
Microsoft Issues Critical Security Update for CVE-2025-66413 Vulnerability

Vulnerabilities Reporter

Microsoft releases emergency security patch for CVE-2025-66413, a critical vulnerability affecting Windows systems with a CVSS score of 9.8.

Microsoft has released a critical security update to address CVE-2025-66413, a severe vulnerability affecting Windows operating systems. The vulnerability, which carries a CVSS score of 9.8 out of 10, allows remote code execution without authentication, making it a high-priority threat for organizations and individual users.

The vulnerability exists in the Windows Remote Desktop Services component and could allow an unauthenticated attacker to execute arbitrary code on affected systems. Microsoft rates this as a "Critical" severity issue, the highest rating in their security classification system.

Affected Products and Versions

The security update applies to the following Windows versions:

  • Windows 10 (all supported versions)
  • Windows 11
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025

Technical Details

CVE-2025-66413 is a remote code execution vulnerability that occurs when Windows Remote Desktop Services improperly handles specially crafted requests. An attacker could exploit this vulnerability by sending a sequence of malformed packets to a targeted system, potentially gaining complete control over the affected machine.

The vulnerability affects the Remote Desktop Protocol (RDP) service, which is enabled by default on Windows Server installations and can be enabled on Windows client systems. This makes the attack surface particularly broad, as many enterprise environments rely on RDP for remote administration.

Mitigation and Patching

Microsoft strongly recommends immediate installation of the security update through Windows Update. The patches are available via:

  • Windows Update (recommended method)
  • Microsoft Update Catalog
  • WSUS (Windows Server Update Services) for enterprise environments

For organizations unable to apply the patch immediately, Microsoft suggests temporarily disabling RDP where it is not required, or requiring Network Level Authentication (NLA) as an additional layer of protection until the update is installed.
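The following PowerShell script is an added example, not code from the article or from Microsoft, that audits a single Windows host for the interim mitigations described above (RDP disabled, NLA required) and for the presence of the update. The KB identifier is a placeholder, since the article does not give one; the registry locations and cmdlets are standard Windows ones.

```powershell
# Added example (not from the original article): audit one Windows host for the
# advisory's interim mitigations and for the update itself. Run in an elevated
# PowerShell session on the host being checked.
param(
    # PLACEHOLDER: the article gives no KB number; take the real one from the Microsoft advisory.
    [string]$PatchKb = 'KB0000000'
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means the host refuses Remote Desktop connections (RDP effectively off).
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpDisabled = ($deny -eq 1)

# UserAuthentication = 1 means Network Level Authentication is required before a session is created.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# RDP may listen on a non-default port; read it from the same key, falling back to 3389.
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }
$listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)

# Get-HotFix enumerates installed updates; a hit on the KB means the fix is present.
$patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    RdpDisabled     = $rdpDisabled
    NlaRequired     = $nlaRequired
    RdpPort         = $port
    ListeningOnPort = $listening
    PatchInstalled  = $patched
} | Format-List

# Summarise the host's standing against the advisory's guidance.
if ($patched) {
    Write-Host 'OK: security update installed.'
} elseif ($rdpDisabled -and -not $listening) {
    Write-Host 'Interim mitigation in place (RDP disabled); still install the update.'
} elseif ($nlaRequired) {
    Write-Warning 'Unpatched: NLA is required, which only adds a layer; install the update as soon as possible.'
} else {
    Write-Warning 'EXPOSED: unpatched, RDP enabled and NLA not required.'
}
```

Run it through your management tooling (for example with Invoke-Command against a list of hosts) to turn the advisory's "verify successful patch deployment" advice into a per-host report.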

Timeline and Response

The vulnerability was reported to Microsoft through their coordinated vulnerability disclosure program on January 15, 2025. Microsoft developed a fix within 14 days and released the security update on January 28, 2025, following their standard monthly patch cycle.

Additional Resources

Users can find more information about this vulnerability and the security update through:

Microsoft continues to monitor for any active exploitation attempts and advises all users to verify successful patch deployment across their environments.
