
Threat advisory: multiple critical remote code execution vulnerabilities affecting Microsoft Windows platforms

Written by The Integrity360 Team | 14 May 2025 16:05:35 Z

Advisory ID: ADV-2025-ALL-05
Date issued: 14 May 2025
Severity: Critical (CVE-2025-29966), High (CVE-2025-30397)
CVSS scores:

  • CVE-2025-29966: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  • CVE-2025-30397: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Patch availability: Yes – released as part of Microsoft’s May 2025 Patch Tuesday

CVE-2025-29966 – Remote Desktop Client remote code execution vulnerability

CVE-2025-29966 affects the Remote Desktop Protocol (RDP) client, allowing an attacker who controls an RDP server to execute arbitrary code on a client system that connects to it. RDP is a common vector in both targeted and widespread cyberattacks, making this a high-risk flaw in enterprise environments.

Affected platforms

  • Windows 10 (all supported editions)
  • Windows 11 (all supported editions)
  • Windows Server 2016, 2019, 2022
  • Windows Server 2008 R2, 2012, 2012 R2 (when RDP client is used)

Technical details

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: Required (user must connect to a malicious RDP server)
  • Scope: Unchanged
  • Impact: Remote code execution

The flaw resides in improper memory management within mstsc.exe and the RDP client-side protocol stack. When a specially crafted response is received from a malicious RDP server, it may trigger a heap overflow, enabling arbitrary code execution.

Mitigation and recommendations

  • Apply Patches Immediately: Install Microsoft’s May 2025 security updates.
  • Restrict RDP Client Use: Limit use to verified and trusted RDP servers only.
  • Enable Network Level Authentication (NLA): Adds an authentication step before full RDP session establishment.
  • Educate Users: Ensure users understand the risks of connecting to unfamiliar RDP servers.
  • Monitor Network Traffic: Use IDS/IPS solutions to flag outbound RDP sessions to unknown hosts.
  • Review Logs and EDR Alerts: Focus on anomalies in mstsc.exe behaviour or suspicious RDP usage.
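The following is an added example, not code from Integrity360 or Microsoft, showing how the mitigation list above can be checked on a single Windows host with PowerShell: it reports the mstsc.exe file version for comparison with the May 2025 update, enforces Network Level Authentication on the local listener, and lists outbound RDP connection attempts to servers outside a trusted allowlist. The allowlist hostnames are constructed, and the reliance on event ID 1024 of the RDP client operational log carrying the target server name in its first event-data field is an assumption about that log's layout.

```powershell
<#
  Added example (not Integrity360's or Microsoft's code): audit the RDP client
  mitigations from the advisory on one Windows host. Assumed inputs are marked.
  Run elevated; use -Remediate to enforce NLA instead of only reporting.
#>
param([switch]$Remediate)

# Constructed allowlist of RDP servers users are permitted to connect to (assumption).
$TrustedRdpServers = @('jump01.corp.example', 'jump02.corp.example')

# 1. Patch state: report the RDP client binary version so it can be compared with the
#    fixed version published with Microsoft's May 2025 update (not reproduced here).
$mstsc = Get-Item "$env:SystemRoot\System32\mstsc.exe"
Write-Host ("mstsc.exe version: {0}" -f $mstsc.VersionInfo.FileVersion)

# 2. Network Level Authentication on the local RDP listener.
#    UserAuthentication = 1 requires NLA before a full session is established.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) {
    Write-Warning "NLA not enforced (UserAuthentication=$nla)"
    if ($Remediate) { Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord }
} else {
    Write-Host 'NLA enforced'
}

# 3. Outbound RDP sessions to unknown hosts, read from the RDP client operational log.
#    Event ID 1024 is written by mstsc.exe for each connection attempt; the target
#    server name is taken from its first event-data field (assumed field order).
$filter = @{
    LogName   = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'
    Id        = 1024
    StartTime = (Get-Date).AddDays(-7)
}
$attempts = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$unknown = foreach ($e in $attempts) {
    # Strip an optional ":port" suffix and normalise case before the allowlist check.
    $server = ([string]$e.Properties[0].Value -split ':')[0].ToLowerInvariant()
    if ($TrustedRdpServers -notcontains $server) {
        [pscustomobject]@{ Time = $e.TimeCreated; Server = $server }
    }
}

if ($unknown) {
    Write-Warning ("{0} outbound RDP attempt(s) to servers outside the allowlist" -f @($unknown).Count)
    $unknown | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host 'No outbound RDP attempts to unknown servers in the last 7 days'
}
```

Run it as `.\Audit-RdpClient.ps1` to report only, or with `-Remediate` to set the NLA value; the connection history is the part worth feeding into central log collection, since an attacker-controlled server only needs one user to connect to it.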

CVE-2025-30397 – Microsoft Scripting Engine remote code execution vulnerability

CVE-2025-30397 affects Internet Explorer Mode in Microsoft Edge and requires user interaction (e.g., clicking a crafted link), but successful exploitation enables unauthenticated remote attackers to achieve RCE. Despite IE being deprecated, many environments still rely on IE Mode, leaving them vulnerable.

Affected platforms

  • Windows 10 (multiple editions)
  • Windows 11
  • Windows Server 2008 R2 SP1 (Server Core installation)
  • Windows Server 2012, 2012 R2
  • Windows Server 2016, 2019, 2022

Technical details

  • Attack vector: Network
  • Attack complexity: High (IE Mode must be enabled)
  • Privileges required: None
  • User interaction: Required (clicking a crafted URL)
  • Impact: Remote code execution

Even though IE11 is deprecated, MSHTML, EdgeHTML, and related scripting components remain active through IE Mode in Edge and legacy app controls. The vulnerability stems from improper handling of script execution, allowing attackers to craft web content that leads to remote code execution when viewed.

Why IE cumulative updates are necessary

Security Only updates do not address vulnerabilities in scripting components used by IE Mode or WebBrowser controls. Organisations running older server versions must install Internet Explorer Cumulative Updates to fully mitigate the issue on:

  • Windows Server 2008 and 2008 R2
  • Windows Server 2012 and 2012 R2

Mitigation and recommendations

  • Install All Relevant Updates: Ensure that cumulative and IE-specific updates are deployed.
  • Audit IE Mode Usage: Disable IE Mode in Edge where not strictly needed.
  • User Awareness: Reinforce safe browsing practices, particularly avoiding unsolicited links.
  • Monitor Logs: Focus on network activity involving MSHTML/EdgeHTML and abnormal URL access patterns.
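The following is an added example, not code from Integrity360 or Microsoft, showing how the "Audit IE Mode Usage" and "Install All Relevant Updates" items above can be checked on one host with PowerShell. It reads the Microsoft Edge IE Mode policies (InternetExplorerIntegrationLevel and InternetExplorerIntegrationSiteList, which are Microsoft's policy names), reports the versions of the legacy mshtml.dll and jscript9.dll components for comparison with the May 2025 IE cumulative update, and treats an enabled IE Mode with no site list as an undocumented dependency that can be disabled; that last decision rule is this example's own assumption, not the advisory's.

```powershell
<#
  Added example (not Integrity360's or Microsoft's code): audit Internet Explorer
  Mode exposure in Microsoft Edge and the legacy scripting components it relies on.
  Run elevated; -Remediate disables IE Mode when no site list is configured.
#>
param([switch]$Remediate)

# Edge policy registry location and the two IE Mode policies (Microsoft policy names).
# InternetExplorerIntegrationLevel: 0 = None, 1 = IEMode.
$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$policy   = Get-ItemProperty -Path $edgePolicy -ErrorAction SilentlyContinue
$level    = $policy.InternetExplorerIntegrationLevel
$siteList = $policy.InternetExplorerIntegrationSiteList

# 1. Report the legacy engine binaries that IE Mode and WebBrowser controls load;
#    compare with the versions shipped in the May 2025 IE cumulative update
#    (not reproduced here).
foreach ($dll in 'mshtml.dll', 'jscript9.dll') {
    $path = Join-Path $env:SystemRoot "System32\$dll"
    $ver  = if (Test-Path $path) { (Get-Item $path).VersionInfo.FileVersion } else { 'not present' }
    Write-Host ("{0}: {1}" -f $dll, $ver)
}

# 2. Decide whether IE Mode is justified on this host.
#    Heuristic (this example's assumption): IE Mode without an Enterprise Mode site
#    list has no documented dependency and can be turned off.
if ($null -eq $level -or $level -eq 0) {
    Write-Host 'IE Mode is not enabled by policy'
} elseif ($level -eq 1 -and [string]::IsNullOrWhiteSpace($siteList)) {
    Write-Warning 'IE Mode is enabled with no site list: no documented dependency'
    if ($Remediate) {
        if (-not (Test-Path $edgePolicy)) { New-Item -Path $edgePolicy -Force | Out-Null }
        Set-ItemProperty -Path $edgePolicy -Name InternetExplorerIntegrationLevel -Value 0 -Type DWord
        Write-Host 'IE Mode disabled (InternetExplorerIntegrationLevel=0)'
    }
} elseif ($level -eq 1) {
    Write-Host "IE Mode enabled for site list: $siteList (review each entry; keep only required sites)"
} else {
    Write-Warning "Unrecognised InternetExplorerIntegrationLevel value: $level"
}
```

Where IE Mode is required, the site list is the control to tighten: every entry in it is a URL that will be rendered by the legacy engine, so the list should be as short as the remaining line-of-business applications allow.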

Summary and Integrity360 recommendation

Both CVE-2025-29966 and CVE-2025-30397 represent serious threats to organisations relying on Windows infrastructure, particularly where legacy or embedded components are in use. The Remote Desktop Client vulnerability (CVE-2025-29966) carries a critical rating due to its low complexity and high impact, while the scripting engine vulnerability (CVE-2025-30397) remains a high threat, especially in environments using IE mode or older server editions.

Integrity360 strongly advises immediate patching across all affected systems, reduction of RDP exposure, auditing of Internet Explorer dependencies, and ongoing user education to minimise attack surface and risk.

If you are worried about any of the threats outlined in this bulletin, or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or get in touch with Integrity360 to find out how you can protect your organisation.