May 19, 2025
Severity
High
Analysis Summary
A critical remote code execution vulnerability, CVE-2025-21297, was disclosed by Microsoft in January 2025 and patched in May 2025. This high-severity flaw affects Microsoft’s Remote Desktop Gateway (RD Gateway) and is actively being exploited in the wild. It was discovered by a security lab and arises from a use-after-free (UAF) bug in the aaedge.dll library, specifically in the CTsgMsgServer::GetCTsgMsgServerInstance function.
The vulnerability is due to a race condition where multiple threads concurrently initialize a global pointer (m_pMsgSvrInstance) without proper synchronization. This allows attackers to corrupt memory and execute arbitrary code by manipulating timing through multiple socket connections to the RD Gateway. The flaw enables one thread to overwrite the global pointer while another is still referencing it, causing a dangling pointer to be dereferenced.
To exploit the vulnerability, an attacker must:
- Connect to a system running the RD Gateway role.
- Initiate concurrent socket connections.
- Exploit timing to cause heap collisions and pointer corruption.
Affected systems include:
- Windows Server 2016, 2019, 2022, and 2025 (Core and Standard editions).
Microsoft mitigated the vulnerability by implementing mutex-based synchronization to prevent simultaneous thread access. The following security updates are available:
- Windows Server 2016: KB5050011
- Windows Server 2019: KB5050008
- Windows Server 2022: KB5049983
- Windows Server 2025: KB5050009
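The bug class and the fix described above, reduced to a stand-alone C example added here for illustration; this is not code from Microsoft or from aaedge.dll, and the MsgServer type, the getter names and the thread driver are assumptions. The first getter lazily initializes a global pointer with an unsynchronized check-then-act, the shape that lets two threads both see NULL and let a later store overwrite an earlier one that another caller already holds; the second performs the same work under a mutex so that exactly one initialization can ever happen.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the message server object; not aaedge.dll's layout. */
typedef struct {
    int creation_seq;
} MsgServer;

#define MAX_THREADS 64

static MsgServer *g_instance_racy = NULL;  /* unsynchronized global pointer */
static MsgServer *g_instance_safe = NULL;  /* mutex-guarded global pointer  */
static pthread_mutex_t g_instance_lock = PTHREAD_MUTEX_INITIALIZER;
static atomic_int g_racy_inits = 0;        /* instances created by each getter */
static atomic_int g_safe_inits = 0;
static int g_last_run_all_same = 0;

/* Vulnerable shape: check-then-act on a shared pointer with no lock. Two threads
 * can both observe NULL, both allocate, and the later store overwrites the
 * earlier one while callers already hold the earlier pointer. In the real bug the
 * overwritten object is eventually freed, leaving a dangling pointer; this demo
 * never frees, so it records the double initialization instead of faulting. */
MsgServer *get_instance_racy(void)
{
    if (g_instance_racy == NULL) {
        MsgServer *p = malloc(sizeof *p);
        if (p == NULL)
            abort();
        p->creation_seq = atomic_fetch_add(&g_racy_inits, 1);
        sched_yield();  /* widen the window between the check and the store */
        g_instance_racy = p;
    }
    return g_instance_racy;
}

/* Hardened shape: check and store happen under one mutex, so exactly one thread
 * initializes the pointer and every caller sees the same object. */
MsgServer *get_instance_safe(void)
{
    pthread_mutex_lock(&g_instance_lock);
    if (g_instance_safe == NULL) {
        MsgServer *p = malloc(sizeof *p);
        if (p == NULL)
            abort();
        p->creation_seq = atomic_fetch_add(&g_safe_inits, 1);
        sched_yield();  /* same window, now harmless: other threads block on the lock */
        g_instance_safe = p;
    }
    MsgServer *result = g_instance_safe;
    pthread_mutex_unlock(&g_instance_lock);
    return result;
}

struct worker_arg {
    int racy;
    MsgServer *seen;
};

static void *worker(void *arg)
{
    struct worker_arg *w = arg;
    w->seen = w->racy ? get_instance_racy() : get_instance_safe();
    return NULL;
}

/* Drives n concurrent callers through one getter (racy != 0 selects the
 * unsynchronized one). Returns how many instances that getter created; 1 means
 * the singleton invariant held. Whether every thread received the same pointer
 * is recorded for last_run_all_same(). */
int run_threads(int n, int racy)
{
    pthread_t tids[MAX_THREADS];
    struct worker_arg args[MAX_THREADS];
    if (n > MAX_THREADS) n = MAX_THREADS;
    if (n < 1) n = 1;
    for (int i = 0; i < n; i++) {
        args[i].racy = racy;
        args[i].seen = NULL;
        if (pthread_create(&tids[i], NULL, worker, &args[i]) != 0)
            abort();
    }
    for (int i = 0; i < n; i++)
        pthread_join(tids[i], NULL);
    g_last_run_all_same = 1;
    for (int i = 1; i < n; i++)
        if (args[i].seen != args[0].seen)
            g_last_run_all_same = 0;
    return racy ? atomic_load(&g_racy_inits) : atomic_load(&g_safe_inits);
}

int last_run_all_same(void) { return g_last_run_all_same; }

int main(void)
{
    int racy = run_threads(MAX_THREADS, 1);
    printf("unsynchronized: %d initialization(s), all callers same pointer: %s\n",
           racy, last_run_all_same() ? "yes" : "no");
    int safe = run_threads(MAX_THREADS, 0);
    printf("mutex-guarded:  %d initialization(s), all callers same pointer: %s\n",
           safe, last_run_all_same() ? "yes" : "no");
    return safe == 1 ? 0 : 1;
}
```

The unsynchronized count is scheduler-dependent (it may read 1 on a quiet machine and more than 1 under contention, which is exactly why such bugs survive testing), while the mutex-guarded getter always reports a single initialization and a single pointer across all callers. Running the same check under a thread sanitizer flags the unsynchronized read of the global as a data race even on runs where the count happens to stay at 1.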
Organizations heavily reliant on RD Gateway for secure remote access are urged to apply patches immediately. Until then, it’s advised to monitor RD Gateway logs, restrict network access, and enforce protections against unauthorized connections.
Impact
- Remote Code Execution
- Gain Unauthorized Access
- Lateral Movement
Indicators of Compromise
CVE
CVE-2025-21297
Affected Vendors
- Microsoft
Affected Products
- Microsoft Windows Server 2019 - 10.0.17763.0
- Microsoft Windows Server 2019 (Server Core installation) - 10.0.17763.0
- Microsoft Windows Server 2022 - 10.0.20348.0
- Microsoft Windows Server 2025 (Server Core installation) - 10.0.26100.0
- Microsoft Windows Server 2012 (Server Core installation) - 6.2.9200.0
- Microsoft Windows Server 2012 R2 - 6.3.9600.0
- Microsoft Windows Server 2012 R2 (Server Core installation) - 6.3.9600.0
- Microsoft Windows Server 2012 - 6.2.9200.0
- Microsoft Windows Server 2016 - 10.0.14393.0
- Microsoft Windows Server 2016 (Server Core installation) - 10.0.14393.0
- Microsoft Windows Server 2025 - 10.0.26100.0
- Microsoft Windows Server 2008 R2 Service Pack 1 (Server Core installation) - 6.1.7601.0
- Microsoft Windows Server 2008 R2 Service Pack 1 - 6.1.7601.0
Remediation
- Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
- Limit access to RD Gateway to trusted IP addresses using firewalls or network access controls.
- Monitor RD Gateway logs for unusual or unexpected connection patterns.
- Enable Network Level Authentication (NLA) to reduce unauthorized access.
- Use intrusion detection/prevention systems (IDS/IPS) to identify exploitation attempts.
- Isolate RD Gateway servers from critical internal systems using segmentation.
- Enforce multi-factor authentication (MFA) for remote access users.
- Regularly audit RD Gateway configurations and user access policies.
- Implement rate limiting or throttling on RD Gateway to reduce concurrent connection attempts.
- Disable RD Gateway temporarily if patching is not immediately possible and it is not mission-critical.