Executive Summary

    On January 12th, 2025, Microsoft published an advisory regarding a critical vulnerability in their Remote Desktop Services product. The vulnerability is due to a race condition that can lead to memory corruption. If successfully exploited, an attacker can achieve remote code execution (RCE) on a victim server.

    Remote Desktop Service gateways are deployed internet-facing by design, so successful compromise of an affected server would provide threat actors initial access into an organization’s network. At the time of disclosure, there were no publicly available proof-of-concept (PoC) exploits, nor were there any detailed technical writeups of the vulnerability. On May 15th, however, a researcher published an article providing enough detail of the vulnerability for competent readers to create weaponized exploits.

    There are, at the time of writing, no publicly reported instances of this vulnerability being exploited in the wild. Additionally, CISA has not included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalogue. However, given the newly available technical analysis, well-resourced, financially motivated threat actors could develop weaponized exploits in the coming days, and Beazley Security recommends affected organizations update their systems as soon as possible.

    Affected Systems or Products

    This vulnerability impacts the Microsoft Windows Remote Desktop Services system (also referred to as Remote Desktop Gateway or RD Gateway).

    Affected System                                                                     | Affected Versions  | Solution
    ------------------------------------------------------------------------------------|--------------------|--------------------------------
    Windows Server 2012 R2 (Server Core installation)                                   | <6.3.9600.22371    | Apply Microsoft security update
    Windows Server 2012 R2                                                              | <6.3.9600.22371    | Apply Microsoft security update
    Windows Server 2012 (Server Core installation)                                      | <6.2.9200.25273    | Apply Microsoft security update
    Windows Server 2012                                                                 | <6.2.9200.25273    | Apply Microsoft security update
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | <6.1.7601.27520 | Apply Microsoft security update
    Windows Server 2008 R2 for x64-based Systems Service Pack 1                         | <6.1.7601.27520    | Apply Microsoft security update
    Windows Server 2016 (Server Core installation)                                      | <10.0.14393.7699   | Apply Microsoft security update
    Windows Server 2016                                                                 | <10.0.14393.7699   | Apply Microsoft security update
    Windows Server 2025                                                                 | <10.0.26100.2894   | Apply Microsoft security update
    Windows Server 2022, 23H2 Edition (Server Core installation)                        | <10.0.25398.1369   | Apply Microsoft security update
    Windows Server 2025 (Server Core installation)                                      | <10.0.26100.2894   | Apply Microsoft security update
    Windows Server 2022 (Server Core installation)                                      | <10.0.20348.3091   | Apply Microsoft security update
    Windows Server 2022                                                                 | <10.0.20348.3091   | Apply Microsoft security update
    Windows Server 2019 (Server Core installation)                                      | <10.0.17763.6775   | Apply Microsoft security update
    Windows Server 2019                                                                 | <10.0.17763.6775   | Apply Microsoft security update

    Mitigations / Workarounds

    Microsoft has released patches to fix this vulnerability. It is strongly recommended that these security updates be applied. If the patches cannot be applied, organizations should consider taking the following precautions:

    • Block inbound access to RD Gateway services at the network perimeter.

    • Limit access to known, trusted network addresses only.

    • Disable Remote Desktop Gateway Windows features within Server Manager if they’re not necessary, or temporarily disable them until patching can be applied.

    Beazley Security recommends affected organizations monitor for any unauthorized, unexpected remote connection sessions, and enforce strong network-level access controls and multifactor authentication (MFA) for any RD Gateway implementations.

    Patches

    Microsoft has released patches for this vulnerability that harden the affected aaedge.dll file against the use-after-free attack. Beazley Security recommends visiting Microsoft’s Update Guide to download the relevant cumulative update or security patch for impacted servers and products.

    Technical Details

    CVE-2025-21297 is a race condition that can lead to a use-after-free flaw in Microsoft’s RD Gateway service, specifically impacting the aaedge.dll library. Exploitation involves an attacker sending carefully timed, concurrent connections to the RD Gateway server to create the race condition.

    The first connection triggers the initialization of data objects in memory, while additional connection attempts create multiple threads that simultaneously try to access and misuse the already instantiated object memory. Because the function CTsgMsgServer::GetCTsgMsgServerInstance does not lock or otherwise synchronize access to the shared object while multiple threads manipulate it at the same time, otherwise ordinary memory operations can leave the object in an inconsistent state. Most of the time this will simply cause a crash, but careful manipulation of the memory can lead to remote code execution.

    Successful exploitation provides an attacker remote code execution in the security context of the NT Service\RemoteDesktopGateway service account, which runs as a system-level service.
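    The paragraphs above describe an instance getter that is reached by several connection threads without synchronization. The following is an added, simplified model of that bug class written for this advisory; it is not the Windows code, the names (msg_server_t, get_instance_unsafe, get_instance_safe, race) are hypothetical, and the hardened variant shows the locking the racy getter lacks.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <unistd.h>

/* Simplified model of a lazily created, shared service object: a stand-in for
 * the message-server instance the advisory describes, not the Windows code. */
typedef struct { int id; } msg_server_t;
static msg_server_t *g_instance;                 /* shared instance pointer */
static pthread_mutex_t g_lock = PTHREAD_MUTEX_INITIALIZER;
static _Atomic int g_creations;                  /* objects built so far */
static msg_server_t *(*g_getter)(void);          /* getter under test */

static msg_server_t *build(void) {
    msg_server_t *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->id = atomic_fetch_add(&g_creations, 1) + 1;
    return s;
}
/* Vulnerable pattern: check-then-create with no synchronisation. Several
 * callers can all observe NULL, each builds its own object and overwrites the
 * shared pointer; a caller still using an object that lost the race holds
 * memory the service no longer tracks, the use-after-free class described above. */
static msg_server_t *get_instance_unsafe(void) {
    if (g_instance == NULL) {
        usleep(2000);            /* widen the window so the race is visible */
        g_instance = build();
    }
    return g_instance;
}

/* Hardened pattern: check and creation happen under one lock, so exactly one
 * object is ever built and every caller receives that same object. */
static msg_server_t *get_instance_safe(void) {
    pthread_mutex_lock(&g_lock);
    if (g_instance == NULL) g_instance = build();
    pthread_mutex_unlock(&g_lock);
    return g_instance;
}

static void *worker(void *arg) { (void)arg; return g_getter(); }
/* Run n concurrent callers through a getter; return how many objects were built. */
static int race(msg_server_t *(*getter)(void), int n) {
    pthread_t t[64]; if (n > 64) n = 64;
    g_instance = NULL; atomic_store(&g_creations, 0); g_getter = getter;
    for (int i = 0; i < n; i++) pthread_create(&t[i], NULL, worker, NULL);
    for (int i = 0; i < n; i++) pthread_join(t[i], NULL);
    return atomic_load(&g_creations);
}
```

    With eight concurrent callers the unsafe getter typically builds several objects while the locked getter always builds exactly one; the orphaned objects are the condition a patch such as the aaedge.dll hardening removes.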

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.

    We are also conducting threat hunts across our MXDR environment to detect potential exploitation attempts against our clients.