CVE-2025-29967

Q: What is the severity of CVE-2025-29967?

CVE-2025-29967 has a CVSS score of 8.8 (HIGH). A heap-based buffer overflow vulnerability in Microsoft's Remote Desktop Gateway Service allows unauthenticated attackers to execute arbitrary code remotely over a network. This affects organizations using Remote Desktop Gateway for remote access. Attackers can potentially take full control of affected systems.

8.8 HIGH

Remote Code Execution Buffer Overflow

📋 TL;DR

A heap-based buffer overflow vulnerability in Microsoft's Remote Desktop Gateway Service allows unauthenticated attackers to execute arbitrary code remotely over a network. This affects organizations using Remote Desktop Gateway for remote access. Attackers can potentially take full control of affected systems.

💻 Affected Systems

Products:

Microsoft Remote Desktop Gateway

Versions: Specific versions to be determined from Microsoft advisory

Operating Systems: Windows Server with Remote Desktop Gateway role

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with Remote Desktop Gateway Service enabled and accessible

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to domain takeover, data exfiltration, ransomware deployment, and lateral movement across the network.

🟠

Likely Case

Remote code execution leading to malware installation, credential theft, and persistent backdoor access to the compromised system.

🟢

If Mitigated

Limited impact due to network segmentation, strong authentication requirements, and proper access controls preventing exploitation attempts.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Based on CVSS score and description, exploitation appears feasible but requires specific network access to the service

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: To be determined from Microsoft's security update

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29967

Restart Required: Yes

Instructions:

1. Check Microsoft's security advisory for the specific patch
2. Apply the latest Windows Server security update
3. Restart the Remote Desktop Gateway service or the entire server

🔧 Temporary Workarounds

Disable Remote Desktop Gateway Service

windows

Temporarily disable the vulnerable service if not required

Stop-Service -Name TSGateway -Force
Set-Service -Name TSGateway -StartupType Disabled

Network Access Restrictions

windows

Restrict network access to Remote Desktop Gateway ports (typically 443)

New-NetFirewallRule -DisplayName 'Block RDG' -Direction Inbound -LocalPort 443 -Protocol TCP -Action Block

🧯 If You Can't Patch

Implement strict network segmentation to isolate Remote Desktop Gateway servers
Require VPN access before allowing Remote Desktop Gateway connections

🔍 How to Verify

Check if Vulnerable:

Check if Remote Desktop Gateway Service is running and accessible on the network

Check Version:

Get-WindowsUpdateLog | Select-String -Pattern 'Security Update'

Verify Fix Applied:

Verify the latest Windows security update is installed and the service version matches patched version

📡 Detection & Monitoring

Log Indicators:

Unusual authentication failures in Remote Desktop Gateway logs
Multiple connection attempts from single IPs
Process creation events from TSGateway service

Network Indicators:

Unusual traffic patterns to port 443 on RDG servers
Large or malformed packets to RDG service

SIEM Query:

source='Windows Security' AND event_id=4625 AND process_name='TSGateway.exe'

📊 Metadata

CVE ID: CVE-2025-29967

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-122

EPSS Score: 0.83% exploit probability (74.2th percentile)

Published: May 13, 2025

Last Updated: May 19, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29967 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Remote Desktop Gateway Service

Network Access Restrictions

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities