Microsoft has revived the Remote Desktop Connection Manager (RDCMan) app, which was deprecated last year because of an Important-severity information disclosure bug the company decided not to fix.
RDCMan is a Windows RDP (Remote Desktop Protocol) client used by system admins to manage multiple remote desktop connections.
After discontinuing the app, Microsoft advised customers to switch to the built-in Windows Remote Desktop Connection (%windir%\system32\mstsc.exe) or the universal Remote Desktop client.
"An information disclosure vulnerability exists in the Remote Desktop Connection Manager (RDCMan) application when it improperly parses XML input containing a reference to an external entity," Microsoft explained in the March 2020 security advisory.
"An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration."
Attackers could exploit the bug (tracked as CVE-2020-0765) by tricking authenticated targets into opening RDG files containing maliciously crafted XML content.
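A defender-side check for the issue described above, as an added example that is not part of the original article or Microsoft's code: it reads only the prolog of an .rdg file with Python's expat bindings, never fetches an external entity, and reports any DOCTYPE or entity declaration so the file can be rejected before it is opened in RDCMan. The sample file contents, the placeholder path and the function names are constructed for illustration.

```python
import xml.parsers.expat

class _RootReached(Exception):
    """Raised to stop parsing once the prolog (and any DTD) has been read."""

def inspect_rdg(data: bytes) -> dict:
    """Report DTD declarations in RDG content without resolving any entity."""
    findings = {"doctype": False, "external": [], "internal": [], "well_formed": True}
    # No ExternalEntityRefHandler is installed, so expat never fetches anything.
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = True
        if system_id or public_id:
            findings["external"].append(("<external DTD subset>", system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if value is None:                      # declared with SYSTEM or PUBLIC
            findings["external"].append((name, system_id))
        else:                                  # literal replacement text
            findings["internal"].append(name)

    def on_root(name, attrs):
        raise _RootReached                     # body is never parsed or expanded

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(data, True)
    except _RootReached:
        pass
    except xml.parsers.expat.ExpatError:
        findings["well_formed"] = False
    return findings

def is_safe_to_open(data: bytes) -> bool:
    """A legitimate connection file needs no DTD, so any DOCTYPE is refused."""
    result = inspect_rdg(data)
    return result["well_formed"] and not result["doctype"]

# Constructed samples: a plain connection file and one carrying an external entity.
XML_DECL = b'<?xml version="1.0" encoding="utf-8"?>\n'
BODY = b'<RDCMan programVersion="2.7" schemaVersion="3"><file><properties><name>lab</name></properties></file></RDCMan>'
CLEAN_RDG = XML_DECL + BODY
SUSPECT_RDG = XML_DECL + b'<!DOCTYPE RDCMan [<!ENTITY probe SYSTEM "file:///C:/PLACEHOLDER.txt">]>\n' + BODY

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_RDG), ("suspect", SUSPECT_RDG)):
        print(label, is_safe_to_open(sample), inspect_rdg(sample))
```
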