Analysis Summary

Microsoft has released critical security updates addressing two major vulnerabilities in the Windows Remote Desktop Gateway (RD Gateway) service, CVE-2025-26677 and CVE-2025-29831, both rated high, Denial-of-Service (DoS) vulnerabilities caused by uncontrolled resource consumption (CWE-400). It can be exploited by unauthenticated remote attackers with no user interaction, leading to service disruption. This poses a serious risk to organizations relying heavily on remote desktop services for daily operations, especially if these services are exposed to the internet.

The vulnerability affects multiple Windows Server versions, including 2016, 2019, 2022, and 2025 (both Core and Standard editions). Microsoft has addressed the issue through patches KB5058383, KB5058392, KB5058385, and KB5058411, urging administrators to apply them immediately despite exploitation being currently rated as “less likely.” Security researchers responsibly disclosed the issue to Microsoft. The vulnerability is assigned a High severity rating due to its low attack complexity, network-based vector, and the potential for significant disruption, though it does not compromise confidentiality or integrity.

The second vulnerability, CVE-2025-29831, is a remote code execution (RCE) flaw stemming from a Use After Free condition. Unlike the DoS issue, this vulnerability requires user interaction, specifically an admin restarting or stopping the RD Gateway service, and involves higher attack complexity. It affects a broader range of systems, including Windows Server 2008 R2, 2012/R2, in addition to the versions impacted by CVE-2025-26677. Successful exploitation could lead to system compromise, making it essential that organizations apply the relevant patches during their next maintenance cycle.

Given the critical role of Remote Desktop Gateway services in enabling secure remote access to internal networks, both vulnerabilities represent high-value targets for attackers. Although there is no current evidence of exploitation in the wild, Microsoft and security experts strongly recommend prompt patching and reviewing RD Gateway exposure to the internet. Organizations should also consider applying additional network-level protections, such as segmentation and access restrictions, to minimize their attack surface.

Impact

• Remote Code Execution
• Denial of Service

Indicators of Compromise

CVE

• CVE-2025-26677

• CVE-2025-29831

Affected Vendors

Remediation

• Use the Microsoft Security Update Guide to search for available patches for CVE-2025-26677
• CVE-2025-29831
• Install the latest patches provided by Microsoft: KB5058383, KB5058392, KB5058385, and KB5058411, depending on your Windows Server version.
• Restrict Remote Desktop Gateway services to trusted internal or VPN-based access only.
• Avoid exposing RD Gateway services directly to the Internet.
• Review event logs for unusual activity related to RD Gateway service usage or resource consumption.
• Use firewalls or Network Security Groups (NSGs) to limit access to RD Gateway ports (typically TCP 443).
• Implement IP allowlists or VPN tunnels for administrative access.
• Configure resource throttling to prevent potential abuse from excessive or malformed traffic.
• For CVE-2025-29831, minimize manual restarts of RD Gateway services unless necessary.
• Implement access control measures for administrators who can stop/start critical services.
• Perform vulnerability scans and penetration tests to validate that RD Gateway configurations are secure after patching.
• Educate administrators on the risk associated with restarting RD Gateway services while unpatched.
• Ensure incident response teams are aware of the vulnerabilities and have a mitigation playbook in place.
• Integrate these updates into your routine patch management process for all affected Windows Server systems.
• Disable RD Gateway service on servers where it is not needed to eliminate unnecessary exposure.