Windows Servers Exposed to Critical RDP Code Flaw

A critical vulnerability in Microsoft’s Remote Desktop Services, tracked as CVE-2025-32710, could allow unauthenticated attackers to execute arbitrary code remotely, the company disclosed on June 10. The flaw, rated 8.1 on the CVSS scale, affects a broad range of Windows Server versions from 2008 through 2025.

The bug stems from a use-after-free condition combined with a race condition in the Remote Desktop Gateway. Exploiting the flaw requires network access but not user interaction or privileges, potentially giving attackers full control over targeted systems.

Microsoft said exploitation is “less likely” due to the technical complexity of the attack. Still, the impact is high across confidentiality, integrity and availability domains.

Security patches are available for all affected server editions, including updates via Windows Update, WSUS and the Microsoft Update Catalog. Organizations are urged to apply fixes immediately and implement network segmentation and endpoint protections to reduce exposure. No in-the-wild exploitation has been observed.
