CVE-2025-24035 - Sensitive Data Leak and Remote Code Execution in Windows Remote Desktop Services

*Published: June 2024 | By: SecureBytes Team*

Overview

In June 2024, Microsoft quietly patched a critical new vulnerability in Windows Remote Desktop Services, tracked as CVE-2025-24035. This flaw allows attackers to exploit poorly locked memory to steal sensitive data—including session credentials—and even execute arbitrary code over a network. This post breaks down the risk, shows a code example, explains potential attacks, and offers tips to protect your systems.

What Is CVE-2025-24035?

At its core, CVE-2025-24035 is a vulnerability in the way certain versions of Windows Remote Desktop Services (RDS), formerly known as Terminal Services, handle sensitive data. When a user signs into an RDS session, Windows stores their session secrets (such as Kerberos tickets, NTLM hashes, and access tokens) in system memory.

The problem: Windows does not always properly lock down memory pages holding this data. It should use special Windows APIs like VirtualLock() or at least wipe memory before freeing it. Due to faulty implementation, sensitive information is being stored in pageable memory that could be swapped out to disk or accessed by unauthorized processes.

Impact:
- An attacker with network access can exploit this mishandling to extract login credentials or session cookies from memory.
- Even worse, crafty attackers can trigger heap corruption and escalate this to run their own code _remotely_ on the affected server.

Windows Server 2019, 2022 (all editions, pre-June 2024)

- Windows 10/11 with RDS roles installed

Technical Details

The vulnerable code is found in how the RDP session process (svchost.exe hosting TermService) handles session state. A code block similar to this (simplified for clarity):

// Flawed handling of sensitive data in session setup
BYTE sessionSecret[256];
DWORD secretLen = GetSessionSecret(session, sessionSecret);

// Memory is NOT locked nor wiped
// Attacker can trigger context switch here and dump from RAM
useSessionSecret(sessionSecret, secretLen);

// Forgetting to erase memory after use
free(sessionSecret);

Wipe it with SecureZeroMemory() after it’s used

Any user (even over the network) who can open a session or trigger RDP processing routines can access this memory, scraping for credentials or planting malicious data.

Stage 1 – Credential Dumping

A remote attacker connects to the server using known session replay methods. After authentication but before full login, he sends crafted RDP packets, causing the system to leak uninitialized sensitive memory back in the RDP protocol stream (in responses meant for clipboard sync or channel setup).

Proof of Concept (Python Snippet)

*(This does not grant access, but demonstrates info leak pattern)*

import socket

# Connect to RDP port (TCP 3389)
s = socket.socket()
s.connect(("target-rds-server", 3389))

# Send minimal RDP handshake
s.send(b"\x03\x00\x00\x13\xe\xe\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00\x00")

# Listen for response (could contain leaked data)
response = s.recv(4096)
print("Leaked data:", response.hex())

With iterative querying, attackers can extract blocks of memory, scanning for tokens, password hashes, or secrets.

Stage 2 – Remote Code Execution

By reversing the heap management logic, an attacker can fuzz RDP "virtual channels" with malformed size fields, causing use-after-free or buffer overflows. If successful, this corrupts the function pointer used by the RDS service, redirecting execution to malicious code supplied in the RDP stream.

References

- Microsoft Official Advisory CVE-2025-24035
- RDP Protocol Reference
- VirtualLock API Documentation
- SecureZeroMemory Function

How To Stay Safe

1. Patch immediately – Apply Microsoft’s June 2024 updates across all RDS hosts, gateways, and session brokers.

Final Thoughts

CVE-2025-24035 highlights how memory handling bugs still haunt even mature services like Windows RDS. Attackers can steal credentials and possibly compromise servers with little more than network access. Security teams should stay vigilant, patch quickly, and adopt memory security best practices. For defenders and pen-testers alike, this case is an important reminder: *memory safety is everyone's concern*.


*Exclusive content by SecureBytes Team – for more technical breakdowns, subscribe to our mailing list!*

Timeline

Published on: 03/11/2025 17:16:25 UTC
Last modified on: 04/29/2025 22:06:16 UTC