Are disconnected remote desktop sessions still vulnerable to tscon hijacking?

Yes, if a remote user simply disconnects (closes the RDP window without logging off), the session remains active in a 'Disconnected' state. An attacker with System privileges can still use `tscon` to connect to that session without a password, as demonstrated in the article. This highlights why users should always log off instead of disconnecting.