IRONSMITHINTEL
CRITICALCVSS8.8
|CVE-2025-29966|Auth: none on the attacker side; victim must connect|Reboot: required|Est. 30–60 minutes including reboot|Manual only

Windows Remote Desktop Client Heap Overflow — Network RCE (CVE-2025-29966)

A heap-based buffer overflow in the Windows Remote Desktop client allows an attacker who controls an RDP server to execute code on any Windows host that connects out to it. CVSS 8.8 — requires the victim to initiate an RDP session to the attacker. Patched in the May 13 2025 cumulative.

Published May 13, 2025 · Updated May 15, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

An attacker who controls an RDP server (or who can man-in-the-middle an RDP connection) can execute code on the connecting host. Realistic attack paths include malicious .rdp shortcuts dropped on a file share, phishing emails with .rdp attachments, and lateral-movement scenarios where a previously-compromised jump box hosts a tampered RDP listener.

How the attack works

CVE-2025-29966 is a heap-based buffer overflow in how the Windows Remote Desktop client parses server-sent data during an RDP session. A malicious RDP server can send crafted protocol responses that overflow a client-side heap buffer, leading to code execution in the client process on the host that initiated the outbound RDP connection.

Am I affected?Quick check

Probably yes if any of these apply:

All Windows Server hosts that initiate outbound RDP
Admin workstations
Jump boxes
Automation hosts that script RDP
Running All supported Windows versions prior to the May 13 2025 cumulative update (per NVD: Windows Server 2008 R2 through Server 2025 inclusive, plus client SKUs)

Affected OS versions

Windows Server 2025Windows Server 2022Windows Server 2019Windows Server 2016Windows Server 2012 R2Windows Server 2008 R2Windows 11Windows 10
Fixed inPer OS: KB5058411 (Server 2025) / KB5058385 (Server 2022) / KB5058392 (Server 2019) / Windows client updates of May 13 2025
Real-world incidentsWhat we've seen

Microsoft did not flag CVE-2025-29966 as exploited in the wild at the May 13 2025 release. However, NVD assigns CVSS 8.8 and Microsoft rated this as critical-severity precisely because the network-attack-vector + no-attacker-auth + low-complexity combination matches historical CVEs that were weaponised within weeks of disclosure (the 2024 CVE-2024-21320 RDP client RCE is the precedent).

How to patch

Manual remediation steps

30–60 minutes including reboot

Identify Affected Hosts

All Windows hosts that can initiate outbound RDP — i.e. anywhere mstsc.exe might run — are affected until patched.

Get-ComputerInfo | Select-Object WindowsVersion, OsBuildNumber

Apply the Fix

Install the May 2025 Patch Tuesday cumulative update.

USoClient.exe ScanInstallWait
# Or manual install (per OS):
wusa.exe <kb-msu-file> /quiet /norestart
shutdown.exe /r /t 600 /c "May 2025 security update — reboot in 10 minutes"

Compensating Controls (until patched)

    1
    Block .rdp file attachments at the mail gateway.
    1
    Use Group Policy to disable opening .rdp files from Internet-zone locations: 
    User Configuration > Administrative Templates > Windows Components >
Remote Desktop Services > Remote Desktop Connection Client >
"Do not allow passwords to be saved" (and similar hardening).
    1
    For high-value admin workstations, restrict outbound RDP to a managed allowlist of known RDS hosts via Windows Firewall outbound rules.

Verify

Get-ComputerInfo | Select-Object OsBuildNumber
# Must be at or above the May 13 2025 build for the SKU
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2025-29966MSRC AdvisoryNVD