Cyber Posture

CVE-2025-24035

High

Published: 11 March 2025

Published
11 March 2025
Modified
03 July 2025
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0016 36.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Security Summary

CVE-2025-24035 is a high-severity vulnerability (CVSS 8.1) involving sensitive data storage in improperly locked memory within Windows Remote Desktop Services. Published on March 11, 2025, it stems from CWE-591 and enables an unauthorized attacker to execute code over a network by exploiting this memory handling flaw.

An attacker with network access can exploit this vulnerability without privileges or user interaction, though it requires high attack complexity. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing arbitrary code execution on the targeted system.

Microsoft's Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24035 provides details on patches and mitigation guidance for affected Windows Remote Desktop Services instances.

Details

CWE(s)
CWE-591

Affected Products

microsoft
windows 10 1507
≤ 10.0.10240.20947 · ≤ 10.0.10240.20947
microsoft
windows 10 1607
≤ 10.0.14393.7876 · ≤ 10.0.14393.7876
microsoft
windows 10 1809
≤ 10.0.17763.7009 · ≤ 10.0.17763.7009
microsoft
windows 10 21h2
≤ 10.0.19044.5608
microsoft
windows 10 22h2
≤ 10.0.19045.5608
microsoft
windows 11 22h2
≤ 10.0.22621.5039
microsoft
windows 11 23h2
≤ 10.0.22631.5039
microsoft
windows 11 24h2
≤ 10.0.26100.3403
microsoft
windows server 2008
all versions, r2
microsoft
windows server 2012
all versions, r2
+5 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

The vulnerability enables unauthenticated remote code execution in Windows Remote Desktop Services over a network, directly mapping to exploitation of public-facing applications and remote services for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References