Microsoft’s May 2025 Patch Tuesday has addressed several critical vulnerabilities in Windows Remote Desktop services that could allow attackers to execute malicious code remotely. Security experts are urging users to apply these patches immediately to safeguard their systems against potential exploits.
Among the 72 flaws fixed in this month’s security update, two critical Remote Desktop vulnerabilities stand out as particularly concerning. CVE-2025-29966 and CVE-2025-29967 both involve heap-based buffer overflow vulnerabilities in the Remote Desktop Client and Gateway Service, respectively, allowing unauthorized attackers to execute arbitrary code over a network.
“In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution on the RDP client machine when a victim connects to the attacker’s server with the vulnerable Remote Desktop Client,” Microsoft explained in its security advisory.
.png
)
These vulnerabilities received “Critical” severity ratings with a high CVSS score, indicating their potential impact on affected systems. The flaws specifically exploit weaknesses classified under CWE-122: Heap-based Buffer Overflow, allowing attackers to corrupt memory in a way that enables code execution.
Wide Range of Systems Affected
The vulnerabilities impact multiple versions of Windows operating systems that utilize Remote Desktop services. While Microsoft has not yet reported active exploitation of these specific flaws in the wild, the company has classified them with an “Exploitation Less Likely” assessment for now.
“Although these particular vulnerabilities haven’t been exploited yet, similar Remote Desktop flaws have been prime targets for attackers in the past,” said a cybersecurity researcher familiar with the matter. “The potential for an unauthenticated attacker to gain remote code execution makes these vulnerabilities especially dangerous.”
These Remote Desktop vulnerabilities were among 72 flaws addressed in Microsoft’s May Patch Tuesday, which also fixed five actively exploited zero-day vulnerabilities, including issues in Windows DWM Core Library, Windows Common Log File System Driver, and Windows Ancillary Function Driver for WinSock.
Security experts recommend that organizations and individual users apply these patches immediately. The vulnerability could be exploited when users connect to malicious Remote Desktop servers, putting client machines at risk of complete system compromise.
For systems that cannot be immediately patched, experts suggest limiting Remote Desktop connections to trusted servers only and implementing additional network security measures to restrict potential attack vectors.
The May 2025 security updates are available through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog.
Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points – Free Webinar
