**Microsoft Patches Critical Remote Desktop Flaws**

Microsoft has patched two critical vulnerabilities in its Remote Desktop services that could allow attackers to execute malicious code remotely, the company said in its May 2025 Patch Tuesday release. The flaws—tracked as CVE-2025-29966 and CVE-2025-29967—affect the Remote Desktop Client and Gateway Service. Both are heap-based buffer overflow vulnerabilities with high CVSS scores, enabling remote code execution when a user connects to a malicious server.

Microsoft noted that attackers could exploit the vulnerabilities by taking control of a Remote Desktop Server and targeting unpatched clients. While no active exploitation has been reported, the company labeled the flaws as “Exploitation Less Likely.” Still, experts warn the risks remain serious given previous interest in Remote Desktop exploits.

The vulnerabilities impact multiple Windows versions, and Microsoft urges immediate patching. Updates are available via Windows Update, WSUS, and the Microsoft Update Catalog. For unpatched systems, experts recommend restricting Remote Desktop access to trusted sources.
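As an added example (not from the article), the following PowerShell scoping check reports whether a Windows host runs the affected components and whether any security update has landed since the May 2025 Patch Tuesday (13 May 2025). It assumes the RD Gateway service name `TSGateway` and uses the install date as a heuristic only; it proves an update was applied, not which KB, so confirm the exact update in Microsoft's advisory.

```powershell
# Added example, not from the article: scope check for the Remote Desktop
# Client / Gateway flaws fixed in the May 2025 Patch Tuesday release.
# Assumptions: RD Gateway runs as the 'TSGateway' service, and a security
# update installed on or after 13 May 2025 is treated as a positive signal
# (a heuristic, not proof that the specific fix is present).
$PatchTuesday = Get-Date -Year 2025 -Month 5 -Day 13

function Get-RdpExposureReport {
    # Remote Desktop Client ships on every Windows host as mstsc.exe
    $client  = Get-Item "$env:SystemRoot\System32\mstsc.exe" -ErrorAction SilentlyContinue
    # Remote Desktop Gateway role is present only where the service exists (servers)
    $gateway = Get-Service -Name 'TSGateway' -ErrorAction SilentlyContinue

    # Most recent security update installed since the patch release, if any
    $recent = Get-HotFix |
        Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn -ge $PatchTuesday } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        HasRdpClient        = [bool]$client
        RdpClientVersion    = if ($client) { $client.VersionInfo.FileVersion } else { $null }
        HasRdGateway        = [bool]$gateway
        SecurityUpdateSince = if ($recent) { "$($recent.HotFixID) ($($recent.InstalledOn.ToShortDateString()))" } else { $null }
        # Flag hosts that run an affected component but show no post-release update
        NeedsAttention      = (-not $recent) -and ([bool]$client -or [bool]$gateway)
    }
}

Get-RdpExposureReport | Format-List
```

Run it across a fleet with `Invoke-Command` to produce a list of hosts flagged `NeedsAttention` for follow-up through Windows Update, WSUS, or the Update Catalog.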
