Windows Remote Desktop Services Vulnerability Let Attackers Escalate Privileges

Microsoft has disclosed a vulnerability in Windows Remote Desktop Services (RDS) that could allow an authorized attacker to escalate privileges on affected systems.

Tracked as CVE-2025-60703, the flaw stems from an untrusted pointer dereference, a memory safety bug class, and carries an "Important" severity rating from Microsoft.

The vulnerability sits in Windows RDS, the component that serves Remote Desktop Protocol (RDP) sessions and is widely used for remote access to Windows machines. According to Microsoft's advisory, an authorized local attacker could exploit this weakness to gain elevated privileges, potentially reaching SYSTEM-level access.

In practice, a user holding only standard credentials on an affected machine could run arbitrary code as SYSTEM, above the level of a local administrator.

While exploitation requires local access with a valid account, the issue poses a real risk in multi-user environments such as enterprise networks, terminal servers and shared hosts, where an insider or an initial foothold (for example, from phishing) already has exactly that level of access.

Technically, CVE-2025-60703 falls under CWE-822: Untrusted Pointer Dereference, in which a program takes a value from an untrusted source, treats it as a pointer and dereferences it without validation. The result is memory corruption that an attacker can steer toward code execution in the privileged component.

Microsoft's Exploitability Index rates exploitation as "Unlikely" at this stage, with no public disclosure and no evidence of active exploitation. The CVSS base score published by Microsoft keeps the bug at Important rather than Critical, consistent with its local attack vector.

Affected versions span multiple Windows releases, including Windows 10, Windows 11 and Windows Server editions that carry RDS components; supported releases receive the fix in the November 2025 cumulative update. The table below lists the legacy products that are still serviced under Extended Security Updates (ESU).

Product                   Affected versions                                   Patched by (KB/update)
Windows Server 2012 R2    All ESU builds before the November 2025 update      KB5068905 (November 2025 security update)
Windows Server 2008       All ESU builds before the November 2025 update      November 2025 ESU security update
Windows Server 2008 R2    All ESU builds before the November 2025 update      November 2025 ESU cumulative update
Windows 7 ESU             All ESU builds before the November 2025 update      November 2025 ESU cumulative update
Windows 8.1 ESU           All ESU builds before the November 2025 update      November 2025 ESU cumulative update

Microsoft urges prompt patching; the fix ships in the November 2025 security updates delivered through Windows Update. Organizations relying on RDS for virtual desktop infrastructure (VDI), session hosts or remote administration should prioritize deployment, since those hosts concentrate exactly the low-privilege interactive users this bug favors.

As an added precaution, enforce least privilege for RDP-capable accounts (in particular, keep standard users out of the Remote Desktop Users group on servers that do not need them), monitor for unexpected privilege escalation on RDS hosts, and segment networks so that a single compromised session host cannot be used for lateral movement.
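The following PowerShell script is an added example, not code from Microsoft's advisory or from the article. It performs the host-side triage a practitioner would want before and after patching: it reports whether the host actually serves RDP (TermService state and the fDenyTSConnections policy), checks the installed-update list for the KB identifiers you pass in, and lists the RemoteInteractive (logon type 10) logons from the Security log, which is the population of accounts that could exploit a local RDS bug. The default KB list contains only KB5068905, the identifier the table above gives for Windows Server 2012 R2; identifiers for other releases are an assumption and must be taken from Microsoft's advisory for the build in question. The script should be run from an elevated session on the host being checked.

```powershell
# Added example: triage one host for CVE-2025-60703 exposure and patch state.
# Not from the Microsoft advisory or the article. Run in an elevated session.
param(
    # KB5068905 is the identifier the article's table lists for Windows Server
    # 2012 R2. Any other value you pass here is an assumption on your part and
    # must come from Microsoft's advisory for this host's OS build.
    [string[]] $RequiredKB = @('KB5068905'),
    [int] $LookbackHours = 24
)

# Identify the build so the result can be matched against the advisory.
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
Write-Host ("Host: {0}  OS: {1}  build {2}.{3}" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber, $ubr)

# 1. Does this host serve RDP sessions at all?
$svc  = Get-Service -Name TermService -ErrorAction SilentlyContinue
$deny = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
            -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)
Write-Host ("TermService: {0}  RDP connections enabled: {1}" -f $svc.Status, $rdpEnabled)

# 2. Patch state: compare the required KB list with Win32_QuickFixEngineering.
#    Get-HotFix lags or omits entries on some builds, so treat a "missing" result
#    as a prompt to verify the build/UBR above against the advisory, not as proof.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = $RequiredKB | Where-Object { $_ -notin $installed }
if ($missing) {
    Write-Warning ("Update(s) not found in installed list: {0}" -f ($missing -join ', '))
} else {
    Write-Host "All listed updates are present."
}

# 3. Who has logged on over RDP recently? Logon type 10 = RemoteInteractive.
#    These accounts are the ones a local RDS privilege escalation would start from.
$since = (Get-Date).AddHours(-$LookbackHours).ToUniversalTime().ToString('o')
$xpath = "*[System[EventID=4624 and TimeCreated[@SystemTime>='$since']] " +
         "and EventData[Data[@Name='LogonType']='10']]"

Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source  = $d.IpAddress
            LogonId = $d.TargetLogonId
        }
    } | Format-Table -AutoSize
```

The logon IDs reported in step 3 are the TargetLogonId values that later 4688 (process creation) and 4672 (special privileges assigned) events carry as SubjectLogonId, so they are the join key if you want to follow what a given RDP session went on to do. Step 2 requires PowerShell 3 or later for the -notin operator; on the ESU-era systems in the table above, verify the PowerShell version first.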

This disclosure arrives alongside other recently reported zero-day vulnerabilities in Microsoft products. Although CVE-2025-60703 is not known to be weaponized, it is a reminder that the components behind remote access remain a recurring source of local privilege escalation bugs.

Security teams are advised to review Microsoft’s full advisory and test patches in staging environments to avoid disruptions.
