Cyber Posture

CVE-2025-21309

Severity: High

Published: 14 January 2025
Modified: 24 January 2025
KEV Added: not listed
Patch: available (see the MSRC update guide under Deeper analysis)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0232 (84.9th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21309 is a high-severity Sensitive Data Storage in Improperly Locked Memory (CWE-591) vulnerability affecting Microsoft Windows Server 2012 and later Windows Server releases (see Affected Products). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.1% of CVEs by exploit likelihood (EPSS 84.9th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-17 (Remote Access).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1210, listed below). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly addresses the RCE vulnerability by requiring timely remediation through application of vendor patches for Windows Remote Desktop Services.

Boundary protection (prevent)

Provides boundary protection to restrict network access to vulnerable RDS ports, limiting remote exploitation opportunities.

AC-17 Remote Access, partial match (prevent, detect)

Controls and monitors remote access usage for RDS services, reducing unauthorized exposure and enabling detection of anomalous connections.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

This CVE enables unauthenticated network RCE in Windows Remote Desktop Services, which maps directly to exploitation of public-facing applications (T1190) for initial access and of remote services (T1210) for lateral movement.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Windows Remote Desktop Services Remote Code Execution Vulnerability

Deeper analysis

CVE-2025-21309 is a Remote Code Execution vulnerability in Windows Remote Desktop Services. Published on 2025-01-14T18:15:54.210, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-591 as well as NVD-CWE-noinfo.

Unauthenticated remote attackers can exploit this vulnerability over the network; exploitation carries high attack complexity but requires no privileges and no user interaction. Successful exploitation enables remote code execution with high impact on confidentiality, integrity, and availability within the affected scope.

The Microsoft Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21309 details available patches and mitigation recommendations.

Details

CWE(s): CWE-591 (Sensitive Data Storage in Improperly Locked Memory); NVD-CWE-noinfo

Affected Products

Vendor     Product                    Affected versions
microsoft  windows server 2012        all versions, R2
microsoft  windows server 2016        ≤ 10.0.14393.7699
microsoft  windows server 2019        ≤ 10.0.17763.6775
microsoft  windows server 2022        ≤ 10.0.20348.3091
microsoft  windows server 2022 23h2   ≤ 10.0.25398.1369
microsoft  windows server 2025        ≤ 10.0.26100.2894
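A host-side check against the build thresholds listed above, as an added example (not code from the Cyber Posture page or from Microsoft). It assumes that a build whose update revision (UBR) is strictly above the listed maximum carries the fix, and it uses the well-known RTM build numbers 9200 and 9600 for Windows Server 2012 and 2012 R2, which are not stated on the page.

```powershell
# Added example: flag a Windows Server host whose build falls inside the
# affected ranges this page lists for CVE-2025-21309. The thresholds are
# copied from the Affected Products list; confirm them against the MSRC
# update guide before acting on the result.

# Maximum affected update revision (UBR), keyed by the CurrentBuild value
# stored under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
$AffectedMaxUbr = @{
    '14393' = 7699   # Windows Server 2016      (10.0.14393.7699)
    '17763' = 6775   # Windows Server 2019      (10.0.17763.6775)
    '20348' = 3091   # Windows Server 2022      (10.0.20348.3091)
    '25398' = 1369   # Windows Server 2022 23H2 (10.0.25398.1369)
    '26100' = 2894   # Windows Server 2025      (10.0.26100.2894)
}
# Server 2012 (build 9200) and 2012 R2 (build 9600) are listed as "all
# versions" affected, so no revision threshold applies to them (assumption:
# these RTM build numbers are not on the page).
$AllRevisionsAffected = @('9200', '9600')

function Test-Cve202521309Build {
    param(
        [Parameter(Mandatory)][string]$Build,   # e.g. '17763'
        [Parameter(Mandatory)][int]$Ubr         # e.g. 6775
    )
    $full = "$Build.$Ubr"
    if ($AllRevisionsAffected -contains $Build) {
        return [pscustomobject]@{ Build = $full; Status = 'AFFECTED'; Reason = 'all versions listed as affected' }
    }
    if (-not $AffectedMaxUbr.ContainsKey($Build)) {
        return [pscustomobject]@{ Build = $full; Status = 'NOT LISTED'; Reason = 'build not in Affected Products' }
    }
    $max = $AffectedMaxUbr[$Build]
    $status = if ($Ubr -le $max) { 'AFFECTED' } else { 'PATCHED' }
    return [pscustomobject]@{ Build = $full; Status = $status; Reason = "listed maximum affected revision is $max" }
}

function Test-LocalHost {
    # Read the running build and update revision from the registry.
    # UBR may be absent on Server 2012; [int]$null becomes 0, which is still
    # flagged because that family is "all versions" affected.
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    Test-Cve202521309Build -Build $nt.CurrentBuild -Ubr ([int]$nt.UBR)
}

# Constructed sample inputs (not real hosts) covering each outcome:
Test-Cve202521309Build -Build '17763' -Ubr 6775    # AFFECTED (equal to the maximum)
Test-Cve202521309Build -Build '17763' -Ubr 6893    # PATCHED
Test-Cve202521309Build -Build '9600'  -Ubr 20000   # AFFECTED (2012 R2, all versions)
Test-Cve202521309Build -Build '22631' -Ubr 4000    # NOT LISTED (not in the table)
# Test-LocalHost   # run this on the host being assessed
```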

CVEs Like This One

CVE-2025-24045 (same product: Microsoft Windows Server 2012)
CVE-2025-54106 (same product: Microsoft Windows Server 2012)
CVE-2025-49735 (same product: Microsoft Windows Server 2012)
CVE-2025-24035 (same product: Microsoft Windows Server 2012)
CVE-2025-49729 (same product: Microsoft Windows Server 2012)
CVE-2025-49663 (same product: Microsoft Windows Server 2012)
CVE-2025-47998 (same product: Microsoft Windows Server 2012)
CVE-2025-49753 (same product: Microsoft Windows Server 2012)
CVE-2025-49668 (same product: Microsoft Windows Server 2012)
CVE-2025-49669 (same product: Microsoft Windows Server 2012)

References