Microsoft Discloses Windows RCE Flaws in Scripting Languages and URL Parsing
Microsoft published Security Update Guide entries for two Windows remote code execution vulnerabilities affecting different core components: CVE-2022-41118 in Windows Scripting Languages and CVE-2025-59295 in Windows URL Parsing. Both advisories classify the issues as remote code execution flaws, indicating that successful exploitation could allow an attacker to run arbitrary code on a targeted Windows system.
The disclosures point to risk across widely used Windows functionality rather than a single application, underscoring the need for defenders to review affected product versions and apply Microsoft-issued updates through normal patch management channels. The vulnerabilities are tracked under the identifiers CVE-2022-41118 and CVE-2025-59295, with Microsoft maintaining the authoritative remediation details in its Security Update Guide.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes advisory for CVE-2025-59295
Microsoft added CVE-2025-59295 to its Security Update Guide as a Windows URL Parsing Remote Code Execution Vulnerability.
Microsoft publishes advisory for CVE-2022-41118
Microsoft added CVE-2022-41118 to its Security Update Guide as a Windows Scripting Languages Remote Code Execution Vulnerability.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2025-59295 - Security Update Guide - Microsoft - Windows URL Parsing Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2022-41118 - Security Update Guide - Microsoft - Windows Scripting Languages Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Windows Internet Shortcut RCE Exploited via Malicious URL Files
Microsoft disclosed **CVE-2025-33053**, an **Important** remote code execution flaw in **Internet Shortcut Files** that affects all supported versions of Windows and carries a **CVSS 8.8** rating. The vulnerability is tied to **CWE-73** (external control of file name or path) and can let an unauthenticated attacker execute code over a network if a user clicks a specially crafted URL. Microsoft said the bug had been **exploited in the wild**, that **functional exploit code** was available, and that security updates had been released. The advisory said the issue has implications beyond legacy browser use because underlying **MSHTML**, **EdgeHTML**, and scripting components remain supported on some platforms and are still used by **Internet Explorer mode**, the **WebBrowser control**, **WebView**, and some **UWP** applications. Microsoft also noted that **IE cumulative updates** still matter for certain older Windows Server systems, and later revised the advisory to correct the CVE title and description without changing the technical impact. Related Microsoft advisories show the flaw joins a broader pattern of remote code execution risks across Windows and server products, including **MSHTML**, **Hyper-V**, **Exchange Server**, and **SharePoint Server**.
May 25, 2026
Microsoft Discloses Remote Code Execution Flaws in Remote Desktop and RPC Components
Microsoft published security advisories for multiple remote code execution vulnerabilities affecting **Remote Desktop Client**, **Remote Desktop Protocol**, and the **Remote Procedure Call (RPC) Runtime**. The referenced issues include `CVE-2025-58718` in the Remote Desktop Client, alongside earlier Microsoft advisories for `CVE-2022-21851` in the Remote Desktop Client, `CVE-2022-21893` in Remote Desktop Protocol, and `CVE-2022-21922` in the RPC Runtime. The advisories indicate continued security risk around core Windows remote access and interprocess communication components that are widely used in enterprise environments. For defenders, the common thread is exposure to **remote code execution** in services and clients tied to remote connectivity, making Microsoft’s security updates for these CVEs a priority for systems that rely on RDP and RPC functionality.
May 25, 2026
Microsoft Patches Multiple Windows Remote Code Execution Flaws Across Core Services
Microsoft published security advisories for a broad set of **remote code execution** vulnerabilities affecting Windows components and enterprise services, including **Windows Telephony Service**, **Hyper-V**, **ReFS**, **WSUS**, **Direct Show**, the **Windows Mobile Broadband Driver**, **Windows Server Setup and Boot Event Collection**, **SQL Server Native Client**, and **.NET**. The largest concentration of disclosures involved the Windows Telephony Service, with multiple CVEs including `CVE-2024-43620`, `CVE-2024-43627`, `CVE-2025-21190`, `CVE-2025-21240`, `CVE-2025-21243`, `CVE-2025-21250`, `CVE-2025-21266`, `CVE-2025-21273`, `CVE-2025-21409`, and `CVE-2025-21413`, indicating sustained patching activity around a single Windows attack surface. Other disclosed RCE issues expanded the risk to virtualization, storage, update infrastructure, and server environments through `CVE-2026-21244` and `CVE-2026-21248` in **Windows Hyper-V**, `CVE-2025-62456` in **Windows Resilient File System (ReFS)**, `CVE-2025-59287` in **Windows Server Update Service (WSUS)**, `CVE-2025-49666` in **Windows Server Setup and Boot Event Collection**, `CVE-2024-49012` in **SQL Server Native Client**, `CVE-2025-21291` in **Windows Direct Show**, and `CVE-2026-24288` in the **Windows Mobile Broadband Driver**. One referenced case, `CVE-2021-34458`, showed the potential severity of Microsoft RCE flaws in virtualized environments, with Microsoft describing a **Critical** Windows Kernel issue that could enable cross-guest interference on systems using **SR-IOV-capable hardware**.
May 25, 2026