Critical Remote Code Execution Flaw (CVE‑2025‑39810) Affects Microsoft Windows 11 and Server 2022

Immediate Impact

A remote code execution (RCE) flaw has been assigned CVE‑2025‑39810. An attacker can execute arbitrary code with SYSTEM privileges on vulnerable systems. No user interaction is required. The vulnerability is network‑visible and can be triggered by sending a crafted packet to the affected service.

Affected Products and Versions

Product	Versions Affected
Windows 11	22H2 (Build 22621) and 23H2 (Build 22631)
Windows Server 2022	All releases up to build 20348
Windows Server 2022 Datacenter	Same as above
Windows 10	Not affected (fixed in previous updates)

The flaw resides in the Win32k.sys kernel driver, specifically in the handling of malformed NtGdiCreateCompatibleBitmap calls. The driver fails to validate input lengths, leading to a heap overflow.

Technical Details

1. Vulnerability Type: Heap overflow in kernel‑mode driver (Win32k.sys).
2. Attack Vector: Network‑based. An attacker sends a specially crafted packet to the RDP service listening on TCP 3389. The packet triggers the vulnerable API via the RDP virtual channel.
3. Privilege Escalation: The overflow overwrites adjacent heap structures, allowing the attacker to hijack the execution flow and run shellcode in kernel context.
4. CVSS v3.1 Score: 9.8 (Critical). Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
5. Exploit Complexity: Low. Public proof‑of‑concept code was released on a security forum within 24 hours of disclosure.

Exploit Flow (Simplified)

• Attacker establishes a TCP connection to the target's RDP port.
• Sends a malformed CreateCompatibleBitmap request containing an over‑sized bitmap descriptor.
• Win32k.sys allocates a buffer based on the descriptor size but copies a smaller, attacker‑controlled payload, causing an overflow.
• Overwritten heap metadata redirects execution to attacker‑supplied shellcode.
• Shellcode spawns a SYSTEM‑level process, typically cmd.exe or a reverse shell.

Mitigation Steps

1. Apply Patches Immediately:
   • Install the August 2025 cumulative update (KB5029385) for Windows 11 and Server 2022. The update contains the fix that adds proper length checks in Win32k.sys.
   • Verify installation via wmic qfe list brief /format:table | find "KB5029385".
2. Network Controls:
   • Block inbound traffic to TCP port 3389 from untrusted networks.
   • Deploy an intrusion‑prevention system (IPS) rule that detects the malformed CreateCompatibleBitmap payload. Microsoft provides a signature in the Microsoft Defender ATP rule set.
3. Disable RDP if Not Required:
   • Run Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections -Value 1 to disable RDP.
4. Enable Credential Guard and Device Guard:
   • These mitigations raise the bar for kernel‑level exploits.
5. Monitor Logs:
   • Look for Event ID 4624 with Logon Type 10 (RemoteInteractive) from unexpected sources.
   • Use Windows Event Forwarding to aggregate logs to a SIEM.

Timeline

• June 12 2025 – Vulnerability reported to Microsoft via the MSRC coordinated disclosure program.
• June 19 2025 – Microsoft acknowledges receipt and begins internal analysis.
• July 30 2025 – Public advisory released (CVE‑2025‑39810) with CVSS rating.
• August 12 2025 – Patch Tuesday: security updates KB5029385 (Windows 11) and KB5029386 (Server 2022) released.
• August 15 2025 – Microsoft publishes mitigation guidance on the Security Update Guide.

What to Do Next

• Verify that all Windows 11 and Server 2022 machines are running the August 2025 cumulative update.
• If patching cannot be performed immediately, enforce network segmentation to isolate RDP services.
• Review your organization’s RDP usage policy; consider VPN‑only access.
• Subscribe to the Microsoft Security Response Center (MSRC) RSS feed for future alerts.

Failure to remediate leaves systems exposed to unauthenticated attackers who can gain full control in seconds. Apply the patches now.