Cybersecurity expert Ebubekir Bastama: 'RD Gateway vulnerability could grant attackers full access'
The critical vulnerability, tracked as CVE-2025-21297, affects the Remote Desktop Gateway (RD Gateway) role in Windows Server. Cybersecurity researcher Ebubekir Bastama stated that if the vulnerability is successfully exploited, "attackers could gain full control over the system."
Critical vulnerability in Microsoft's RD Gateway component
Microsoft's Remote Desktop Gateway (RD Gateway), the service that brokers remote desktop connections from outside into an internal network, is affected by a newly disclosed vulnerability, CVE-2025-21297. According to the security researchers who analysed it, the flaw lets an attacker execute malicious code on the server by corrupting memory through a race condition in the service's startup path.
Technical details and attack vector
The vulnerability is a use-after-free (UAF) in the function CTsgMsgServer::GetCTsgMsgServerInstance in aaedge.dll, the library that implements the RD Gateway service. The function hands out a lazily created singleton; when several threads call it at the same time during RD Gateway startup, the lack of synchronisation lets them overwrite the m_pMsgSvrInstance pointer without coordination. The stale reference that results is the use-after-free: memory can be released while another thread still uses it, which corrupts the heap, and an attacker who wins the race can steer that corruption into remote code execution.
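The same bug class in miniature, as an added illustration written for this article and not code from aaedge.dll: a lazily created singleton getter with no synchronisation, next to a version that does the check and the create under a lock. All names (MsgServer, get_instance_unsafe, new_server and so on) are hypothetical, and the barrier is there only to force the unlucky interleaving so the outcome is reproducible; in the real service that timing is what the attacker has to supply.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the message-server object (not the aaedge.dll layout). */
typedef struct MsgServer { int id; } MsgServer;

#define NTHREADS 2
static MsgServer *g_allocs[NTHREADS];  /* every object created in a run, for cleanup */
static atomic_int g_created;           /* objects created in the current run */

static MsgServer *new_server(void) {
    int idx = atomic_fetch_add(&g_created, 1);
    MsgServer *s = calloc(1, sizeof *s);
    if (s == NULL) abort();
    s->id = idx + 1;
    g_allocs[idx] = s;
    return s;
}

/* ---- Vulnerable pattern: check-then-create with no lock ------------------ */
static MsgServer *g_instance_unsafe;   /* plays the role of m_pMsgSvrInstance */
static pthread_barrier_t g_race_gate;  /* stands in for an unlucky scheduler */

static MsgServer *get_instance_unsafe(void) {
    if (g_instance_unsafe == NULL) {
        /* Every thread passes the NULL check before any thread stores; this is
           the window an attacker has to hit when no barrier is holding it open. */
        pthread_barrier_wait(&g_race_gate);
        g_instance_unsafe = new_server();  /* last writer wins; the other object is orphaned */
    }
    return g_instance_unsafe;
}

/* ---- Fixed pattern: the check and the create happen under one mutex ------ */
static MsgServer *g_instance_safe;
static pthread_mutex_t g_lock = PTHREAD_MUTEX_INITIALIZER;

static MsgServer *get_instance_safe(void) {
    pthread_mutex_lock(&g_lock);
    if (g_instance_safe == NULL)
        g_instance_safe = new_server();    /* runs at most once per run */
    MsgServer *s = g_instance_safe;
    pthread_mutex_unlock(&g_lock);
    return s;
}

static void *unsafe_worker(void *arg) { *(MsgServer **)arg = get_instance_unsafe(); return NULL; }
static void *safe_worker(void *arg)   { *(MsgServer **)arg = get_instance_safe();   return NULL; }

/* Runs NTHREADS concurrent callers; records the pointer each caller received in seen[]. */
static void run_callers(void *(*worker)(void *), MsgServer **seen) {
    pthread_t t[NTHREADS];
    atomic_store(&g_created, 0);
    for (int i = 0; i < NTHREADS; i++)
        if (pthread_create(&t[i], NULL, worker, &seen[i]) != 0) abort();
    for (int i = 0; i < NTHREADS; i++)
        pthread_join(t[i], NULL);
}

static void release_all(void) {
    for (int i = 0; i < atomic_load(&g_created); i++) { free(g_allocs[i]); g_allocs[i] = NULL; }
}

/* Returns the number of objects created when NTHREADS callers race the unsafe getter. */
int unsafe_demo(void) {
    MsgServer *seen[NTHREADS];
    g_instance_unsafe = NULL;
    pthread_barrier_init(&g_race_gate, NULL, NTHREADS);
    run_callers(unsafe_worker, seen);
    pthread_barrier_destroy(&g_race_gate);
    /* A caller whose pointer differs from the final singleton is holding the
       orphaned object: once that object is released, its reference dangles. */
    for (int i = 0; i < NTHREADS; i++)
        if (seen[i] != g_instance_unsafe)
            printf("caller %d holds orphaned instance %d\n", i, seen[i]->id);
    int n = atomic_load(&g_created);
    release_all();
    return n;  /* 2: both threads created an object */
}

/* Returns the number of objects created when the same callers use the locked getter. */
int safe_demo(void) {
    MsgServer *seen[NTHREADS];
    g_instance_safe = NULL;
    run_callers(safe_worker, seen);
    int n = atomic_load(&g_created);
    release_all();
    return n;  /* 1 */
}

int main(void) {
    printf("unsafe getter: %d objects created\n", unsafe_demo());
    printf("locked getter: %d object created\n", safe_demo());
    return 0;
}
```

Without the barrier the unsafe getter almost always appears to work, which is why this class of defect survives functional testing and surfaces only when someone deliberately races it. The mutex is the simplest correct form; pthread_once (or InitOnceExecuteOnce on Windows) is the idiomatic choice for genuine one-time initialisation.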
Ebubekir Bastama: 'Server control may fall into the hands of the attacker'
Cybersecurity researcher Ebubekir Bastama drew attention to the seriousness of the security vulnerability and made the following statements:
"If such vulnerabilities are not addressed quickly, they can have devastating effects, especially on large systems. A vulnerability such as CVE-2025-21297, when exploited, can give an attacker full control over the RD Gateway server. This poses a serious threat to corporate systems."
Extent of risk and affected systems
The vulnerability has a CVSS 3.1 base score of 8.1 ('High'): it is reachable over the network with no privileges or user interaction required, but attack complexity is rated high because the race condition has to be won. Exploitation is described as a complex, 9-step heap-collision process; a successful attack nevertheless gives complete control of the RD Gateway server. The following Windows Server versions are affected:
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server 2025
(both Server Core and full installations)
Corporate networks are under threat
This vulnerability is critical because RD Gateway is typically exposed to the internet to provide remote access into corporate networks. A compromised gateway gives an attacker a foothold inside the network, from which data theft or disruption of services can follow.
Security updates from Microsoft
Microsoft addressed the vulnerability in its January 2025 security updates. The updates for the affected systems are as follows:
Windows Server 2016 → KB5050011
Windows Server 2019 → KB5050008
Windows Server 2022 → KB5049983
Windows Server 2025 → KB5050009
Urgent call to action for institutions
Experts recommend applying the relevant update immediately, restricting access to RD Gateway systems to trusted IP addresses, and regularly reviewing RD Gateway logs for unusual activity. Because the CVSS vector indicates no privileges are required, IP allow-listing narrows exposure but is no substitute for the patch.
Source: CUMHA - CUMHURS NEWS AGENCY