We value your privacy

We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

NewApp Digest
search bot

Windows Remote Desktop Gateway UAF Vulnerability Allows Remote Code Execution

May 19, 2025

A critical vulnerability has emerged within Microsoft’s Remote Desktop Gateway (RD Gateway), presenting a significant risk to systems that rely on this service for secure remote access. This flaw, designated as CVE-2025-21297, was unveiled in Microsoft’s January 2025 security updates and has already been observed in active exploitation scenarios.

The vulnerability was identified by VictorV (Tang Tianwen) from Kunlun Lab, stemming from a use-after-free (UAF) bug that is triggered by concurrent socket connections during the initialization phase of the RD Gateway service. Specifically, the issue resides in the aaedge.dll library, particularly within the CTsgMsgServer::GetCTsgMsgServerInstance function. Here, a global pointer, m_pMsgSvrInstance, is initialized without adequate thread synchronization.

As detailed in the security advisory, “The vulnerability occurs when multiple threads can overwrite the same global pointer, corrupting reference counts and ultimately leading to the dereferencing of a dangling pointer – a classic UAF scenario.” This race condition allows attackers to exploit a timing issue where memory allocation and pointer assignment become desynchronized, which can potentially lead to arbitrary code execution. Microsoft has assigned a CVSS score of 8.1 to this vulnerability, indicating its high severity.

Windows Remote Desktop Gateway UAF Vulnerability

Researchers have outlined the steps required for successful exploitation:

  1. Connect to a system that is running the RD Gateway role.
  2. Initiate concurrent connections to the RD Gateway through multiple sockets.
  3. Exploit the timing issue where memory allocation and pointer assignment are out of sync.
  4. Cause one connection to overwrite the pointer before another connection completes its reference to it.

This exploit unfolds through a nine-step sequence of heap collisions among threads, ultimately leading to the utilization of a freed memory block, thereby paving the way for arbitrary code execution.

Multiple versions of Windows Server that employ RD Gateway for secure remote access are affected, including:

  • Windows Server 2016 (Core and Standard installations).
  • Windows Server 2019 (Core and Standard installations).
  • Windows Server 2022 (Core and Standard installations).
  • Windows Server 2025 (Core and Standard installations).

Organizations that utilize RD Gateway as a vital access point for employees, contractors, or partners working remotely face heightened risks.

In response to this vulnerability, Microsoft released a fix during the May 2025 Patch Tuesday, implementing mutex-based synchronization to ensure that only one thread can initialize the global instance at any given time. The following security updates are now available:

  • Windows Server 2016: Update KB5050011.
  • Windows Server 2019: Update KB5050008 (Build 10.0.17763.6775).
  • Windows Server 2022: Update KB5049983 (Build 10.0.20348.3091).
  • Windows Server 2025: Update KB5050009 (Build 10.0.26100.2894).

Security experts are urging organizations to implement these patches without delay. “This vulnerability represents a critical risk to enterprise environments that rely on Remote Desktop Gateway for secure remote access,” remarked a security researcher familiar with the situation.

In the interim, organizations are advised to monitor RD Gateway logs for any unusual activity and consider implementing network-level protections to restrict incoming connections to trusted sources.

Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points – Free Webinar

Winsage