
A serious security vulnerability in Windows Remote Desktop Services, identified as CVE-2025-32710, allows unauthorized attackers to execute arbitrary code remotely without requiring authentication.

Disclosed on June 10, 2025, this vulnerability affects several versions of Windows Server and has a CVSS score of 8.1, indicating a high severity level with the potential for significant system compromise.

The flaw arises from a combination of a use-after-free condition and a race condition in the Remote Desktop Gateway service, enabling attackers to gain complete control over vulnerable systems through network-based exploitation.

Remote Desktop Services RCE Vulnerability

CVE-2025-32710 is a sophisticated memory corruption vulnerability classified under two Common Weakness Enumeration (CWE) categories: CWE-416 (Use After Free) and CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization).

The CVSS vector string for this vulnerability is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C, indicating a network-based attack vector that requires high complexity but no privileges or user interaction.

The technical exploitation mechanism involves an attacker connecting to a system running the Remote Desktop Gateway role and triggering a race condition that leads to a use-after-free scenario. This memory corruption allows the attacker to manipulate freed memory regions, potentially resulting in arbitrary code execution with system-level privileges.

The vulnerability's attack complexity is rated as high, as successful exploitation requires overcoming a race condition, making it challenging but not impossible for determined threat actors.

Impact Assessment

The impact assessment reveals maximum severity across all three security domains: confidentiality, integrity, and availability are all rated as “High.” This means that successful exploitation could lead to complete system compromise, including unauthorized access to sensitive data, modification of system configurations, and potential denial of service conditions that could disrupt business operations.

Security researchers SmallerDragon and ʌ!ɔ⊥ojv from Kunlun Lab are credited with discovering and responsibly disclosing this vulnerability through coordinated disclosure processes.

Affected Systems and Security Updates

Microsoft has identified multiple Windows Server versions vulnerable to CVE-2025-32710, ranging from legacy systems to current releases. The affected platforms include:

- Windows Server 2008 (both 32-bit and x64-based systems with Service Pack 2)
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025

Each affected version has received corresponding security updates with specific Knowledge Base (KB) numbers. For example, Windows Server 2025 has updates KB5058411 and KB5058497, bringing the system to build version 10.0.26100.4061. Windows Server 2022 requires updates KB5058385 and KB5058500, updating to build 10.0.20348.3692. Legacy systems like Windows Server 2008 receive updates KB5061198 and KB5058429, reaching version 6.0.6003.23317.

The security updates are delivered through Microsoft’s standard patch distribution channels, including Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. Organizations using Server Core installations are also affected and must apply the corresponding patches to maintain their security posture.

Despite the critical severity rating, Microsoft’s exploitability assessment categorizes this vulnerability as “Exploitation Less Likely” due to the high complexity required for an attack. At the time of publication, the vulnerability has not been publicly disclosed through other channels, and no active exploitation has been observed in the wild.

Organizations should prioritize the immediate deployment of the June 2025 security updates across all affected Windows Server installations. Additionally, network segmentation and access controls should be implemented to limit Remote Desktop Services exposure to untrusted networks. Enabling Windows Defender or other endpoint protection solutions can provide additional layers of defense against potential exploitation attempts.