Microsoft has confirmed that its Remote Desktop Protocol (RDP) allows users to log into Windows machines using passwords that have already been changed or revoked.
A Microsoft spokesperson confirmed the company has been aware of the issue since at least August 2023, but maintains that changing the behavior could break compatibility with existing applications.
Changing your Microsoft or Azure password does not immediately revoke RDP access for old credentials.
There are no clear alerts or warnings when old passwords are used for RDP logins.
Microsoft’s security tools, including Defender and Azure, do not flag this behavior.
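Since the page notes that neither RDP nor Defender raises an alert when an old password is accepted, the practical defensive step is to build the review list yourself. The following PowerShell script is an added example, not code from the article or from Microsoft: it pulls password change/reset attempts (Security event IDs 4723 and 4724) and RemoteInteractive logons (event ID 4624 with LogonType 10) from the local Security log and pairs every RDP logon that happened after a password change for the same account. The `$Days` window and the field names read from the event XML are the only assumptions; the event IDs and logon type are standard Windows auditing values.

```powershell
# Added example: list RDP logons that occurred after a password change for the same account.
# Not from the article; assumes Security auditing for logon and account-management events is on.
param([int]$Days = 7)   # review window, an assumed default
$since = (Get-Date).AddDays(-$Days)

# Read a named <Data> field out of an event's XML payload.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4723 = password change attempt, 4724 = password reset attempt.
# TargetUserName is the account whose password was changed.
$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Account = (Get-EventField $_ 'TargetUserName'); When = $_.TimeCreated }
    }

# 4624 with LogonType 10 = RemoteInteractive, i.e. an RDP session on this host.
$rdp = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '10' } |
    ForEach-Object {
        [pscustomobject]@{
            Account = (Get-EventField $_ 'TargetUserName')
            When    = $_.TimeCreated
            Source  = (Get-EventField $_ 'IpAddress')
        }
    }

# Emit one row per RDP logon that post-dates a password change for the same account.
foreach ($c in $changes) {
    $rdp | Where-Object { $_.Account -eq $c.Account -and $_.When -gt $c.When } | ForEach-Object {
        [pscustomobject]@{
            Account         = $_.Account
            PasswordChanged = $c.When
            RdpLogon        = $_.When
            Source          = $_.Source
        }
    }
}
```

The Security log does not record which password a logon used, so the output is a triage list of sessions worth confirming with the account owner, not proof that a revoked password was accepted. The two event families also land in different places: 4624 is written on the RDP target host, while 4723/4724 for domain accounts are written on the domain controller, and password changes made in Azure or for a Microsoft account do not appear in the local log at all, so for those accounts the change timestamps have to be supplied from the identity provider's own audit trail.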
From the article:
Compatibility over security. Genius