A newly discovered vulnerability in Microsoft’s Remote Desktop Gateway (RD Gateway) service allows remote code execution on Windows Server systems — and it’s already being exploited in the wild.
Tracked as CVE-2025-21297, this use-after-free (UAF) flaw stems from improper synchronization during RD Gateway initialization. If unpatched, it could allow attackers to take full control of systems by triggering a race condition across concurrent socket connections.
What Is the RD Gateway UAF Vulnerability?
The vulnerability resides in aaedge.dll, specifically in the function CTsgMsgServer::GetCTsgMsgServerInstance. During startup, multiple threads can simultaneously modify a global pointer, corrupting memory and leading to arbitrary code execution.
Attackers exploit this timing issue by flooding the gateway with multiple connections, eventually executing malicious code in the system’s memory space.
Affected Windows Server Versions
The following versions are vulnerable if they use RD Gateway for remote access:
- Windows Server 2016 (Core & Standard)
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
Microsoft released patches in the May 2025 Patch Tuesday release, adding mutex-based locking to prevent simultaneous initialization:
| Version | Security Patch |
|---|---|
| Server 2016 | KB5050011 |
| Server 2019 | KB5050008 |
| Server 2022 | KB5049983 |
| Server 2025 | KB5050009 |
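
The bug class and the fix described above, as an added generic C model that is not Microsoft's code or the contents of aaedge.dll: unsynchronized lazy initialization of a global pointer beside the mutex-guarded form. All names (`server_t`, `g_instance`, `g_window_hook`, the getters) are hypothetical, and the hook is a test device that replays the bad interleaving deterministically.

```c
#include <pthread.h>
#include <stdlib.h>
#define N_THREADS 8
typedef struct { int ready; } server_t;      /* hypothetical singleton object */
static server_t *g_instance;                 /* shared global pointer */
static int g_built;                          /* objects constructed so far */
static void (*g_window_hook)(void);          /* test hook: runs inside the race window */
static pthread_mutex_t g_lock = PTHREAD_MUTEX_INITIALIZER;

/* BEFORE: unsynchronized check-then-store. */
server_t *get_instance_racy(void) {
    if (g_instance == NULL) {
        if (g_window_hook) g_window_hook();  /* a second caller arrives here */
        g_instance = calloc(1, sizeof(server_t)); /* overwrites the second caller's pointer */
        g_built++;
    }
    return g_instance;
}
static void second_caller(void) { g_window_hook = NULL; get_instance_racy(); }
/* Replays the bad interleaving deterministically; returns objects built. */
int racy_objects_built(void) {
    g_instance = NULL; g_built = 0;
    g_window_hook = second_caller;
    get_instance_racy();
    return g_built;
}

/* AFTER: the check and the store happen under one mutex. */
server_t *get_instance_locked(void) {
    pthread_mutex_lock(&g_lock);
    if (g_instance == NULL) {
        g_instance = calloc(1, sizeof(server_t));
        g_built++;
    }
    server_t *s = g_instance;
    pthread_mutex_unlock(&g_lock);
    return s;
}
static void *worker(void *out) { *(server_t **)out = get_instance_locked(); return NULL; }
/* Real threads race the locked getter; returns objects built, or -1 on a pointer mismatch. */
int locked_objects_built(void) {
    pthread_t t[N_THREADS]; server_t *seen[N_THREADS];
    g_instance = NULL; g_built = 0;
    for (int i = 0; i < N_THREADS; i++) pthread_create(&t[i], NULL, worker, &seen[i]);
    for (int i = 0; i < N_THREADS; i++) pthread_join(t[i], NULL);
    for (int i = 0; i < N_THREADS; i++) if (seen[i] != g_instance) return -1;
    return g_built;
}
int main(void) { return (racy_objects_built() == 2 && locked_objects_built() == 1) ? 0 : 1; }
```

In the racy replay two objects are built and the global pointer ends up referring only to the last one, so any caller still holding the first pointer has a reference the singleton no longer tracks; under the mutex, every thread receives the same single object.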
Exploitation & Security Risk
Successful exploitation requires:
- Access to an RD Gateway
- Launching concurrent socket connections
- Triggering heap collisions to hijack freed memory
The CVSS score of 8.1 reflects the high severity of this vulnerability. Remote attackers can gain full control of affected systems with minimal interaction.
Vpnymous Insight: Secure Remote Access Starts with Privacy
When vulnerabilities strike enterprise access points like RD Gateway, secure tunneling becomes your first line of defense. At Vpnymous, we help protect your connections — whether you’re an IT admin or remote worker — with advanced, private VPN solutions.
- Buy VPN with crypto — no ID, no tracking
- Use open-source VPN clients — built for transparency
- Stay invisible online — zero logs, full encryption