New Vulnerability Found in Windows Remote Desktop Service: Hackers Can Execute Malicious Code Remotely

A serious vulnerability has been identified in Microsoft Windows Remote Desktop Services, allowing attackers to execute malicious code remotely over RDP without authenticating first.

This vulnerability, tracked as CVE-2025-27480, is a use-after-free issue in the Remote Desktop Gateway service and has been assigned a high CVSS score of 8.1. It particularly threatens enterprise systems and organizations that provide services globally.

The issue arises due to a memory management problem in the Remote Desktop Gateway service. This use-after-free vulnerability allows attackers to reuse a mismanaged object in memory, which can lead to remote execution of malicious code.

According to Microsoft’s advisory, an attacker can connect to a system with the Remote Desktop Gateway role installed, deliberately trigger the use-after-free condition, and execute arbitrary code on the compromised system.

The vulnerability is classified as CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C, meaning that it is reachable over the network (AV:N) and requires no user interaction (UI:N) or privileges (PR:N), but exploitation is of high complexity (AC:H). The temporal metrics (E:U/RL:O/RC:C) indicate that no working exploit was known at the time of publication and that an official fix is available. The attacker leverages memory management errors to reuse allocated memory.

How the Vulnerability Works:

  1. The service allocates memory for an object.
  2. It then frees this memory.
  3. The service later accesses the freed memory.
  4. An attacker who can influence what the freed memory is reused for can turn this stale access into arbitrary code execution.
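As an added illustration (not Microsoft's code and not the actual Remote Desktop Gateway defect), the following C program models steps 1 to 4 with a small fixed-slot object pool so that the stale access is deterministic and observable rather than undefined behaviour: a handle issued to one owner keeps pointing at the slot after it is freed and reallocated to a second owner. All names (Pool, Handle, owner_unchecked, owner_checked, the scenario functions) are assumptions made for this example. The checked variant tags each handle with a generation counter and refuses stale handles, which is one of the standard ways object managers detect this class of bug.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a tiny fixed-size object pool that models the
 * allocate -> free -> reuse -> stale-access sequence. Not RD Gateway code. */

#define POOL_SLOTS 4

typedef struct {
    uint32_t owner_id;   /* which session currently owns this slot (0 = none) */
    uint32_t generation; /* incremented on every free */
    bool in_use;
} Slot;

typedef struct {
    Slot slots[POOL_SLOTS];
} Pool;

/* A handle records the slot index and the generation it was issued for. */
typedef struct {
    uint32_t index;
    uint32_t generation;
} Handle;

void pool_init(Pool *p) { memset(p, 0, sizeof *p); }

/* Allocate the first free slot; index == POOL_SLOTS signals exhaustion. */
Handle pool_alloc(Pool *p, uint32_t owner_id) {
    for (uint32_t i = 0; i < POOL_SLOTS; i++) {
        if (!p->slots[i].in_use) {
            p->slots[i].in_use = true;
            p->slots[i].owner_id = owner_id;
            return (Handle){ i, p->slots[i].generation };
        }
    }
    return (Handle){ POOL_SLOTS, 0 };
}

void pool_free(Pool *p, Handle h) {
    if (h.index >= POOL_SLOTS) return;
    Slot *s = &p->slots[h.index];
    s->in_use = false;
    s->owner_id = 0;
    s->generation++;   /* any handle still holding the old generation is now stale */
}

/* Unchecked access: trusts the index alone, the classic use-after-free pattern.
 * Returns the owner id of whatever currently occupies the slot. */
uint32_t owner_unchecked(const Pool *p, Handle h) {
    return p->slots[h.index].owner_id;
}

/* Checked access: rejects handles whose generation no longer matches.
 * Returns 0 for a stale, freed or out-of-range handle. */
uint32_t owner_checked(const Pool *p, Handle h) {
    if (h.index >= POOL_SLOTS) return 0;
    const Slot *s = &p->slots[h.index];
    if (!s->in_use || s->generation != h.generation) return 0;
    return s->owner_id;
}

/* Steps 1-3 of the article with the unchecked accessor: the stale handle
 * silently observes the second owner's object (returns 2002). */
uint32_t scenario_unchecked(void) {
    Pool p; pool_init(&p);
    Handle a = pool_alloc(&p, 1001);   /* step 1: allocate */
    pool_free(&p, a);                  /* step 2: free */
    Handle b = pool_alloc(&p, 2002);   /* slot reused by another owner */
    (void)b;
    return owner_unchecked(&p, a);     /* step 3: access through stale handle */
}

/* Same sequence with the generation check: the stale handle is refused (returns 0). */
uint32_t scenario_checked(void) {
    Pool p; pool_init(&p);
    Handle a = pool_alloc(&p, 1001);
    pool_free(&p, a);
    Handle b = pool_alloc(&p, 2002);
    (void)b;
    return owner_checked(&p, a);
}

/* Control case: a live handle still resolves correctly under the check (returns 1001). */
uint32_t scenario_live(void) {
    Pool p; pool_init(&p);
    Handle a = pool_alloc(&p, 1001);
    return owner_checked(&p, a);
}

int main(void) {
    printf("unchecked stale access sees owner %u\n", scenario_unchecked());
    printf("checked stale access returns     %u\n", scenario_checked());
    printf("checked live access returns      %u\n", scenario_live());
    return 0;
}
```

In a real allocator the stale access would read whatever the heap later placed in the reused block, which is exactly the object confusion the advisory describes; the generation check turns that silent confusion into a detectable error, and is the kind of defence-in-depth that complements the patch rather than replacing it.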

Microsoft also announced another “Critical” vulnerability, CVE-2025-27487, affecting the Remote Desktop Client. This flaw allows arbitrary code execution on the client when the user connects to a malicious remote server.

Unlike CVE-2025-27480, this vulnerability requires user interaction (i.e., the user must connect to a malicious server to trigger the vulnerability).

Microsoft has released official patches for several systems and distributed updates to protect against this vulnerability. However, updates for some Windows 10 versions are still pending and are expected to be released soon.

Security Experts Recommend the Following Actions:

  • Immediately install all updates
  • Minimize the use of RDP services and segment the network
  • Enable Network Level Authentication (NLA)
  • Monitor RDP connections and actions performed through them carefully

CVE-2025-27480 is a critical entry point for remote takeover of affected systems. Such vulnerabilities pose serious risks not only to organizations but also to individual users. By installing the updates released by Microsoft and implementing the security measures above, these attacks can be prevented.