Microsoft Patches Multiple Windows Remote Desktop Services RCE Flaws
Microsoft disclosed and patched several remote code execution vulnerabilities affecting Windows Remote Desktop components, including Remote Desktop Services flaws tracked as CVE-2025-21309, CVE-2025-24045, and CVE-2024-49123. The issues were published through the Microsoft Security Response Center update guide and indicate continued security exposure in services commonly used for remote administration and application access across Windows environments.
Microsoft also published a related Windows Remote Desktop Licensing Service remote code execution vulnerability, CVE-2024-38263, expanding the affected surface beyond core Remote Desktop Services. The cluster of advisories highlights the need for organizations to prioritize patching internet-exposed and internally accessible RDS infrastructure, review segmentation around remote access systems, and verify that all Windows servers running Remote Desktop roles and licensing components have the latest security updates applied.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses CVE-2025-24045 in Remote Desktop Services
Microsoft published a Security Update Guide entry for CVE-2025-24045, a remote code execution vulnerability affecting Windows Remote Desktop Services.
Microsoft discloses CVE-2025-21309 in Remote Desktop Services
Microsoft published Security Update Guide entries for CVE-2025-21309, identifying a remote code execution vulnerability in Windows Remote Desktop Services.
Microsoft discloses CVE-2024-49123 in Remote Desktop Services
Microsoft published a Security Update Guide entry for CVE-2024-49123, a remote code execution vulnerability affecting Windows Remote Desktop Services.
Microsoft discloses CVE-2024-38263 in Remote Desktop Licensing Service
Microsoft published a Security Update Guide entry for CVE-2024-38263, a remote code execution vulnerability affecting the Windows Remote Desktop Licensing Service.
Sources
5 references tracked. Mallory keeps watching after this page renders.
CVE-2025-24045 - Security Update Guide - Microsoft - Windows Remote Desktop Services Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-21309 - Security Update Guide - Microsoft - Windows Remote Desktop Services Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-21309 - Security Update Guide - Microsoft - Windows Remote Desktop Services Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2024-49123 - Security Update Guide - Microsoft - Windows Remote Desktop Services Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2024-38263 - Security Update Guide - Microsoft - Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Discloses Remote Code Execution Flaws in Remote Desktop and RPC Components
Microsoft published security advisories for multiple remote code execution vulnerabilities affecting **Remote Desktop Client**, **Remote Desktop Protocol**, and the **Remote Procedure Call (RPC) Runtime**. The referenced issues include `CVE-2025-58718` in the Remote Desktop Client, alongside earlier Microsoft advisories for `CVE-2022-21851` in the Remote Desktop Client, `CVE-2022-21893` in Remote Desktop Protocol, and `CVE-2022-21922` in the RPC Runtime. The advisories indicate continued security risk around core Windows remote access and interprocess communication components that are widely used in enterprise environments. For defenders, the common thread is exposure to **remote code execution** in services and clients tied to remote connectivity, making Microsoft’s security updates for these CVEs a priority for systems that rely on RDP and RPC functionality.
May 25, 2026
Microsoft Patches Multiple Windows Remote Code Execution Flaws Across Core Services
Microsoft published security advisories for a broad set of **remote code execution** vulnerabilities affecting Windows components and enterprise services, including **Windows Telephony Service**, **Hyper-V**, **ReFS**, **WSUS**, **Direct Show**, the **Windows Mobile Broadband Driver**, **Windows Server Setup and Boot Event Collection**, **SQL Server Native Client**, and **.NET**. The largest concentration of disclosures involved the Windows Telephony Service, with multiple CVEs including `CVE-2024-43620`, `CVE-2024-43627`, `CVE-2025-21190`, `CVE-2025-21240`, `CVE-2025-21243`, `CVE-2025-21250`, `CVE-2025-21266`, `CVE-2025-21273`, `CVE-2025-21409`, and `CVE-2025-21413`, indicating sustained patching activity around a single Windows attack surface. Other disclosed RCE issues expanded the risk to virtualization, storage, update infrastructure, and server environments through `CVE-2026-21244` and `CVE-2026-21248` in **Windows Hyper-V**, `CVE-2025-62456` in **Windows Resilient File System (ReFS)**, `CVE-2025-59287` in **Windows Server Update Service (WSUS)**, `CVE-2025-49666` in **Windows Server Setup and Boot Event Collection**, `CVE-2024-49012` in **SQL Server Native Client**, `CVE-2025-21291` in **Windows Direct Show**, and `CVE-2026-24288` in the **Windows Mobile Broadband Driver**. One referenced case, `CVE-2021-34458`, showed the potential severity of Microsoft RCE flaws in virtualized environments, with Microsoft describing a **Critical** Windows Kernel issue that could enable cross-guest interference on systems using **SR-IOV-capable hardware**.
May 25, 2026
Microsoft Patches Windows RDP Flaws That Can Leak Memory and Enable Attack Chains
Microsoft released fixes for two **Windows Remote Desktop Protocol (RDP)** information disclosure vulnerabilities, `CVE-2026-42908` and `CVE-2026-45639`, that allow a remote, unauthenticated attacker to trigger out-of-bounds reads and expose sensitive memory without user interaction. According to reporting on the June 9, 2026 security updates, `CVE-2026-42908` can disclose local memory addresses and weaken **ASLR**, while `CVE-2026-45639` can reveal process memory including credentials, session tokens, and protocol state data. Microsoft rated both flaws **Important** with **CVSS 7.5** and said exploitation was considered less likely at release, with no public exploits reported. The vulnerabilities affect a broad set of Windows platforms, including **Windows 10**, **Windows 11**, **Windows Server 2012 through 2025**, and Microsoft’s Remote Desktop client offerings for Windows desktop. The disclosures arrive amid continued scrutiny of the RDP ecosystem after earlier reports of severe Remote Desktop weaknesses, including `CVE-2025-29967` in **RD Gateway** and `CVE-2025-29966` and `CVE-2025-48817` in the **Windows Remote Desktop Client**, which were described as enabling remote code execution through heap overflow or path traversal conditions. Organizations were urged to prioritize patching internet-exposed RDP systems and strengthen access controls with VPNs, bastion hosts, strong authentication, and monitoring.
Jun 12, 2026