June 11, 2025
Severity
High
Analysis Summary
On June 10, 2025, Microsoft disclosed CVE-2025-32710, a critical Remote Code Execution (RCE) vulnerability affecting multiple versions of Windows Server, from legacy releases such as Windows Server 2008 through the current Windows Server 2025. Rated high severity under CVSS, the vulnerability poses a significant threat to system confidentiality, integrity, and availability. It arises from a combination of a use-after-free (CWE-416) and a race condition (CWE-362) in the Remote Desktop Gateway (RD Gateway) service, allowing remote attackers to execute arbitrary code without authentication or user interaction. Despite its high impact, exploitation is considered difficult because the attacker must win a race condition, and Microsoft currently classifies it as “Exploitation Less Likely.”
The vulnerability is exploitable remotely over the network (CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): once the race condition is triggered, an attacker can manipulate the freed memory region. If successful, the attacker gains system-level privileges and full control of the affected host, meaning adversaries could access sensitive data, modify configurations, and potentially render services unavailable. Because no privileges or user interaction are required, network-exposed RD Gateway servers are particularly high-risk targets, especially in organizations with publicly accessible RDP endpoints.
Microsoft has released patches for all impacted versions, including updates like KB5058411 and KB5058497 for Windows Server 2025, KB5058385 for Server 2022, and KB5061198 for Server 2008. These updates are available via standard channels such as Windows Update, WSUS, and the Microsoft Update Catalog. It is critical to note that even Server Core installations are vulnerable, emphasizing the need for comprehensive patch management. Although the vulnerability has not yet been observed in active exploitation, its potential impact demands immediate attention.
Organizations are strongly urged to deploy the June 2025 updates without delay. To mitigate exposure, it's essential to restrict access to Remote Desktop Services using proper network segmentation and firewall configurations. Implementing robust endpoint protection like Microsoft Defender can further reduce the risk of exploitation. The vulnerability was responsibly disclosed by researchers, and their findings underscore the importance of addressing complex memory corruption issues before threat actors can exploit them.
Impact
- Sensitive Data Theft
- Remote Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-32710
Affected Vendors
- Microsoft
Affected Products
- Windows Server 2008 R2
- Windows Server 2019
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2016
- Windows Server 2022
- Windows Server 2025
- Windows Server 2008 (both 32-bit and x64-based systems with Service Pack 2)
Remediation
- Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
- Limit Remote Desktop Gateway access to trusted internal networks. Avoid exposing RD Gateway directly to the internet.
- Place RD Gateway servers behind firewalls and isolate them from critical systems using segmentation to reduce lateral movement risk.
- Ensure systems running Server Core (no GUI) are also updated, as they are equally vulnerable.
- Use Microsoft Defender or equivalent endpoint protection to detect and block exploitation attempts.
- Configure firewall rules to allow RD Gateway access only from known and trusted IP addresses.
- Enable logging and monitor network traffic and authentication attempts for anomalies targeting RDP services.
- Perform vulnerability scans to confirm patch deployment and ensure no unpatched systems remain exposed.
- Ensure users accessing RD Gateway have only the minimum required privileges to reduce the blast radius of any potential exploitation.
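One way to audit a single host against the remediation items above, written here as an added example that is not part of the advisory: it checks whether the RD Gateway role is present, whether one of the June 2025 KBs the advisory names is installed, and whether inbound firewall rules for the gateway ports accept any remote address. The role name RDS-Gateway, the ports 443/TCP and 3391/UDP, and the KB mapping (only the versions the advisory lists) are assumptions.

```powershell
# Added example (not from the advisory). Assumed: role name 'RDS-Gateway',
# RD Gateway ports 443/TCP and 3391/UDP, and this KB-to-version mapping,
# which repeats the KBs named in the advisory; Server 2012/2016/2019 are
# not listed there and need their own KB added before use.
$KbByVersion = @{
    'Server 2025' = @('KB5058411', 'KB5058497')
    'Server 2022' = @('KB5058385')
    'Server 2008' = @('KB5061198')
}
$os = (Get-CimInstance Win32_OperatingSystem).Caption
$findings = @()

# 1. Is the RD Gateway role installed? Without it the host is not an
#    RD Gateway target, though it still needs the cumulative update.
$gw = Get-WindowsFeature -Name RDS-Gateway -ErrorAction SilentlyContinue
if (-not ($gw -and $gw.Installed)) { $findings += 'RD Gateway role not installed' }

# 2. Is one of the advisory's June 2025 KBs present for this OS version?
$match = $KbByVersion.Keys | Where-Object { $os -like "*$_*" } | Select-Object -First 1
if ($match) {
    $wanted = $KbByVersion[$match]
    $installed = Get-HotFix | Where-Object { $wanted -contains $_.HotFixID }
    if ($installed) { $findings += "Patched: $($installed.HotFixID -join ', ')" }
    else { $findings += "MISSING: none of $($wanted -join ', ') installed" }
} else {
    $findings += "No KB mapped for '$os'; check the Microsoft Security Update Guide"
}

# 3. Do enabled inbound Allow rules for the gateway ports accept traffic
#    from 'Any' remote address? The advisory asks for trusted-IP scoping.
$ports = @(@{ Proto = 'TCP'; Port = '443' }, @{ Proto = 'UDP'; Port = '3391' })
foreach ($p in $ports) {
    $rules = Get-NetFirewallPortFilter -Protocol $p.Proto |
        Where-Object { $_.LocalPort -eq $p.Port } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    foreach ($r in $rules) {
        $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            $findings += "Rule '$($r.DisplayName)' allows $($p.Proto)/$($p.Port) from Any"
        }
    }
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it in an elevated session on each RD Gateway host; a "MISSING" or "from Any" line is an item to act on.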