Microsoft Remote Desktop Client Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability in Microsoft Remote Desktop Client could allow attackers to execute arbitrary code on victim systems. 

The vulnerability, designated as CVE-2025-48817, affects multiple versions of Windows and poses significant security risks for organizations that rely on Remote Desktop Protocol (RDP) connections.

Key Takeaways
1. CVE-2025-48817 enables remote code execution via Microsoft Remote Desktop Client (CVSS 8.8).
2. Malicious RDP servers execute code on connecting clients through a path traversal vulnerability.
3. Affects all Windows versions from Server 2008 to Windows 11 24H2.
4. Microsoft released fixes July 8, 2025 - apply security updates immediately.

Microsoft Remote Desktop Client Vulnerability

CVE-2025-48817 represents a relative path traversal vulnerability combined with improper access control mechanisms within Microsoft’s Remote Desktop Client infrastructure. 

The vulnerability has been assigned a CVSS score of 8.8 for base metrics and 7.7 for temporal metrics, classifying it as “Important” severity. 

The technical classification identifies two primary weakness categories: CWE-23 (Relative Path Traversal) and CWE-284 (Improper Access Control).

The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C indicates this is a network-based attack vector with low complexity requirements. 

Crucially, the vulnerability requires no privileges for exploitation but does necessitate user interaction. Upon successful exploitation, attackers can achieve high impact across confidentiality, integrity, and availability domains.

The exploitation mechanism relies on a man-in-the-middle attack scenario where malicious actors control a Remote Desktop Server. 

When victims connect to the compromised server using vulnerable Remote Desktop Client software, the relative path traversal flaw enables remote code execution (RCE) on the client machine. 

This attack vector is particularly concerning because it reverses the typical client-server security model, where clients generally trust servers.

The vulnerability requires an administrative user on the client system to initiate a connection to the malicious server. 

Once the connection is established, the path traversal weakness allows attackers to escape intended directory restrictions and execute arbitrary code with elevated privileges. 

Affected Systems and Security Updates

Microsoft has released comprehensive security updates addressing CVE-2025-48817 across its entire Windows ecosystem. 

The affected platforms span from legacy systems, including Windows Server 2008 and Windows 7, to current versions such as Windows 11 24H2 and Windows Server 2022. 

Specific build numbers for patched versions include 10.0.26100.4652 for Windows 11 24H2 and 10.0.22631.5624 for Windows 11 23H2.

The Remote Desktop client for Windows Desktop has been updated to version 1.2.6353.0, while the Windows App Client reaches version 2.0.559.0. 

Organizations should prioritize applying security updates KB5062553 and KB5062552, as well as related patches corresponding to their specific Windows versions. 

Microsoft has confirmed that the vulnerability is not currently being exploited in the wild, and no public disclosure has occurred, providing organizations with a critical window for remediation before potential widespread exploitation attempts.

Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now