Delays on Windows updates are particularly problematic given the issues that the March updates are set to address:
Critical Vulnerabilities Discovered in Windows Remote Desktop Services
Microsoft’s March 2025 security update has addressed two critical Remote Code Execution (RCE) vulnerabilities in Windows Remote Desktop Services (RDS), identified as CVE-2025-24035 and CVE-2025-24045. Both vulnerabilities have been assigned a CVSSv3 score of 8.1, indicating a high severity level.
CVE-2025-24035: This vulnerability arises from sensitive data being stored in improperly locked memory within RDS. Exploitation could allow an unauthorized attacker to execute arbitrary code over a network, potentially leading to a complete system compromise.
CVE-2025-24045: This flaw involves a race condition within RDS. An attacker who successfully exploits this vulnerability could execute code remotely, compromising system confidentiality, integrity, and availability.
These vulnerabilities impact multiple versions of Windows servers and desktops, making it imperative for organizations to assess their systems and apply necessary patches promptly.
To protect against potential exploitation, Microsoft says that it is crucial to implement best practices for securing RDS, such as enabling Network Level Authentication (NLA), restricting RDP access through firewalls, and utilizing strong authentication and of course to apply the security patches provided by Microsoft in the March 2025 update.
The last recommendation is an issue as there have been enormous problems with the latest Microsoft update.
