Microsoft Discloses Remote Code Execution Flaws in Remote Desktop and RPC Components
Microsoft published security advisories for multiple remote code execution vulnerabilities affecting Remote Desktop Client, Remote Desktop Protocol, and the Remote Procedure Call (RPC) Runtime. The referenced issues include CVE-2025-58718 in the Remote Desktop Client, alongside earlier Microsoft advisories for CVE-2022-21851 in the Remote Desktop Client, CVE-2022-21893 in Remote Desktop Protocol, and CVE-2022-21922 in the RPC Runtime.
The advisories indicate continued security risk around core Windows remote access and interprocess communication components that are widely used in enterprise environments. For defenders, the common thread is exposure to remote code execution in services and clients tied to remote connectivity, making Microsoft’s security updates for these CVEs a priority for systems that rely on RDP and RPC functionality.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes advisory for CVE-2025-58718
Microsoft added CVE-2025-58718 to its Security Update Guide as a Remote Desktop Client remote code execution vulnerability.
Microsoft publishes fixes for three January 2022 RCE vulnerabilities
Microsoft released Security Update Guide advisories for CVE-2022-21851, CVE-2022-21893, and CVE-2022-21922, covering remote code execution flaws in Remote Desktop Client, Remote Desktop Protocol, and Remote Procedure Call Runtime respectively.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2025-58718 - Security Update Guide - Microsoft - Remote Desktop Client Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2022-21851 - Security Update Guide - Microsoft - Remote Desktop Client Remote Code Execution Vulnerability
portal.msrc.microsoft.com
Open sourceCVE-2022-21893 - Security Update Guide - Microsoft - Remote Desktop Protocol Remote Code Execution Vulnerability
portal.msrc.microsoft.com
Open sourceCVE-2022-21922 - Security Update Guide - Microsoft - Remote Procedure Call Runtime Remote Code Execution Vulnerability
portal.msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Multiple Windows Remote Desktop Services RCE Flaws
Microsoft disclosed and patched several **remote code execution** vulnerabilities affecting Windows Remote Desktop components, including **Remote Desktop Services** flaws tracked as `CVE-2025-21309`, `CVE-2025-24045`, and `CVE-2024-49123`. The issues were published through the Microsoft Security Response Center update guide and indicate continued security exposure in services commonly used for remote administration and application access across Windows environments. Microsoft also published a related **Windows Remote Desktop Licensing Service** remote code execution vulnerability, `CVE-2024-38263`, expanding the affected surface beyond core Remote Desktop Services. The cluster of advisories highlights the need for organizations to prioritize patching internet-exposed and internally accessible RDS infrastructure, review segmentation around remote access systems, and verify that all Windows servers running Remote Desktop roles and licensing components have the latest security updates applied.
May 25, 2026
Microsoft Patches Windows RDP Flaws That Can Leak Memory and Enable Attack Chains
Microsoft released fixes for two **Windows Remote Desktop Protocol (RDP)** information disclosure vulnerabilities, `CVE-2026-42908` and `CVE-2026-45639`, that allow a remote, unauthenticated attacker to trigger out-of-bounds reads and expose sensitive memory without user interaction. According to reporting on the June 9, 2026 security updates, `CVE-2026-42908` can disclose local memory addresses and weaken **ASLR**, while `CVE-2026-45639` can reveal process memory including credentials, session tokens, and protocol state data. Microsoft rated both flaws **Important** with **CVSS 7.5** and said exploitation was considered less likely at release, with no public exploits reported. The vulnerabilities affect a broad set of Windows platforms, including **Windows 10**, **Windows 11**, **Windows Server 2012 through 2025**, and Microsoft’s Remote Desktop client offerings for Windows desktop. The disclosures arrive amid continued scrutiny of the RDP ecosystem after earlier reports of severe Remote Desktop weaknesses, including `CVE-2025-29967` in **RD Gateway** and `CVE-2025-29966` and `CVE-2025-48817` in the **Windows Remote Desktop Client**, which were described as enabling remote code execution through heap overflow or path traversal conditions. Organizations were urged to prioritize patching internet-exposed RDP systems and strengthen access controls with VPNs, bastion hosts, strong authentication, and monitoring.
Jun 12, 2026
Microsoft Patches Multiple Windows Remote Code Execution Flaws Across Core Services
Microsoft published security advisories for a broad set of **remote code execution** vulnerabilities affecting Windows components and enterprise services, including **Windows Telephony Service**, **Hyper-V**, **ReFS**, **WSUS**, **Direct Show**, the **Windows Mobile Broadband Driver**, **Windows Server Setup and Boot Event Collection**, **SQL Server Native Client**, and **.NET**. The largest concentration of disclosures involved the Windows Telephony Service, with multiple CVEs including `CVE-2024-43620`, `CVE-2024-43627`, `CVE-2025-21190`, `CVE-2025-21240`, `CVE-2025-21243`, `CVE-2025-21250`, `CVE-2025-21266`, `CVE-2025-21273`, `CVE-2025-21409`, and `CVE-2025-21413`, indicating sustained patching activity around a single Windows attack surface. Other disclosed RCE issues expanded the risk to virtualization, storage, update infrastructure, and server environments through `CVE-2026-21244` and `CVE-2026-21248` in **Windows Hyper-V**, `CVE-2025-62456` in **Windows Resilient File System (ReFS)**, `CVE-2025-59287` in **Windows Server Update Service (WSUS)**, `CVE-2025-49666` in **Windows Server Setup and Boot Event Collection**, `CVE-2024-49012` in **SQL Server Native Client**, `CVE-2025-21291` in **Windows Direct Show**, and `CVE-2026-24288` in the **Windows Mobile Broadband Driver**. One referenced case, `CVE-2021-34458`, showed the potential severity of Microsoft RCE flaws in virtualized environments, with Microsoft describing a **Critical** Windows Kernel issue that could enable cross-guest interference on systems using **SR-IOV-capable hardware**.
May 25, 2026