RDLS Heap-Based Buffer Overflow — Pre-Auth Remote Code Execution on RD Licensing Servers (CVE-2024-38077)
A heap-based buffer overflow in the Windows Remote Desktop Licensing Service allows an unauthenticated network attacker to execute arbitrary code by sending a single crafted licensing protocol message. Apply the July 2024 cumulative update on every server running the RD Licensing role.
An unauthenticated network attacker who can reach the RD Licensing service can execute arbitrary code in the context of the service account. From there, lateral movement to the broader RDS deployment is trivial: the same server typically holds licensing data for every Remote Desktop Session Host in the environment, and the host is normally trusted by other domain members. Reachable RD Licensing servers exposed to untrusted networks are at immediate risk.
The Windows Remote Desktop Licensing Service processes incoming licensing protocol messages without correctly bounding a heap allocation, allowing a malformed message to overflow the heap. The service runs as NETWORK SERVICE and listens on the RPC endpoint mapper plus a dynamic port, which is reachable on any server with the RD Licensing role installed. Affected: Windows Server 2008 SP2 through Windows Server 2022 23H2, including all builds prior to the July 2024 Patch Tuesday.
Probably yes if any of these apply:
Affected OS versions
Researchers at Cyber KunLun published a technical write-up and PoC for CVE-2024-38077 under the name "MadLicense" in late July 2024, shortly after Microsoft's patch. The PoC reliably crashes the service and is widely cited as a stepping stone toward full RCE; security teams observed scanning for exposed RD Licensing endpoints within days. Many organisations expose the RD Licensing role to wider networks than they realise because it is co-installed with RD Gateway or RD Web Access on the same host.
Manual remediation steps
⏱ 45–90 minutes including reboot
Check if the RD Licensing role is installed
Get-WindowsFeature -Name RDS-Licensing
# Installed = role is present; this server is in scope
Workaround until patched — uninstall RDL if not in active use
# Many environments still have the role installed from a long-retired RDS farm.
# If no Session Host references this server as its license server, uninstall it:
Uninstall-WindowsFeature -Name RDS-Licensing -Remove -Restart
Restrict network exposure
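# Block inbound TCP traffic to the RD Licensing service from anything except
# the trusted RDS Session Host subnet. Block rules take precedence over allow
# rules, so -RemoteAddress must list the ranges OUTSIDE the trusted subnet.
# The values below assume a trusted subnet of 10.20.30.0/24 (example only;
# substitute the complement of your own subnet):
New-NetFirewallRule -DisplayName "Block RDL except trusted RDS subnet" `
  -Direction Inbound -Action Block -Protocol TCP `
  -Service "TermServLicensing" `
  -RemoteAddress "0.0.0.0-10.20.29.255","10.20.31.0-255.255.255.255"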
Apply the July 2024 cumulative update
CVE-2024-38077 to find the current superseding cumulative for your OS, OR search by month: 2024-07 Cumulative Update for Windows Server <version>
Verify
# Confirm the OS build number and update revision (UBR) are at or above the July 2024 patch level for your OS:
[System.Environment]::OSVersion.Version
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").UBR
# Server 2022 fixed in build 10.0.20348.2582 or later
# Server 2019 fixed in build 10.0.17763.6054 or later
# Server 2016 fixed in build 10.0.14393.7159 or later
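The role check and build check above, combined into one triage function. This is an added example, not a script from the original page: the function names are hypothetical, the fixed builds are the three listed above, and any other build is reported as Unknown rather than guessed.

```powershell
# Added example: triage the local server for CVE-2024-38077.
# Build number -> minimum patched UBR, copied from the list above
# (Server 2022, 2019 and 2016 only).
$FixedUbr = @{ 20348 = 2582; 17763 = 6054; 14393 = 7159 }

function Test-RdlPatchLevel {
    param(
        [Parameter(Mandatory)][int]$Build,  # OS build, e.g. 20348
        [Parameter(Mandatory)][int]$Ubr     # Update Build Revision from the registry
    )
    # Builds not in the table (older or newer OS) cannot be judged from this page.
    if (-not $FixedUbr.ContainsKey($Build)) { return 'Unknown' }
    if ($Ubr -ge $FixedUbr[$Build]) { return 'Patched' }
    return 'Vulnerable'
}

function Get-RdlExposure {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Role state (same check as the first step above).
    $role = Get-WindowsFeature -Name RDS-Licensing
    # Service state: the role can be installed while the service is stopped.
    $svc  = Get-Service -Name TermServLicensing -ErrorAction SilentlyContinue

    $patch = Test-RdlPatchLevel -Build $build -Ubr $ubr
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSBuild       = "10.0.$build.$ubr"
        RoleInstalled = [bool]$role.Installed
        ServiceStatus = if ($svc) { [string]$svc.Status } else { 'NotPresent' }
        PatchLevel    = $patch
        # Needs action when the role is present and the build is not confirmed patched.
        NeedsAction   = ([bool]$role.Installed -and $patch -ne 'Patched')
    }
}

# Run on the server itself from an elevated PowerShell session:
Get-RdlExposure | Format-List
```

A result of Unknown means the build is not one of the three listed here; look up the fixed build for that OS version before treating the server as patched.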