CVE-2025-66576 Overview
CVE-2025-66576 affects Remote Keyboard Desktop version 1.0.1, a Windows application distributed through the Microsoft Store by Remote Control I/O. The vulnerability allows unauthenticated remote attackers to execute arbitrary system commands by abusing the application's handling of the rundll32.exe exported function interface. Attackers reach the vulnerable code path over the network without credentials or user interaction. The flaw is categorized under CWE-78 (OS Command Injection).
Critical Impact
Unauthenticated remote attackers can execute arbitrary operating system commands on hosts running Remote Keyboard Desktop 1.0.1, gaining full control of the affected Windows system.
Affected Products
- Remote Control I/O Remote Keyboard Desktop 1.0.1 (Windows)
- Distribution via the Microsoft Store package 9N0JW8V5SC9M
- Any Windows host running the vulnerable build with the listener exposed on the network
Discovery Timeline
- 2025-12-04 - CVE-2025-66576 published to the National Vulnerability Database
- 2025-12-17 - Last updated in NVD database
Technical Details for CVE-2025-66576
Vulnerability Analysis
Remote Keyboard Desktop 1.0.1 exposes a network listener that accepts input from a paired remote client. The application processes attacker-supplied input by invoking rundll32.exe and passing the data to an exported function. Because the input is not sanitized before reaching the command execution layer, attackers inject operating system commands that the host executes with the privileges of the running application. The exploitation requires no authentication, no user interaction, and no prior access to the targeted machine, which raises its risk profile for any system exposing the service to untrusted networks. A public proof-of-concept is referenced through Exploit-DB #52299 and the VulnCheck Remote Code Execution Advisory.
Root Cause
The root cause is improper neutralization of special elements used in an OS command [CWE-78]. The application passes network-controlled strings into a rundll32.exe invocation without validating or escaping the arguments. This pattern transforms remote keyboard input messages into a direct command execution primitive.
Attack Vector
The attack vector is Network. An attacker who can reach the listening port crafts a malicious message that triggers the rundll32.exe dispatch path. The injected command runs in the context of the Remote Keyboard Desktop process, enabling persistence, lateral movement, or credential theft. No authentication challenge gates the exposed interface.
No verified exploit code is reproduced here. Refer to the public advisories listed above for technical details and proof-of-concept artifacts.
Detection Methods for CVE-2025-66576
Indicators of Compromise
- Unexpected child processes of the Remote Keyboard Desktop application, particularly rundll32.exe spawning cmd.exe, powershell.exe, or scripting hosts
- Inbound network connections to the Remote Keyboard Desktop listener from untrusted source addresses
- Creation of unfamiliar scheduled tasks, services, or files in %TEMP% and %APPDATA% shortly after Remote Keyboard Desktop receives traffic
Detection Strategies
- Hunt for process chains where the Remote Keyboard Desktop binary is the parent of rundll32.exe followed by shell or LOLBin execution
- Inspect command-line arguments passed to rundll32.exe for inline OS commands or paths outside the application installation directory
- Correlate Microsoft Store application telemetry with EDR process events to flag anomalous executions of package 9N0JW8V5SC9M
Monitoring Recommendations
- Enable command-line logging (Windows Event ID 4688 with audit process creation) and Sysmon Event ID 1 across endpoints running the application
- Forward EDR and Sysmon telemetry to a centralized analytics platform and alert on rundll32.exe executions launched from non-system parent processes
- Monitor host firewall logs for inbound connections to ports bound by Remote Keyboard Desktop and alert on connections from non-corporate ranges
How to Mitigate CVE-2025-66576
Immediate Actions Required
- Uninstall Remote Keyboard Desktop 1.0.1 from all Windows endpoints until a patched build is published by Remote Control I/O
- Block inbound traffic to the application's listening port at the host and perimeter firewalls
- Audit endpoints for the Microsoft Store package 9N0JW8V5SC9M and remove it from systems where the functionality is not required
Patch Information
No vendor patch is referenced in the advisories at the time of publication. Consult the VulnCheck Remote Code Execution Advisory and the Microsoft App Details page for vendor updates. Remove the affected version from production use until a fixed release is available.
Workarounds
- Run the application only on isolated networks where the listener is not reachable from untrusted hosts
- Apply Windows Defender Application Control or AppLocker policies to block execution of the 9N0JW8V5SC9M package on managed endpoints
- Restrict rundll32.exe invocations from non-system parent processes using attack surface reduction rules where compatible with business workflows
# Configuration example: remove the affected Microsoft Store package on Windows
Get-AppxPackage -AllUsers | Where-Object { $_.PackageFamilyName -like "*9N0JW8V5SC9M*" } | Remove-AppxPackage
# Block inbound traffic to the application (adjust port as required)
New-NetFirewallRule -DisplayName "Block Remote Keyboard Desktop" -Direction Inbound -Action Block -Program "%ProgramFiles%\WindowsApps\RemoteKeyboardDesktop*\RemoteKeyboardDesktop.exe"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

