Microsoft Remote Desktop Client Vulnerability Allowed Attackers to Execute Remote Code


A critical security flaw in Microsoft Remote Desktop Client, identified as CVE-2025-48817, could enable attackers to execute arbitrary code on targeted systems.

This vulnerability impacts various Windows versions and presents serious security risks for organizations that depend on Remote Desktop Protocol (RDP) for remote access.

Key Takeaways:

  1. Remote Code Execution Vulnerability (CVE-2025-48817): Rated CVSS 8.8, this flaw allows attackers to execute remote code via Microsoft Remote Desktop Client.
  2. Exploitation via Malicious RDP Servers: Attackers can exploit a path traversal vulnerability to run code on clients that connect to compromised RDP servers.
  3. Wide Impact: Affects all supported Windows versions—from Windows Server 2008 through Windows 11 24H2.
  4. Patch Available: Microsoft released security updates on July 8, 2025—users are strongly urged to apply them immediately.

Microsoft Remote Desktop Client Vulnerability

CVE-2025-48817 is a relative path traversal vulnerability compounded by inadequate access control within Microsoft’s Remote Desktop Client infrastructure. This flaw allows malicious RDP servers to exploit the client-side application, potentially leading to remote code execution on the victim’s system.

The vulnerability has been assigned a CVSS score of 8.8 (base) and 7.7 (temporal), categorizing it as a security issue of “Important” severity.

Technically, it falls under two primary weakness classes:

  • CWE-23: Relative Path Traversal
  • CWE-284: Improper Access Control

These combined weaknesses enable attackers to bypass normal restrictions and potentially execute unauthorized code on affected systems.

The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C indicates that this vulnerability uses a network-based attack vector with low complexity and requires no privileges for exploitation, but it does require user interaction.

Once successfully exploited, attackers can achieve high impact on confidentiality, integrity, and availability. The attack mechanism relies on a man-in-the-middle scenario where malicious actors control a compromised Remote Desktop Server.

When victims connect to this rogue server via vulnerable Remote Desktop Client software, the relative path traversal flaw allows the attackers to achieve remote code execution (RCE) on the client machine. This is especially concerning because it turns the usual client-server trust model, in which clients trust the servers they connect to, against the client.

The vulnerability requires an administrative user on the client system to initiate the connection to the malicious server. Once the connection is made, the path traversal weakness enables attackers to bypass directory restrictions and execute arbitrary code, often with elevated privileges.
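The article does not describe the flawed code path in the client. As a general illustration of the CWE-23 class it names (added here, not code from Microsoft or the original page), the following shows how a program can confine a name received from an untrusted peer to one base directory under Windows path rules. The function names, base directory and sample names are constructed for the example.

```python
import ntpath  # Windows path semantics, usable on any OS

def resolve_inside(base_dir, untrusted_name):
    """Map an untrusted relative name to a path under base_dir, or raise ValueError."""
    name = untrusted_name.replace("/", "\\")      # Windows accepts both separators
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("\\"):
        raise ValueError("absolute, drive-qualified or UNC path")
    base = ntpath.normpath(base_dir)
    candidate = ntpath.normpath(ntpath.join(base, name))  # collapses ".." segments
    # Compare whole path components, not string prefixes, so that
    # "Downloads2" is not accepted as being inside "Downloads".
    if ntpath.commonpath([base, candidate]).lower() != base.lower():
        raise ValueError("escapes base directory")
    if candidate.lower() == base.lower():
        raise ValueError("no file name")
    # This check is lexical only: on a real file system, also resolve
    # symlinks and junctions before trusting the result.
    return candidate

def classify(base_dir, names):
    """Return {name: resolved path or 'REJECTED: reason'} for each name."""
    out = {}
    for n in names:
        try:
            out[n] = resolve_inside(base_dir, n)
        except ValueError as exc:
            out[n] = f"REJECTED: {exc}"
    return out

BASE = r"C:\Users\alice\Downloads"        # constructed base directory
SAMPLES = [                               # constructed names
    "report.pdf",                         # plain file name
    r"sub\..\notes.txt",                  # ".." that stays inside the base
    r"..\..\other\file.txt",              # climbs out of the base
    "sub/../../file.txt",                 # same, with forward slashes
    r"..\Downloads2\file.txt",            # sibling sharing a string prefix
    r"C:\Temp\file.txt",                  # absolute path
    "D:file.txt",                         # drive-relative path
    r"\\host\share\file.txt",             # UNC path
]

if __name__ == "__main__":
    for name, result in classify(BASE, SAMPLES).items():
        print(f"{name!r:32} -> {result}")
```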

Risk Factors and Details

Affected Products:

  • Windows Server 2008/2008 R2/2012/2012 R2
  • Windows Server 2016/2019/2022/2025
  • Windows 10 (all versions from 1607 to 22H2)
  • Windows 11 (22H2, 23H2, 24H2)
  • Remote Desktop Client for Windows Desktop
  • Windows App Client for Windows Desktop

Impact: Remote Code Execution (RCE)

Exploit Prerequisites:

  • Administrative user on client system
  • User interaction required
  • Connection to malicious RDP server
  • Network access
  • No privileges required on server side

CVSS 3.1 Score: 8.8 (Important)

Affected Systems and Security Updates

Microsoft has issued comprehensive security updates to address CVE-2025-48817 across its entire Windows ecosystem.

The vulnerability affects a wide range of platforms, from legacy systems like Windows Server 2008 and Windows 7 to the most recent releases, including Windows 11 24H2 and Windows Server 2022. Organizations using any of these versions are strongly advised to apply the updates immediately to mitigate the risk of exploitation.

Microsoft has released patched builds addressing CVE-2025-48817, including build 10.0.26100.4652 for Windows 11 24H2 and build 10.0.22631.5624 for Windows 11 23H2. In addition, the Remote Desktop Client for Windows Desktop has been updated to version 1.2.6353.0, while the Windows App Client has been updated to version 2.0.559.0.

Organizations are strongly urged to prioritize deployment of security updates KB5062553 and KB5062552, along with any related patches applicable to their specific Windows versions. Prompt action is essential to mitigate the risk of remote code execution stemming from this vulnerability.

Microsoft has confirmed that CVE-2025-48817 is not currently being exploited in the wild, and no public disclosure of the vulnerability has occurred to date. This provides organizations with a critical window of opportunity to apply the necessary security updates and mitigate the risk before potential widespread exploitation begins. Prompt remediation is strongly recommended to stay ahead of any future threat activity targeting this flaw.

July 9th, 2025 (2025-07-09T16:05:27+05:30) | Security Update, vulnerability

About the Author:

FirstHackersNews- Identifies Security
