CVE-2024-49128: Windows Remote Desktop Services Remote Code Execution Vulnerability
Overview
- Severity
- High (CVSS 8.1)
- CVSS Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Category
- Remote Code Execution
- Exploit Status
- Not Exploited
- Exploitation Likelihood
- Less Likely
- Patch Tuesday
- 2024-Dec
- Released
- 2024-12-10
- Last Updated
- 2025-05-13
- EPSS Score
- 0.28% (percentile: 51.5%)
Description
Sensitive data storage in improperly locked memory in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network.
FAQ
How could an attacker exploit this vulnerability?
An attacker could successfully exploit this vulnerability by attempting to connect to a system with the Remote Desktop Gateway role, triggering the race condition to create a use-after-free scenario, and then leveraging this to execute arbitrary code.
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
Successful exploitation of this vulnerability requires an attacker to win a race condition.
Affected Products (13)
Windows
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server 2022
- Windows Server 2022 (Server Core installation)
- Windows Server 2025 (Server Core installation)
- Windows Server 2022, 23H2 Edition (Server Core installation)
- Windows Server 2025
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
ESU
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
Security Updates (9)
Acknowledgments
<p>ʌ!ↄ⊥ojv with Kunlun Lab</p>
Revision History
- 2024-12-10: Information published.
- 2024-12-16: Updated acknowledgment. This is an informational change only.
- 2025-05-13: To comprehensively address CVE-2024-49128, Microsoft has released May 2025 security updates for all affected versions of Windows Server. Microsoft recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.