CVE-2025-24035 Overview
CVE-2025-24035 is a critical remote code execution vulnerability in Windows Remote Desktop Services (RDS) that stems from sensitive data storage in improperly locked memory. This vulnerability allows an unauthorized attacker to execute arbitrary code over a network without requiring authentication or user interaction, though exploitation requires high attack complexity.
The vulnerability is classified under CWE-591 (Sensitive Data Storage in Improperly Locked Memory), indicating that sensitive data is stored in memory that is not properly locked, potentially allowing attackers to access or manipulate this data to achieve code execution. Given the widespread deployment of Remote Desktop Services in enterprise environments, this vulnerability poses a significant risk to organizations relying on remote access infrastructure.
Critical Impact
Successful exploitation enables remote code execution on Windows systems running Remote Desktop Services, potentially allowing complete system compromise without authentication. The network attack vector combined with no privilege requirements makes this a high-priority patching target.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 22H2, 23H2, 24H2)
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows Server 2012 and R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022 and 23H2
- Microsoft Windows Server 2025
Discovery Timeline
- March 11, 2025 - CVE-2025-24035 published to NVD
- July 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-24035
Vulnerability Analysis
This vulnerability exists within the Windows Remote Desktop Services component, specifically in how sensitive data is handled in memory. The flaw involves improper memory locking mechanisms that fail to adequately protect sensitive data during RDS session handling. When memory containing sensitive information is not properly locked, it becomes susceptible to race conditions or memory manipulation attacks that can lead to arbitrary code execution.
Remote Desktop Services is a core Windows component that enables remote access to systems and is extensively used in enterprise environments for server administration, virtual desktop infrastructure (VDI), and remote work scenarios. The vulnerability's network-accessible nature without requiring authentication makes it particularly dangerous for internet-exposed RDP services.
The attack complexity is considered high, indicating that successful exploitation requires specific conditions to be met or involves sophisticated techniques. Despite this complexity barrier, the potential for unauthenticated remote code execution with full system privileges makes this a serious threat that warrants immediate attention.
Root Cause
The root cause of CVE-2025-24035 lies in the improper handling of memory locking for sensitive data within the Remote Desktop Services implementation. CWE-591 describes a scenario where data that should be protected in locked memory pages (preventing it from being swapped to disk or accessed by unauthorized processes) is instead stored in improperly locked or unlocked memory regions.
In the context of RDS, this could involve session credentials, encryption keys, or other security-critical data that, when exposed through improper memory management, can be leveraged by an attacker to bypass security controls and execute malicious code. The failure to properly lock sensitive memory allows potential memory manipulation or race condition attacks that can alter program execution flow.
Attack Vector
The attack vector for this vulnerability is network-based, meaning exploitation occurs remotely over the network through the Remote Desktop Protocol (RDP), typically on TCP port 3389. An attacker does not require prior authentication or any privileges on the target system to attempt exploitation.
The attack scenario involves an attacker sending specially crafted RDP traffic to a vulnerable Windows system with Remote Desktop Services enabled. By exploiting the improper memory locking condition, the attacker can potentially manipulate sensitive data in memory to achieve code execution in the context of the RDS service, which typically runs with SYSTEM privileges.
While no user interaction is required, the high attack complexity suggests that exploitation may require precise timing, specific memory conditions, or multiple attempts to succeed. Organizations with RDP services exposed to the internet are at the highest risk, though internal network exposure also presents significant danger from lateral movement scenarios.
Detection Methods for CVE-2025-24035
Indicators of Compromise
- Unusual RDP connection attempts or malformed RDP traffic patterns targeting port 3389
- Unexpected process spawning from svchost.exe or RDS-related processes (termsrv.dll)
- Memory access violations or crash dumps in Remote Desktop Services components
- Suspicious network traffic patterns indicating exploitation attempts against RDP services
Detection Strategies
- Deploy network intrusion detection rules to identify malformed or anomalous RDP protocol traffic
- Monitor Windows Event Logs for RDS service crashes, unexpected restarts, or authentication anomalies (Event IDs 4624, 4625, and Terminal Services logs)
- Implement endpoint detection to identify suspicious process behavior from RDS service hosts
- Use SentinelOne's behavioral AI to detect post-exploitation activities following RDS compromise
Monitoring Recommendations
- Enable verbose logging for Remote Desktop Services and review logs regularly for anomalies
- Monitor network traffic to and from RDP services for unusual patterns or connection volumes
- Implement Security Information and Event Management (SIEM) correlation rules for RDP-related security events
- Deploy network segmentation monitoring to detect lateral movement attempts post-exploitation
How to Mitigate CVE-2025-24035
Immediate Actions Required
- Apply the Microsoft security update for CVE-2025-24035 immediately on all affected Windows systems
- Restrict RDP access to trusted IP addresses using firewall rules or Network Level Authentication (NLA)
- Disable Remote Desktop Services on systems where it is not required
- Implement network segmentation to limit exposure of RDP services to only necessary network segments
- Enable Network Level Authentication (NLA) as an additional layer of protection
Patch Information
Microsoft has released security updates addressing CVE-2025-24035 as part of their security update cycle. Organizations should obtain patches from the Microsoft Security Update Guide for CVE-2025-24035. The updates address the improper memory locking condition in Remote Desktop Services across all affected Windows versions.
System administrators should prioritize patching based on exposure level, with internet-facing RDP services receiving the highest priority. For environments requiring extensive testing before deployment, implement the workarounds listed below while preparing for patch deployment.
Workarounds
- Disable Remote Desktop Services (TermService) on systems where remote access is not required using services.msc or Group Policy
- Implement VPN or Remote Desktop Gateway requirements for all RDP access to add authentication layers
- Configure Windows Firewall to restrict RDP access to specific trusted IP ranges only
- Enable Network Level Authentication (NLA) to require authentication before a full RDP session is established
# Disable Remote Desktop Services via PowerShell
Stop-Service -Name TermService -Force
Set-Service -Name TermService -StartupType Disabled
# Configure Windows Firewall to restrict RDP access to specific IP range
New-NetFirewallRule -DisplayName "Restrict RDP Access" -Direction Inbound -LocalPort 3389 -Protocol TCP -RemoteAddress 10.0.0.0/24 -Action Allow
Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -Enabled False
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
