo today.
Empower global teams with secure, hardware-enforced remote access, no VPNs, no data exposure, no risk.