CVE-2024-38015 Overview
CVE-2024-38015 is a denial-of-service vulnerability affecting the Windows Remote Desktop Gateway (RD Gateway) role on multiple Microsoft Windows Server versions. The flaw allows an unauthenticated remote attacker to disrupt RD Gateway availability by sending crafted network traffic to the service. Microsoft tracks the issue under [CWE-400] (Uncontrolled Resource Consumption), indicating the service can be driven into an exhausted state and stop processing legitimate sessions. Because RD Gateway is commonly exposed to the internet to broker remote desktop sessions, a successful attack can sever administrative and end-user access to internal Windows hosts.
Critical Impact
An unauthenticated attacker on the network can disrupt RD Gateway availability, blocking remote desktop access to backend Windows resources.
Affected Products
- Microsoft Windows Server 2012 and 2012 R2
- Microsoft Windows Server 2016 and 2019
- Microsoft Windows Server 2022 and Windows Server 2022 23H2
Discovery Timeline
- 2024-07-09 - CVE-2024-38015 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-38015
Vulnerability Analysis
The vulnerability resides in the Windows Remote Desktop Gateway role, a service that tunnels Remote Desktop Protocol (RDP) sessions over HTTPS for remote users. RD Gateway listens on TCP/443 and processes session-establishment traffic before authentication completes. The defect, classified as [CWE-400] Uncontrolled Resource Consumption, lets attacker-supplied input drive the service into a resource-exhausted state. The result is loss of availability for the RD Gateway role and any remote desktop sessions that depend on it. The vulnerability does not provide code execution, information disclosure, or integrity impact, but RD Gateway outages typically break administrative access paths for distributed Windows environments.
Root Cause
Microsoft has not published low-level technical details. Based on the [CWE-400] classification, the root cause is improper bounding of a resource consumed during connection processing on the RD Gateway service. Repeated or malformed requests cause the gateway to exhaust memory, threads, handles, or similar resources and stop servicing new sessions.
Attack Vector
The attack is performed over the network and requires no authentication or user interaction. An attacker who can reach the RD Gateway listener — typically TCP/443 on an internet-exposed host — can send crafted traffic that triggers the resource exhaustion condition. Because organizations frequently publish RD Gateway directly to the internet, the exposed attack surface is broad. EPSS data places the probability of exploitation in the top tier of tracked CVEs, reflecting the accessibility of the listener and the simplicity of denial-of-service techniques against it.
No verified public proof-of-concept code is available. See the Microsoft Security Update Guide for CVE-2024-38015 for vendor-supplied technical context.
Detection Methods for CVE-2024-38015
Indicators of Compromise
- Abrupt termination or repeated restart of the TSGateway service on RD Gateway hosts.
- Spikes in TCP/443 connections to the RD Gateway from a small number of external source IPs followed by service unresponsiveness.
- Operational and Admin events from the Microsoft-Windows-TerminalServices-Gateway event log channels indicating session failures, dropped requests, or worker process crashes.
Detection Strategies
- Correlate Windows Event Log entries for the RD Gateway service with sudden drops in successful session establishment counts.
- Monitor performance counters for the RD Gateway role, including active connections, pending sessions, and worker process memory, for anomalous growth followed by collapse.
- Inspect perimeter telemetry for unusual connection patterns or malformed TLS/HTTPS handshakes targeting the RD Gateway endpoint.
Monitoring Recommendations
- Alert on RD Gateway service restarts and on Service Control Manager events for TSGateway outside of patch windows.
- Track external source IPs generating high connection rates to RD Gateway and feed them into network blocklists.
- Forward RD Gateway operational logs to a centralized log platform and retain them long enough to investigate availability incidents.
How to Mitigate CVE-2024-38015
Immediate Actions Required
- Apply the Microsoft July 2024 security update for every affected Windows Server version running the RD Gateway role.
- Inventory all internet-facing RD Gateway instances and prioritize patching those exposed on TCP/443.
- Restrict inbound access to RD Gateway listeners to known client networks or VPN ranges until patches are deployed.
Patch Information
Microsoft released fixes for CVE-2024-38015 as part of the July 2024 Patch Tuesday cycle. Updates are available for Windows Server 2012, 2012 R2, 2016, 2019, 2022, and Windows Server 2022 23H2 via Windows Update, WSUS, and the Microsoft Update Catalog. Refer to the Microsoft Security Update Guide for CVE-2024-38015 for KB article numbers per platform.
Workarounds
- Place RD Gateway behind a reverse proxy or VPN that authenticates clients before traffic reaches the gateway listener.
- Enforce IP allow-listing on the perimeter firewall so only trusted networks can reach TCP/443 on the gateway.
- Enable rate limiting and connection thresholds at the network edge to blunt high-volume connection floods against the service.
# Example: restrict inbound TCP/443 to RD Gateway using Windows Firewall
New-NetFirewallRule -DisplayName "RDGW-Allow-TrustedNets" `
-Direction Inbound -Protocol TCP -LocalPort 443 `
-RemoteAddress 203.0.113.0/24,198.51.100.0/24 -Action Allow
New-NetFirewallRule -DisplayName "RDGW-Block-All-Others" `
-Direction Inbound -Protocol TCP -LocalPort 443 `
-Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
