BURSTA critical security vulnerability in Windows Remote Desktop Services, designated as CVE-2025-32710, which allows unauthorized attackers to execute arbitrary code remotely without authentication.
Released on June 10, 2025, this vulnerability affects multiple Windows Server versions and carries a CVSS score of 8.1, indicating high severity with potential for significant system compromise.
The flaw stems from a use-after-free condition combined with a race condition in the Remote Desktop Gateway service, enabling attackers to gain complete control over vulnerable systems through network-based exploitation.
Remote Desktop Services RCE Vulnerability
CVE-2025-32710 represents a sophisticated memory corruption vulnerability classified under two Common Weakness Enumeration (CWE) categories: CWE-416 (Use After Free) and CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization).
The vulnerability’s CVSS vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C indicates a network-based attack vector requiring high complexity but no privileges or user interaction.
The technical exploitation mechanism involves an attacker connecting to a system running the Remote Desktop Gateway role and triggering a race condition that creates a use-after-free scenario.
This memory corruption allows the attacker to manipulate freed memory regions, potentially leading to arbitrary code execution with system-level privileges.
The vulnerability’s attack complexity is rated as high because successful exploitation requires winning a race condition, making it challenging but not impossible for determined threat actors.
The impact assessment reveals maximum severity across all three security domains: confidentiality, integrity, and availability are all rated as “High.”
This means successful exploitation could result in complete system compromise, including unauthorized access to sensitive data, modification of system configurations, and potential denial of service conditions affecting business operations.
Security researchers SmallerDragon and ʌ!ɔ⊥ojv from Kunlun Lab are credited with discovering and responsibly disclosing this vulnerability through coordinated disclosure processes.
| Risk Factors | Details |
| Affected Products | Windows Server 2008 (both 32-bit and x64-based systems with Service Pack 2), Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and the latest Windows Server 2025 |
| Impact | Remote Code Execution |
| Exploit Prerequisites | Network access to RDP Gateway, exploitation of race condition in shared resource handling |
| CVSS 3.1 Score | 8.1 (High) |
Affected Systems and Security Updates
Microsoft has identified multiple Windows Server versions vulnerable to CVE-2025-32710, spanning from legacy systems to current releases.
The affected platforms include Windows Server 2008 (both 32-bit and x64-based systems with Service Pack 2), Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and the latest Windows Server 2025.
Each affected system version has received corresponding security updates with specific Knowledge Base (KB) numbers.
For instance, Windows Server 2025 receives updates KB5058411 and KB5058497, bringing the system to build version 10.0.26100.4061.
Windows Server 2022 systems require updates KB5058385 and KB5058500, updating to build 10.0.20348.3692. Legacy systems like Windows Server 2008 receive updates KB5061198 and KB5058429, reaching version 6.0.6003.23317.
The security updates are delivered through Microsoft’s standard patch distribution channels, including Windows Update, Windows Server Update Services (WSUS), and Microsoft Update Catalog.
Organizations using Server Core installations are equally affected and must apply the corresponding patches to maintain their security posture.
Despite the critical severity rating, Microsoft’s exploitability assessment categorizes this vulnerability as “Exploitation Less Likely” due to the high attack complexity requirements.
The vulnerability has not been publicly disclosed through other channels, and no active exploitation has been observed in the wild at the time of publication.
Organizations should prioritize the immediate deployment of the June 2025 security updates across all affected Windows Server installations.
Network segmentation and access controls should be implemented to limit Remote Desktop Services exposure to untrusted networks. Additionally, enabling Windows Defender or other endpoint protection solutions can provide additional layers of defense against potential exploitation attempts.
Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full access
The post Windows Remote Desktop Services Vulnerability Allows Remote Code Execution appeared first on Cyber Security News.