Wednesday, May 14, 2025
Windows Remote Desktop Vulnerability Lets Attackers Execute Malicious Code Over Network

by Charline

Microsoft’s May 2025 Patch Tuesday update addressed several critical vulnerabilities in Windows Remote Desktop services, which could allow attackers to execute malicious code remotely. Experts are urging users to apply these patches as soon as possible to protect their systems from potential exploits.

Critical Remote Desktop Vulnerabilities Identified

Among the 72 flaws fixed in this month’s security update, two stand out as particularly concerning. CVE-2025-29966 and CVE-2025-29967 both involve heap-based buffer overflow vulnerabilities in the Remote Desktop Client and Gateway Service, respectively. These flaws allow unauthorized attackers to execute arbitrary code over a network.

“In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution on the RDP client machine when a victim connects to the attacker’s server using the vulnerable Remote Desktop Client,” Microsoft explained in its security advisory.

Vulnerabilities With Critical Severity

These vulnerabilities have been assigned a Critical severity rating with a high CVSS score, reflecting the impact they could have on vulnerable systems. Both flaws fall under CWE-122: Heap-based Buffer Overflow, a weakness class that lets attackers corrupt memory and execute arbitrary code.

Wide Range of Systems Affected

The vulnerabilities impact multiple versions of Windows operating systems that use Remote Desktop services. Microsoft has not reported any active exploitation of these flaws and has classified them as “Exploitation Less Likely” for now.

“Although these particular vulnerabilities haven’t been exploited yet, similar Remote Desktop flaws have been prime targets for attackers in the past,” said a cybersecurity researcher familiar with the matter. “The potential for an unauthenticated attacker to gain remote code execution makes these vulnerabilities especially dangerous.”

May 2025 Patch Tuesday Addresses Multiple Issues

These Remote Desktop vulnerabilities were part of the 72 flaws addressed in Microsoft’s May Patch Tuesday. The update also resolved five actively exploited zero-day vulnerabilities, including issues in the Windows DWM Core Library, Windows Common Log File System Driver, and Windows Ancillary Function Driver for WinSock.

Immediate Action Recommended

Security experts recommend that both organizations and individual users apply the patches immediately. The vulnerabilities can be exploited when users connect to malicious Remote Desktop servers, potentially putting their systems at risk of complete compromise.

For systems unable to patch immediately, experts suggest limiting Remote Desktop connections to trusted servers and implementing additional network security measures to mitigate potential attack vectors.

The May 2025 security updates are available through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog.
