Microsoft Patches Windows RDP Flaws That Can Leak Memory and Enable Attack Chains
Microsoft released fixes for two Windows Remote Desktop Protocol (RDP) information disclosure vulnerabilities, CVE-2026-42908 and CVE-2026-45639, that allow a remote, unauthenticated attacker to trigger out-of-bounds reads and expose sensitive memory without user interaction. According to reporting on the June 9, 2026 security updates, CVE-2026-42908 can disclose local memory addresses and weaken ASLR, while CVE-2026-45639 can reveal process memory including credentials, session tokens, and protocol state data. Microsoft rated both flaws Important with CVSS 7.5 and said exploitation was considered less likely at release, with no public exploits reported.
The vulnerabilities affect a broad set of Windows platforms, including Windows 10, Windows 11, Windows Server 2012 through 2025, and Microsoft’s Remote Desktop client offerings for Windows desktop. The disclosures arrive amid continued scrutiny of the RDP ecosystem after earlier reports of severe Remote Desktop weaknesses, including CVE-2025-29967 in RD Gateway and CVE-2025-29966 and CVE-2025-48817 in the Windows Remote Desktop Client, which were described as enabling remote code execution through heap overflow or path traversal conditions. Organizations were urged to prioritize patching internet-exposed RDP systems and strengthen access controls with VPNs, bastion hosts, strong authentication, and monitoring.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft fixes RDP info disclosure flaws CVE-2026-42908 and CVE-2026-45639
In its June 9, 2026 security updates, Microsoft patched CVE-2026-42908 and CVE-2026-45639, two Important out-of-bounds read vulnerabilities in the Windows RDP stack. The flaws could be exploited remotely by an unauthenticated attacker to expose sensitive memory, though Microsoft said exploitation was less likely and reported no public exploits at release.
Microsoft patches Windows RDP Client path traversal CVE-2025-48817
Microsoft addressed CVE-2025-48817 in its July 2025 Patch Tuesday updates with KB5062554, KB5062553, and KB5062552. The vulnerability was described as a critical path traversal flaw in mstsc.exe that could lead to remote code execution via arbitrary file writes and DLL hijacking.
Microsoft releases May 2025 fix for RDP Client CVE-2025-29966
Microsoft released security update KB5002695 for CVE-2025-29966, a critical heap-based buffer overflow in the Windows Remote Desktop Client that could enable remote code execution without user interaction. The flaw affected supported Windows 10, Windows 11, and Windows Server systems through mstscax.dll.
Microsoft releases May 2025 fixes for RD Gateway CVE-2025-29967
Microsoft addressed CVE-2025-29967, a critical heap-based buffer overflow in Microsoft Remote Desktop Gateway that could allow unauthenticated remote code execution on vulnerable systems. The issue particularly affected internet-exposed RD Gateway instances.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Windows RDP Vulnerabilities Allow Attacker to Expose Sensitive Data
cybersecuritynews.com
Open sourceNavigating Danger: CVE-2025-48817 Path Traversal in Windows Remote Desktop Client - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceCritical Heap Overflow in Microsoft RD Gateway (CVE-2025-29967): Remote Code Execution Risk - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceWindows Remote Desktop Under Siege: Analyzing CVE-2025-29966 Heap Overflow - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceMsrc Product Advisories
msrc.microsoft.com
Open sourceMsrc Product Advisories
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Multiple Windows Remote Desktop Services RCE Flaws
Microsoft disclosed and patched several **remote code execution** vulnerabilities affecting Windows Remote Desktop components, including **Remote Desktop Services** flaws tracked as `CVE-2025-21309`, `CVE-2025-24045`, and `CVE-2024-49123`. The issues were published through the Microsoft Security Response Center update guide and indicate continued security exposure in services commonly used for remote administration and application access across Windows environments. Microsoft also published a related **Windows Remote Desktop Licensing Service** remote code execution vulnerability, `CVE-2024-38263`, expanding the affected surface beyond core Remote Desktop Services. The cluster of advisories highlights the need for organizations to prioritize patching internet-exposed and internally accessible RDS infrastructure, review segmentation around remote access systems, and verify that all Windows servers running Remote Desktop roles and licensing components have the latest security updates applied.
May 25, 2026
Microsoft Discloses Remote Code Execution Flaws in Remote Desktop and RPC Components
Microsoft published security advisories for multiple remote code execution vulnerabilities affecting **Remote Desktop Client**, **Remote Desktop Protocol**, and the **Remote Procedure Call (RPC) Runtime**. The referenced issues include `CVE-2025-58718` in the Remote Desktop Client, alongside earlier Microsoft advisories for `CVE-2022-21851` in the Remote Desktop Client, `CVE-2022-21893` in Remote Desktop Protocol, and `CVE-2022-21922` in the RPC Runtime. The advisories indicate continued security risk around core Windows remote access and interprocess communication components that are widely used in enterprise environments. For defenders, the common thread is exposure to **remote code execution** in services and clients tied to remote connectivity, making Microsoft’s security updates for these CVEs a priority for systems that rely on RDP and RPC functionality.
May 25, 2026
Microsoft Patches Critical Remote Desktop Client and HTTP.sys RCE Flaws
Microsoft’s June 2026 Patch Tuesday delivered a record-setting security release, with reports citing **206 to 208 CVEs** addressed across Windows, Office, Azure, SQL Server, and other products, including **32 critical** issues. Among the most urgent were multiple **Remote Desktop Client** remote code execution flaws—`CVE-2026-42985`, `CVE-2026-47289`, `CVE-2026-44801`, `CVE-2026-44799`, and `CVE-2026-48563`—that could let an attacker run code on a victim system if the user connected to a malicious Remote Desktop Server or accepted a specially crafted RDP certificate. Microsoft rated `CVE-2026-42985` as **more likely** to be exploited, while the others were assessed as less likely at publication; several of the bugs were credited to Kyeongmin Kim of KAIST Hacking Lab. Microsoft also disclosed **`CVE-2026-47291`**, a critical **HTTP.sys** remote code execution vulnerability with a **CVSS 9.8** score that can be exploited remotely without authentication or user interaction by sending a specially crafted packet to a server using the Windows HTTP Protocol Stack. Microsoft said systems using the default `MaxRequestBytes` setting are not affected, but warned that servers with higher values may be vulnerable and advised administrators to set the registry value to a safe level and restart the HTTP service or host until patches are applied. Cisco Talos published Snort coverage for many of the newly disclosed flaws, while separate reporting also highlighted one actively exploited zero-day in Microsoft Defender and additional high-risk issues in Hyper-V, DHCP Client, Secure Boot, and UEFI components.
Jun 19, 2026