CVE-2022-24883

critical

Published — · Modified —

CVSS v3

—

CVSS v2

—

VIR risk

9.5

Description

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2022-24883

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2022-24883.html

OS impact

OS	Version	Status	Fixed in
arch		fixed	`2:2.7.0-1`
sles		affected
debian	bookworm	fixed	`2.7.0+dfsg1-1`
debian	bullseye	fixed	`2.3.0+dfsg1-2+deb11u2`

References

Verify integrity in audit chain (admin only). AS-IS.