A critical security flaw in Microsoft’s Remote Desktop Gateway (RD Gateway), tracked as CVE-2025-21297, allows attackers to execute malicious code remotely. The vulnerability was disclosed in January 2025 and has been actively exploited since.
Discovered by VictorV from Kunlun Lab, the flaw is a use-after-free (UAF) bug caused by improper thread synchronization in the aaedge.dll library. Specifically, multiple threads can overwrite a global pointer (m_pMsgSvrInstance) during RD Gateway initialization, leading to memory corruption and arbitrary code execution.
The vulnerability has a high severity score of 8.1 (CVSS) and affects multiple Windows Server versions running RD Gateway, including 2016, 2019, 2022, and 2025 editions (both Core and Standard).
How the Exploit Works
- An attacker connects to a system running RD Gateway.
- They trigger multiple concurrent socket connections to exploit a race condition.
- This causes a timing issue where memory pointers are overwritten prematurely.
- The race leads to use of freed memory, enabling remote code execution.
Microsoft’s Fix and Recommendations
Microsoft addressed the issue in the May 2025 Patch Tuesday update by adding mutex-based synchronization to prevent concurrent thread conflicts. The relevant updates are:
- Windows Server 2016: KB5050011
- Windows Server 2019: KB5050008 (Build 10.0.17763.6775)
- Windows Server 2022: KB5049983 (Build 10.0.20348.3091)
- Windows Server 2025: KB5050009 (Build 10.0.26100.2894)
Security experts urge organizations to apply these patches immediately. Until then, it is advised to monitor RD Gateway logs for suspicious activity and restrict network access to trusted sources to reduce risk.
This vulnerability poses a significant threat to enterprises relying on RD Gateway for secure remote access, as successful exploitation can lead to full system compromise.
