A critical vulnerability in Microsoft’s Remote Desktop Gateway (RD Gateway) that could allow attackers to execute malicious code on affected systems remotely.
The vulnerability, tracked as CVE-2025-21297, was disclosed by Microsoft in their January 2025 security updates and has since been actively exploited in the wild.
The flaw, discovered and reported by VictorV (Tang Tianwen) from Kunlun Lab, stems from a use-after-free (UAF) bug triggered by concurrent socket connections during the initialization of the Remote Desktop Gateway service.
.png
)
Specifically, the vulnerability exists in the aaedge.dll library, within the CTsgMsgServer::GetCTsgMsgServerInstance function, where a global pointer (m_pMsgSvrInstance) is initialized without proper thread synchronization.
“The vulnerability occurs when multiple threads can overwrite the same global pointer, corrupting reference counts and ultimately leading to the dereferencing of a dangling pointer – a classic UAF scenario,” explains the security advisory.
The race condition allows attackers to exploit a timing issue where memory allocation and pointer assignment occur out of sync, potentially leading to arbitrary code execution. Microsoft has assigned the vulnerability a CVSS score of 8.1, indicating high severity.
Windows Remote Desktop Gateway UAF Vulnerability
According to researchers, successful exploitation requires an attacker to:
- Connect to a system running the RD Gateway role.
- Trigger concurrent connections to the RD Gateway (via multiple sockets).
- Exploit the timing issue where memory allocation and pointer assignment occur out of sync.
- Cause one connection to overwrite the pointer before another finishes referencing it.
The exploit involves a nine-step timeline of heap collisions between threads, leading to eventual use of a freed memory block, opening the door for arbitrary code execution.
Multiple versions of Windows Server that utilize RD Gateway for secure remote access are vulnerable, including:
- Windows Server 2016 (Core and Standard installations).
- Windows Server 2019 (Core and Standard installations).
- Windows Server 2022 (Core and Standard installations).
- Windows Server 2025 (Core and Standard installations).
Organizations using RD Gateway as a critical access point for employees, contractors, or partners working remotely are particularly at risk.
Microsoft addressed the vulnerability in May 2025 Patch Tuesday by introducing mutex-based synchronization, ensuring that only one thread can initialize the global instance at any given time. The following security updates are available:
- Windows Server 2016: Update KB5050011.
- Windows Server 2019: Update KB5050008 (Build 10.0.17763.6775).
- Windows Server 2022: Update KB5049983 (Build 10.0.20348.3091).
- Windows Server 2025: Update KB5050009 (Build 10.0.26100.2894).
Security experts strongly urge organizations to apply these patches immediately. “This vulnerability represents a critical risk to enterprise environments that rely on Remote Desktop Gateway for secure remote access,” noted a security researcher familiar with the issue.
Until patches can be applied, organizations are advised to monitor RD Gateway logs for unusual activity and consider implementing network-level protections to limit incoming connections to trusted sources.
Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points – Free Webinar
