Cyber Resilience

CVE-2025-21309

Severity: High
Published: 14 January 2025
Modified: 24 January 2025
KEV Added: not listed
Patch: Microsoft Security Response Center advisory
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0243 (85.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21309 is a high-severity Sensitive Data Storage in Improperly Locked Memory (CWE-591) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-17 (Remote Access).

Deeper analysis

Windows Remote Desktop Services contains a remote code execution vulnerability tracked as CVE-2025-21309. The flaw affects the Remote Desktop Services component in Windows and carries a CVSS 3.1 base score of 8.1 with the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network-reachable code execution with high impact on confidentiality, integrity, and availability.

An unauthenticated attacker can exploit the issue over the network without user interaction, although the attack complexity is rated high. Successful exploitation grants the ability to execute arbitrary code with the privileges of the Remote Desktop Services process, potentially leading to full system compromise.

The single reference points to the Microsoft Security Response Center advisory page for CVE-2025-21309, which is the authoritative source for patch availability and mitigation guidance. The associated EPSS score remains low, moving only from 0.0243 to a peak of 0.0253 with no material increase after disclosure.

EU & UK References

Vulnerability details

Windows Remote Desktop Services Remote Code Execution Vulnerability

CWE(s)

CWE-591 Sensitive Data Storage in Improperly Locked Memory

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The CVE enables unauthenticated network RCE in Windows Remote Desktop Services, which maps directly to exploitation of public-facing applications (T1190) for initial access and of remote services (T1210) for lateral movement.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24045: same product (Microsoft Windows Server 2012)
CVE-2025-54106: same product (Microsoft Windows Server 2012)
CVE-2025-49735: same product (Microsoft Windows Server 2012)
CVE-2025-24035: same product (Microsoft Windows Server 2012)
CVE-2025-48824: same product (Microsoft Windows Server 2012)
CVE-2025-49729: same product (Microsoft Windows Server 2012)
CVE-2025-54113: same product (Microsoft Windows Server 2012)
CVE-2025-49672: same product (Microsoft Windows Server 2012)
CVE-2025-47998: same product (Microsoft Windows Server 2012)
CVE-2025-49668: same product (Microsoft Windows Server 2012)

Affected Assets

Vendor | Product | Affected versions
microsoft | windows server 2012 | all versions, R2
microsoft | windows server 2016 | ≤ 10.0.14393.7699
microsoft | windows server 2019 | ≤ 10.0.17763.6775
microsoft | windows server 2022 | ≤ 10.0.20348.3091
microsoft | windows server 2022 23h2 | ≤ 10.0.25398.1369
microsoft | windows server 2025 | ≤ 10.0.26100.2894

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent)
Directly addresses the RCE vulnerability by requiring timely remediation through application of vendor patches for Windows Remote Desktop Services.

Boundary protection (prevent)
Restricts network access to vulnerable RDS ports, limiting remote exploitation opportunities.

AC-17 Remote Access, partial match (prevent, detect)
Controls and monitors remote access usage for RDS services, reducing unauthorized exposure and enabling detection of anomalous connections.

References