On December 10, 2024, Microsoft disclosed a critical vulnerability in its Windows Remote Desktop Services, tracked as CVE-2024-49115.
This security flaw allows attackers to execute remote code on affected systems, posing a severe threat to confidentiality, integrity, and availability. The vulnerability has been classified as critical, with a CVSS score of 8.1.
The vulnerability stems from two key weaknesses:
- CWE-591: Sensitive Data Storage in Improperly Locked Memory
- CWE-416: Use After Free
Attackers can exploit this flaw by connecting to a system with the Remote Desktop Gateway role and triggering a race condition. This creates a “use-after-free” scenario, enabling arbitrary code execution.
Notably, the attack requires no user interaction or privileges, but its high complexity makes successful exploitation less likely without advanced technical skills.
Windows Remote Desktop Services Vulnerability
The vulnerability affects multiple versions of Windows Server, including:
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
All affected versions have been patched as part of Microsoft’s December 2024 Patch Tuesday updates. While the exploit code maturity is currently unproven, and there is no evidence of active exploitation or public disclosure, the potential impact remains significant. Successful exploitation could give attackers full control over targeted systems via remote code execution.
Microsoft has released official fixes for all impacted systems. Users are strongly advised to immediately install the latest security updates to mitigate risks. The updates are available through the Microsoft Update Catalog and apply to both standard and server-core installations.
The vulnerability was responsibly disclosed by researcher k0shl from Kunlun Lab, whose efforts were acknowledged by Microsoft. Due to its critical nature and the widespread use of Remote Desktop Services in enterprise environments, the security community has emphasized the importance of addressing this flaw promptly.
This vulnerability is one of ten critical Remote Desktop-related flaws addressed in December’s Patch Tuesday release. Microsoft fixed a total of 71 vulnerabilities this month, including one actively exploited zero-day (CVE-2024-49138) unrelated to Remote Desktop Services.
Organizations relying on Remote Desktop Protocol (RDP) are reminded to follow best practices, such as limiting RDP access to trusted networks, enabling Network Level Authentication (NLA), and monitoring for suspicious activity.
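The checks above (patch applied, NLA enabled, RDP reachable only from trusted networks) and the scoping detail that the flaw is reachable through the Remote Desktop Gateway role can be audited from an elevated PowerShell session on the server itself. This is an added example, not code from the article or from Microsoft; the KB number is a placeholder the article does not give, so take the real one from the Microsoft Update Catalog entry for the December 2024 update.

```powershell
# Added example (not from the article or Microsoft): audit a Windows Server host
# for exposure to CVE-2024-49115 and for the RDP hardening steps the article lists.
# Run in an elevated PowerShell session on the server being reviewed.
# $PatchKB is a placeholder: use the KB id of the December 2024 update for this OS.
param(
    [string]$PatchKB = "KB<fill-in-from-update-catalog>"
)

$findings = @()

# 1. Scope: the flaw is triggered against hosts running the RD Gateway role service.
$gw = Get-WindowsFeature -Name RDS-Gateway
if ($gw.Installed) {
    $findings += "RD Gateway role is installed: host is in scope for CVE-2024-49115."
} else {
    $findings += "RD Gateway role not installed: out of scope, but still verify RDP hardening."
}

# 2. Patch state: look for the December 2024 cumulative update by KB id.
if (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue) {
    $findings += "$PatchKB is installed."
} else {
    $findings += "$PatchKB NOT found: install the December 2024 security update."
}

# 3. Network Level Authentication on the RDP listener (1 = required).
$ts = Get-CimInstance -Namespace root/cimv2/TerminalServices `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($ts.UserAuthenticationRequired -eq 1) {
    $findings += "NLA is enabled on RDP-Tcp."
} else {
    $findings += "NLA is DISABLED on RDP-Tcp: enable it."
}

# 4. Inbound RDP firewall rules should be scoped to trusted networks, not 'Any'.
$rdpRules = Get-NetFirewallRule -DisplayGroup "Remote Desktop" -Direction Inbound -Enabled True
foreach ($rule in $rdpRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains "Any") {
        $findings += "Rule '$($rule.DisplayName)' allows RDP from Any: restrict it to trusted networks."
    }
}

$findings
```

Each finding is a plain string so the output can be collected from many servers and reviewed centrally.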
CVE-2024-49115 underscores the persistent risks associated with remote access technologies like RDP. While no active exploits have been reported yet, the critical nature of this vulnerability highlights the need for immediate action to safeguard systems against potential attacks.