Critical RD Gateway Vulnerability

A critical remote code execution vulnerability in Microsoft’s Remote Desktop Gateway (RD Gateway) was disclosed in March 2025. It affects Windows Server systems running the RD Gateway role and allows unauthenticated attackers to execute arbitrary code remotely without user interaction. Given RD Gateway’s role as a secure bridge for remote desktop access in enterprise environments, this flaw is considered highly dangerous, especially in internet-facing deployments. Microsoft assigned a high severity rating (CVSS 8.1) and released security updates to address the issue. Attackers exploiting this vulnerability could gain control of affected servers, making prompt remediation essential.

Technical Description

The vulnerability lies in Microsoft’s Remote Desktop Gateway (RD Gateway), the component that lets remote users connect securely to internal systems. The problem is in how RD Gateway handles multiple incoming connection requests. Specifically, the issue is a race condition: a situation where two parts of the system try to access or modify the same piece of memory at the same time, without properly coordinating their actions.

When someone connects to the gateway, RD Gateway sets up a temporary session in memory to track that user’s login and communication. If multiple connection attempts happen in quick succession, which an attacker can simulate by flooding the server, there is a chance the software gets confused: one part of the program might delete a session that another part is still using. This results in what is called a use-after-free error, where the system continues to use memory that has already been freed or reassigned. That opens the door for attackers to sneak in malicious code.

By carefully timing and structuring their connection attempts, attackers can trick the server into behaving unpredictably. In successful cases, they can inject and run their own code, effectively taking control of the system. What makes this particularly dangerous is that the attacker does not need a valid login; they can do this from anywhere on the internet, without any prior access.

Security researchers have demonstrated that it is possible to exploit this bug reliably by sending a flood of specially crafted requests that increase the chances of the race condition triggering. Once successful, the attacker can gain the same level of access as the RD Gateway service itself, which typically runs with powerful system privileges. From there, they could install backdoors, steal sensitive data, or use the compromised machine as a launch point for further attacks inside the network.

Behind the scenes, what they are doing is manipulating how Windows manages memory, specifically how it allocates and reuses chunks of memory (the heap). By spraying the memory with fake data, they can increase the odds that their malicious code lands exactly where the system will look after a session pointer has been freed.

The vulnerability is especially troubling because it affects default installations of RD Gateway. No special configuration is needed to be vulnerable. Also, since the exploit happens deep in the system’s communication layer, traditional antivirus or endpoint detection systems may not notice anything out of the ordinary unless they are specifically tuned for this kind of behavior.

Microsoft addressed the issue in their March 2025 security update by adding proper safeguards around session handling. This includes better locking mechanisms and stricter controls on how and when memory is freed, essentially teaching the system not to trip over its own feet when handling multiple requests at once.
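The following C sketch is an added illustration, not RD Gateway code and not Microsoft’s patch: it shows the lifetime rule the fix description implies, where a session record leaves the table when closed but is freed only when its last user releases it, so a close that races against a handler still servicing the connection cannot free memory in use. The session table, the function names and the peer address are constructed for the demo; in a real service every function below would run under one lock, which this single-threaded demo omits by scripting the interleaving through the order of calls.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical session table, constructed for this illustration. */
#define MAX_SESSIONS 4

typedef struct session {
    unsigned id;
    int holders;     /* connection handlers currently using this record */
    bool closed;     /* close was requested; no new holders allowed */
    char peer[32];   /* constructed sample data (client address) */
} session_t;

static session_t *table[MAX_SESSIONS];

/* Demo instrumentation: records actually freed, and closes that had to
 * defer the free because a handler still held the record. */
static unsigned records_freed;
static unsigned deferred_frees;

static int find_slot(unsigned id) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i] && table[i]->id == id) return i;
    return -1;
}

bool session_create(unsigned id, const char *peer) {
    if (find_slot(id) >= 0) return false;          /* duplicate id */
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!table[i]) {
            session_t *s = calloc(1, sizeof *s);
            if (!s) return false;
            s->id = id;
            snprintf(s->peer, sizeof s->peer, "%s", peer);
            table[i] = s;
            return true;
        }
    }
    return false;                                   /* table full */
}

/* A handler takes a hold before touching the record; a closed record is
 * never handed out, so the hold is the only path to the memory. */
session_t *session_acquire(unsigned id) {
    int i = find_slot(id);
    if (i < 0 || table[i]->closed) return NULL;
    table[i]->holders++;
    return table[i];
}

/* Dropping the last hold on an already-closed record is what frees it. */
void session_release(session_t *s) {
    if (s->holders > 0) s->holders--;
    if (s->closed && s->holders == 0) {
        free(s);
        records_freed++;
    }
}

/* Unlinks the record so no new holder can find it; frees it immediately
 * only if nobody holds it, otherwise the last release frees it. */
bool session_close(unsigned id) {
    int i = find_slot(id);
    if (i < 0) return false;
    session_t *s = table[i];
    table[i] = NULL;
    s->closed = true;
    if (s->holders == 0) { free(s); records_freed++; }
    else deferred_frees++;
    return true;
}

/* Scripted interleaving mirroring the race in the advisory: handler A is
 * mid-request on session 7 when a teardown for the same session arrives.
 * Returns true if A's data stayed intact and the record was freed exactly
 * once, after A finished. */
bool demo_racing_close(void) {
    records_freed = deferred_frees = 0;
    if (!session_create(7, "203.0.113.10:51234")) return false; /* constructed */
    session_t *a = session_acquire(7);            /* handler A starts work */
    if (!a) return false;
    if (!session_close(7)) return false;          /* concurrent teardown */
    if (session_acquire(7) != NULL) return false; /* new handlers cannot reach it */
    bool intact = a->id == 7 && strcmp(a->peer, "203.0.113.10:51234") == 0;
    session_release(a);                           /* A finishes: freed now */
    return intact && deferred_frees == 1 && records_freed == 1;
}

/* Ordinary lifecycle with no race: the record survives releases and is
 * freed by close; a second close finds nothing. */
bool demo_normal_lifecycle(void) {
    records_freed = deferred_frees = 0;
    if (!session_create(1, "198.51.100.7:40000")) return false; /* constructed */
    session_t *s = session_acquire(1);
    if (!s) return false;
    session_release(s);
    if (session_acquire(1) != s) return false;    /* still in the table */
    session_release(s);
    if (!session_close(1) || session_close(1)) return false;
    return records_freed == 1 && deferred_frees == 0;
}

int main(void) {
    printf("racing close safe: %s\n", demo_racing_close() ? "yes" : "no");
    printf("normal lifecycle ok: %s\n", demo_normal_lifecycle() ? "yes" : "no");
    return 0;
}
```

The point of the demo is the ordering in `demo_racing_close`: without the hold count, the teardown would free the record while handler A still points at it, which is the use-after-free the advisory describes; with it, the teardown only unlinks the record and the free is deferred to A’s release.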

Impact

If exploited, CVE-2025-21297 can give attackers complete control over affected systems. This includes:

  • installing malware
  • extracting sensitive data
  • creating persistent backdoors
  • pivoting to other internal assets

As RD Gateway often serves as an entry point into secured environments, compromising it can effectively bypass external perimeter defenses. For enterprises relying on RD Gateway for remote work access, a successful attack could lead to network-wide compromise.

The risk is especially high in organizations with publicly exposed RD Gateway servers that have not applied recent updates. Exploits require no authentication and leave few traces in traditional endpoint logs, making detection difficult unless network behavior is closely monitored. Attackers may use this vulnerability to silently establish long-term access, exfiltrate data, or deploy ransomware across enterprise environments.

IOC and Context Details

Topics                         Details
Tactic Name                    Initial Access, Execution, Privilege Escalation
Technique Name                 Exploitation of Remote Services, Use-After-Free
Sub Technique Name             Use-After-Free in RD Gateway Service Initialization
Attack Type                    Remote Code Execution (RCE) via race condition during concurrent socket connections
Targeted Applications          Windows Remote Desktop Gateway (RD Gateway)
Region Impacted                Global
Industry Impacted              All Industries
Indicators of Compromise (IOCs) NA
CVE                            CVE-2025-21297

Recommended Actions

  1. Apply Security Patches: Install the Microsoft update that addresses CVE-2025-21297 on all affected Windows Server systems. This is the most effective and immediate defense.
  2. Limit Public Exposure: If possible, restrict RD Gateway access to VPN-connected or internal users. Avoid exposing the service directly to the internet.
  3. Implement Network Controls: Use firewall rules to restrict who can reach RD Gateway and deploy intrusion detection systems (IDS) to flag suspicious behavior.
  4. Conduct Vulnerability Scanning: Use up-to-date vulnerability management tools to identify unpatched RD Gateway servers across your network.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21297