Analysis Summary

Microsoft’s May 2025 Patch Tuesday update addresses a total of 72 vulnerabilities, with particular urgency surrounding two critical flaws in Windows Remote Desktop services. Identified as CVE-2025-29966 and CVE-2025-29967, these vulnerabilities involve heap-based buffer overflows in the Remote Desktop Client and Gateway Service. These flaws could allow an attacker to remotely execute malicious code on a victim’s system. Microsoft notes that an attacker could exploit the vulnerability by setting up a malicious Remote Desktop Server and triggering code execution on a user’s machine when they connect using a vulnerable client.

Both vulnerabilities have been assigned “Critical” severity ratings with high CVSS scores, highlighting their significant potential for damage. Classified under CWE-122: Heap-based Buffer Overflow, these weaknesses enable memory corruption that can lead to arbitrary code execution. Although Microsoft currently assesses the risk of exploitation as “Less Likely,” experts stress that the nature of these flaws, allowing unauthenticated remote code execution,n makes them particularly dangerous. Past exploitation of similar RDP vulnerabilities underscores the urgency to act before attackers begin actively targeting these flaws.

The impact is broad, affecting multiple versions of Windows that utilize Remote Desktop services. While no active exploitation has been reported at this time, the vulnerabilities remain a serious concern. Organizations and users are urged to apply the latest patches immediately to protect systems from potential compromise. In addition to these Remote Desktop issues, Microsoft also resolved five zero-day vulnerabilities this month, which were actively exploited and found in key components such as the Windows DWM Core Library, Common Log File System Driver, and Ancillary Function Driver for WinSock.

For environments where immediate patching is not feasible, security professionals recommend interim protective measures. These include restricting Remote Desktop access to trusted servers only and implementing strong network segmentation and firewall rules to minimize exposure. The full security updates are available via Windows Update, WSUS, and the Microsoft Update Catalog, and experts emphasize that delaying patch deployment increases the risk of exploitation and system compromise.

Impact

• Code Execution

Indicators of Compromise

CVE

• CVE-2025-29966

• CVE-2025-29967

Affected Vendors

Affected Products

• Microsoft Remote Desktop client for Windows Desktop - 1.2.0.0
• Microsoft Windows 10 Version 1809 - 10.0.17763.0
• Microsoft Windows Server 2019 - 10.0.17763.0
• Microsoft Windows Server 2019 (Server Core installation) - 10.0.17763.0
• Microsoft Windows Server 2022 - 10.0.20348.0
• Microsoft Windows 11 version 22H2 - 10.0.22621.0
• Microsoft Windows 10 Version 22H2 - 10.0.19045.0
• Microsoft Windows Server 2025 (Server Core installation) - 10.0.26100.0
• Microsoft Windows 10 Version 21H2 - 10.0.19044.0
• Microsoft Windows App Client for Windows Desktop - 1.00

Remediation

• Use to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches for CVE-2025-29966 and CVE-2025-29967.
• Limit Remote Desktop connections to only trusted servers and networks. Avoid connecting to unknown or unverified RDP servers.
• Use firewalls and internal network segmentation to isolate Remote Desktop services from broader access, reducing the risk of lateral movement.
• Turn off Remote Desktop services on machines where it is not required to minimize the attack surface.
• Enable NLA on all RDP-accessible systems to require authentication before a full RDP session is established.
• Set up alerts and actively monitor for unusual or unauthorized RDP connections that could indicate probing or exploitation attempts.
• Run vulnerability assessments on endpoints and servers to ensure patches are applied and no unpatched RDP instances remain exposed.