Analysis Summary

A critical vulnerability, CVE-2025-27480, has been identified in Microsoft Windows Remote Desktop Gateway Service, classified as a use-after-free memory flaw. This vulnerability, discovered by a researcher, allows unauthenticated remote code execution over the network without user interaction. It arises when the service allocates memory for an object, frees it, and later references the freed memory. This behavior creates a memory corruption window that an attacker could exploit to execute arbitrary code by manipulating the reused memory reference. The flaw has been rated, indicating high severity, particularly due to the lack of authentication and user interaction required for exploitation.

The researcher explained that attackers must win a race condition to trigger this vulnerability successfully, making the attack complexity high. Nevertheless, the vulnerability is still classified as critical due to the severe impact—confidentiality, integrity, and availability could all be compromised. The CVSS vector string highlights that exploitation is network-based, requires no privileges, and no user interaction. While there is no evidence of active exploitation, the public nature of this disclosure could accelerate threat actor interest in weaponizing the flaw.

In addition to CVE-2025-27480, Microsoft disclosed a related vulnerability, CVE-2025-27487, rated as "Important". This heap-based buffer overflow flaw impacts the Remote Desktop Client, and unlike the former, it requires user interaction. If a user connects to a malicious RDP server, the attacker can exploit this vulnerability to execute code on the client machine. This makes CVE-2025-27487 less dangerous in automated attacks, but still a serious concern in phishing or socially engineered scenarios targeting RDP users.

To mitigate both vulnerabilities, Microsoft has released patches for most systems, though some Windows 10 versions are still awaiting updates. Security experts strongly advise applying available patches immediately, segmenting networks to reduce Remote Desktop exposure, enabling Network Level Authentication (NLA), and closely monitoring for suspicious RDP activity. Organizations are also encouraged to re-evaluate their remote access infrastructure and implement layered security controls, given the continued exploitation risk of remote access services even after patch releases.

Impact

• Remote Code Execution
• Unauthorized Access

Indicators of Compromise

CVE

• CVE-2025-27480

• CVE-2025-27487

Affected Vendors

Remediation

• Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches
• Implement network segmentation to limit Remote Desktop Protocol (RDP) exposure.
• Enable Network Level Authentication (NLA) as an additional layer of protection.
• Monitor for suspicious RDP connection attempts and unusual behavior.
• Review remote access architecture and consider implementing additional protections beyond patching.
• For systems with pending updates, follow up with Microsoft for the latest release as soon as updates for affected Windows 10 versions are available.