CVE-2025-21309
Published: 14 January 2025
Description
Windows Remote Desktop Services Remote Code Execution Vulnerability
Security Summary
CVE-2025-21309 is a Remote Code Execution vulnerability in Windows Remote Desktop Services. Published on 2025-01-14T18:15:54.210, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-591 as well as NVD-CWE-noinfo.
An unauthenticated remote attacker can exploit this vulnerability over the network without any user interaction, although attack complexity is high. Successful exploitation results in remote code execution with high impact on confidentiality, integrity, and availability; per the vector, scope is unchanged (S:U).
The Microsoft Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21309 details available patches and mitigation recommendations.
Details
- CWE(s)