Patrick Pilotte
A serious vulnerability has been found in Microsoft Remote Desktop Client. The vulnerability, which is designated as CVE-2025-48817, affects multiple versions of Windows and poses significant security risks for organizations that rely on Remote Desktop Protocol (RDP) connections.
Below we summarize the details that are currently available, including information on patches that were released by Microsoft on July 8.
About the vulnerability
CVE-2025-48817 is a relative path traversal vulnerability, which combines with unauthorized access control mechanisms within Microsoft’s Remote Desktop Client infrastructure.
When victims connect to a compromised server using vulnerable Remote Desktop Client software, attackers could escape folder boundaries and carry out arbitrary remote code execution (RCE).
This vulnerability does not require privileges for exploitation. However, it is still necessary for privileged users to interact with an attacker-controlled RDP endpoint.
According to Microsoft, there are no reports of this vulnerability being exploited in the wild, and there has been no discourse about it on security software vendor blogs, forums, social media, etc. This suggests — but certainly does not guarantee — that threat actors were unaware of the vulnerability prior to the public disclosure by Microsoft on July 8. If so, this gives affected organizations a small window to eliminate the flaw before threat actors take notice and start launching attacks.
CVSS & severity rating
CVE-2025-48817 has been assigned a CVSS score of 8.8, which classifies its severity as “high” (note that the 8.8 score is just 0.2 shy of the most serious “critical” classification). High severity vulnerabilities are deemed to pose a critical risk to systems and data, and require immediate attention and mitigation.
Impacted Products
The following Microsoft products are impacted by this vulnerability:
- Windows Server 2008/2008 R2/2012/2012 R2
- Windows Server 2016/2019/2022/2025
- Windows 10 (all versions from 1607 to 22H2)
- Windows 11 (22H2, 23H2, 24H2)
- Remote Desktop Client for Windows Desktop
- Windows App Client for Windows Desktop
Attack path
An attack that exploits CVE-2025-48817 unfolds per the following stages:
Stage 1: Establish a malicious RDP Server. This can be accomplished in multiple ways, such as using open-source RDP implementations, commercial tools, or hijacking legitimate infrastructure.
Stage 2: User interaction. This involves luring an administrative user (or privileged endpoint) into initiating an RDP connection to the malicious server. This could be done through phishing, social engineering, or various lateral movement tactics.
Stage 3: Exploit the vulnerability. As the victim connects, the server presents resources or mapped drives containing specially crafted paths. The vulnerable client does not scrutinize and ultimately reject these inputs, processes file operations outside the designated scope.
Stage 4: Remote code execution. The attacker’s payload is executed on the local system. This could further lead to installing ransomware or malware, or establishing backdoor access.
Patches
On July 8, Microsoft released comprehensive security patches addressing CVE-2025-48817 across its entire Windows ecosystem. All updates are available in the Microsoft Security Response Center.
Affected organizations are urged to prioritize the application of two new security updates, KB5062553 and KB5062552, along with patches that correspond to their specific Windows versions.
Insight & advice from our Operations Security Specialist Patrick Pilotte:
The recently disclosed vulnerability CVE-2025-48817 in Microsoft’s Remote Desktop Client is a stark reminder of the inherent security risks tied to RDP usage in Windows environments. This high-severity flaw impacts a wide range of systems — from Windows Server 2008 to Windows 11 — and allows unauthenticated RCE when a user connects to a malicious RDP server.
Although Microsoft released patches on July 8, and there’s no known exploitation in the wild (yet), the attack path is disturbingly simple: trick a privileged user into initiating a remote desktop connection to a rogue server. This could happen through phishing, social engineering, or lateral movement techniques. Once the connection is established, the malicious server can exploit relative path traversal vulnerabilities to escape folder boundaries and execute arbitrary code on the client machine — no elevation of privilege required.
Mitigation Strategies & how Devolutions helps
At Devolutions, we believe in proactive, layered security that doesn’t burden teams with complexity. Here are some of the ways that we help organizations reduce their exposure to vulnerabilities like CVE-2025-48817:
Enforce least privilege with Devolutions PAM: Implement just-in-time access, limit session duration, and define who gets RDP access — and when. All privileged sessions are logged and can be audited.
Centralize RDP auditing and get full visibility into all remote sessions with Remote Desktop Manager: Track each connection attempt, and block/isolate/review access based on role/source/destination.
Establish zero trust and network segmentation: Our solutions support zero trust architecture by validating each session before it starts. Used alongside network segmentation, the solutions also prevent unauthorized lateral movement, and block connections to untrusted RDP endpoints.
Avoid direct use of vulnerable clients: Eliminate the need for users to connect directly using vulnerable Microsoft RDP clients by routing secure remote sessions through Devolutions Gateway, jump hosts, or Remote Desktop Manager proxies. This closes a critical threat surface gap.
Train end users: Phishing and social engineering attacks are becoming much more realistic with the emergence of AI, and end users need to be part of the cybersecurity solution — or else they can unwittingly be part of the problem. Leaders are warned not to assume that their workforce is trained and aware. Human error is a factor in 68% of data breaches, and organizations that conduct phishing simulations see a 70% reduction in end user susceptibility to phishing attacks over a six-month period.
Final Thoughts
CVE-2025-48817 isn’t the first RDP-related vulnerability — and, unfortunately, it certainly won’t be the last. But it does offer a valuable opportunity to reassess remote access controls. With Devolutions solutions in place, organizations can reduce their attack surface, monitor privileged activity, and enforce strong access governance — before threat actors take advantage of a newly-discovered flaw.
