A critical vulnerability in Microsoft\u2019s Remote Desktop Gateway (RD Gateway) that could allow attackers to execute malicious code on affected systems remotely.<\/p>\n
The vulnerability, tracked as CVE-2025-21297<\/a>, was disclosed by Microsoft in their January 2025 security updates and has since been actively exploited in the wild.<\/p>\n The flaw, discovered and reported by VictorV (Tang Tianwen) from Kunlun Lab, stems from a use-after-free (UAF) bug triggered by concurrent socket connections during the initialization of the Remote Desktop Gateway service.<\/p>\n Specifically, the vulnerability exists in the aaedge.dll library, within the CTsgMsgServer::GetCTsgMsgServerInstance function, where a global pointer (m_pMsgSvrInstance) is initialized without proper thread synchronization.<\/p>\n \u201cThe vulnerability occurs when multiple threads can overwrite the same global pointer, corrupting reference counts and ultimately leading to the dereferencing of a dangling pointer \u2013 a classic UAF scenario,\u201d explains the security advisory<\/a>.<\/p>\n The race condition allows attackers to exploit a timing issue where memory allocation and pointer assignment occur out of sync, potentially leading to arbitrary code execution. Microsoft has assigned the vulnerability a CVSS score of 8.1, indicating high severity.<\/p>\n According to researchers, successful exploitation requires an attacker to:<\/p>\n The exploit involves a nine-step timeline of heap collisions between threads, leading to eventual use of a freed memory block, opening the door for arbitrary code execution.<\/p>\n Multiple versions of Windows Server that utilize RD Gateway for secure remote access are vulnerable, including:<\/p>\n Organizations using RD Gateway as a critical access point for employees, contractors, or partners working remotely are particularly at risk.<\/p>\n Microsoft addressed the vulnerability in May 2025 Patch Tuesday<\/a> by introducing mutex-based synchronization, ensuring that only one thread can initialize the global instance at any given time. The following security updates are available:<\/p>\n Security experts strongly urge organizations to apply these patches immediately. \u201cThis vulnerability represents a critical risk to enterprise environments that rely on Remote Desktop Gateway for secure remote access,\u201d noted a security researcher familiar with the issue.<\/p>\n Until patches can be applied, organizations are advised to monitor RD Gateway logs for unusual activity and consider implementing network-level protections to limit incoming connections to trusted sources.<\/p>\n Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points \u2013 Free Webinar<\/a><\/strong><\/p>\n The post Windows Remote Desktop Gateway UAF Vulnerability Allows Remote Code Execution<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nWindows Remote Desktop Gateway UAF Vulnerability<\/strong><\/h2>\n
\n
\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh2aMpY6xWDg531M3aQWOBaj8fByuzm7YBdWzX4kLhe7B_eeSLYx8QG8sNcBKfQtBHWutswBlIBvtMOcOpWS81py0EDhg6nojIoN0Cl4KgdbMEdYjPp2cXVM3pVp7utmtGsBzthPxlCKkSwyjRhhNG5hRXc2_-ujAMuMUcUAOvKVrdK6UJ6JkLGHCldzz-F\/w640-h458\/remote%2520desktop%2520services.webp?ssl=1\")
<\/figure>\n<\/div>\n\n