A important vulnerability in Microsoft’s Distant Desktop Gateway (RD Gateway) that might permit attackers to execute malicious code on affected methods remotely.
The vulnerability, tracked as CVE-2025-21297, was disclosed by Microsoft of their January 2025 safety updates and has since been actively exploited within the wild.
The flaw, found and reported by VictorV (Tang Tianwen) from Kunlun Lab, stems from a use-after-free (UAF) bug triggered by concurrent socket connections throughout the initialization of the Distant Desktop Gateway service.
Particularly, the vulnerability exists within the aaedge.dll library, throughout the CTsgMsgServer::GetCTsgMsgServerInstance operate, the place a world pointer (m_pMsgSvrInstance) is initialized with out correct thread synchronization.
“The vulnerability happens when a number of threads can overwrite the identical world pointer, corrupting reference counts and finally resulting in the dereferencing of a dangling pointer – a traditional UAF situation,” explains the safety advisory.
The race situation permits attackers to use a timing challenge the place reminiscence allocation and pointer task happen out of sync, doubtlessly resulting in arbitrary code execution. Microsoft has assigned the vulnerability a CVSS rating of 8.1, indicating excessive severity.
Home windows Distant Desktop Gateway UAF Vulnerability
In response to researchers, profitable exploitation requires an attacker to:
Connect with a system working the RD Gateway function.
Set off concurrent connections to the RD Gateway (through a number of sockets).
Exploit the timing challenge the place reminiscence allocation and pointer task happen out of sync.
Trigger one connection to overwrite the pointer earlier than one other finishes referencing it.
The exploit entails a nine-step timeline of heap collisions between threads, resulting in eventual use of a freed reminiscence block, opening the door for arbitrary code execution.
A number of variations of Home windows Server that make the most of RD Gateway for safe distant entry are susceptible, together with:
Home windows Server 2016 (Core and Commonplace installations).
Home windows Server 2019 (Core and Commonplace installations).
Home windows Server 2022 (Core and Commonplace installations).
Home windows Server 2025 (Core and Commonplace installations).
Organizations utilizing RD Gateway as a important entry level for workers, contractors, or companions working remotely are notably in danger.
Microsoft addressed the vulnerability in Might 2025 Patch Tuesday by introducing mutex-based synchronization, guaranteeing that just one thread can initialize the worldwide occasion at any given time. The next safety updates can be found:
Home windows Server 2016: Replace KB5050011.
Home windows Server 2019: Replace KB5050008 (Construct 10.0.17763.6775).
Home windows Server 2022: Replace KB5049983 (Construct 10.0.20348.3091).
Home windows Server 2025: Replace KB5050009 (Construct 10.0.26100.2894).
Safety specialists strongly urge organizations to use these patches instantly. “This vulnerability represents a important danger to enterprise environments that depend on Distant Desktop Gateway for safe distant entry,” famous a safety researcher conversant in the difficulty.
Till patches will be utilized, organizations are suggested to observe RD Gateway logs for uncommon exercise and contemplate implementing network-level protections to restrict incoming connections to trusted sources.
Vulnerability Assault Simulation on How Hackers Quickly Probe Web sites for Entry Factors – Free Webinar
