IRONSMITHINTEL
CRITICAL · CVSS 8.8
CVE-2025-29967 | Auth: none (unauthorized network attacker) | Reboot: required | Est. 30–60 minutes including reboot | Manual only

Windows Remote Desktop Gateway Service Heap Overflow — Network RCE (CVE-2025-29967)

A heap-based buffer overflow in the Remote Desktop Gateway service (the RD Gateway role exposed at the network edge for tunnelling RDP over HTTPS) allows an unauthorized attacker to execute code over the network. CVSS 8.8. Patched in the May 13 2025 cumulative.

Published May 13, 2025 · Updated May 15, 2026
Why patch: risk explained in plain English
Worst-case scenario (if unpatched)

An unauthenticated attacker who can reach the RD Gateway TLS endpoint (typically internet-facing, by design) can execute code on the Gateway server. Because RD Gateway is deliberately placed in front of the internal RDS environment, successful exploitation gives the attacker a foothold inside the Remote Desktop infrastructure — a high-value position for pivoting to user sessions and connected back-end servers.

How the attack works

CVE-2025-29967 is a heap-based buffer overflow in the Remote Desktop Gateway Service — the Windows Server role that proxies RDP sessions over HTTPS so remote users can connect to internal RDS hosts without a VPN. The service parses HTTP/RPC-over-HTTPS framing data from clients, and a crafted request can overflow a heap buffer leading to code execution in the service context.

Am I affected? Quick check

Probably yes if any of these apply:

Remote Desktop Gateway server administrators
Network Security Team
Anyone responsible for the RD Gateway TLS endpoint
Running any supported Windows Server version with the RD Gateway role installed, prior to the May 13, 2025 cumulative update

Affected OS versions

Windows Server 2025
Windows Server 2022
Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
Windows Server 2008 R2
Fixed in (per OS): KB5058411 (Server 2025) / KB5058385 (Server 2022) / KB5058392 (Server 2019) / older Server updates of May 13, 2025
Real-world incidents: what we've seen

Microsoft did not flag CVE-2025-29967 as exploited in the wild at release, but the prerequisites for mass exploitation are present: an internet-facing service, no authentication required, a network attack vector, and CVSS 8.8. RD Gateway hosts have been targeted in prior years (BlueGate / CVE-2020-0609 in 2020), so patch this on the same day as any other internet-edge fix.

How to patch

Manual remediation steps

30–60 minutes including reboot

Identify RD Gateway Servers

# On any Windows Server, check whether the RD Gateway role is installed
Get-WindowsFeature -Name RDS-Gateway | Where-Object Installed

# And whether the service is running
Get-Service -Name TSGateway

Apply the Fix

Install the May 2025 Patch Tuesday cumulative for the host's Windows Server OS. The fix ships in the OS rollup, not as a standalone RD Gateway component.

USoClient.exe ScanInstallWait
# Or manual install of KB5058385 / KB5058392 / KB5058411
shutdown.exe /r /t 600 /c "May 2025 security update — reboot in 10 minutes"

Compensating Controls (until patched)

1. If the RD Gateway is behind a TLS-terminating reverse proxy or WAF, consider scoping access to the RDG TLS endpoint to known source IPs (RDG should be reachable from the internet by design; this is an emergency narrowing).
2. Increase logging on the RD Gateway: enable the Microsoft-Windows-TerminalServices-Gateway operational and analytic event logs and ship them to the SIEM for anomaly detection.

Verify

Get-HotFix | Where-Object { $_.HotFixID -in @("KB5058411","KB5058385","KB5058392") } |
    Select-Object HotFixID, InstalledOn

Get-Service -Name TSGateway
# Service should restart cleanly after reboot.
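Combining the Identify and Verify steps above into one per-host status check, as an added example that is not Ironsmith Intel's own script: it maps the host's OS build to the KB listed in this advisory and reports Patched, VULNERABLE, or not applicable. Assumed: it runs locally on the Windows Server being checked with the ServerManager module available, and the build-to-KB map covers only the three KBs named above, so older Server versions return Unknown rather than a guess.

```powershell
# Added example, not the advisory's own script. Assumes it runs on the Windows Server
# being checked, with the ServerManager module (Get-WindowsFeature) available.
function Get-RdGatewayPatchStatus {
    [CmdletBinding()]
    param()

    # OS build -> May 13, 2025 cumulative KB, per the advisory above. Older Server
    # versions are not mapped here because the advisory gives no specific KB for them.
    $kbByBuild = @{
        26100 = 'KB5058411'   # Windows Server 2025
        20348 = 'KB5058385'   # Windows Server 2022
        17763 = 'KB5058392'   # Windows Server 2019
    }

    $role    = Get-WindowsFeature -Name RDS-Gateway -ErrorAction SilentlyContinue
    $service = Get-Service -Name TSGateway -ErrorAction SilentlyContinue
    $build   = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $kb      = $kbByBuild[$build]

    # Only look for the KB when this build has one mapped.
    $hotfix = $null
    if ($kb) { $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue }

    $roleInstalled = [bool]($role -and $role.Installed)

    if (-not $roleInstalled) { $status = 'NotApplicable-RoleAbsent' }
    elseif (-not $kb)        { $status = 'Unknown-NoKBMappedForBuild' }
    elseif ($hotfix)         { $status = 'Patched' }
    else                     { $status = 'VULNERABLE' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        BuildNumber   = $build
        RoleInstalled = $roleInstalled
        ServiceState  = if ($service) { $service.Status.ToString() } else { 'Absent' }
        ExpectedKB    = if ($kb) { $kb } else { 'n/a' }
        KBInstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        Status        = $status
    }
}

# Run locally; wrap in Invoke-Command -ComputerName <gateway list> to fan out.
Get-RdGatewayPatchStatus | Format-List
```

Get-HotFix matches on KB id, so a host that has since taken a later cumulative may no longer list the May KB; in that case compare the full OS build (including the UBR) against the fixed build given in the update's release notes instead.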
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.