High

Remote Code Execution in Microsoft Remote Desktop Client via Relative Path Traversal

IdentifiersCVE-2025-48817CWE-23· Relative Path Traversal

CVE-2025-48817 is a remote code execution vulnerability in Microsoft Remote Desktop Client (including mstsc.exe) caused by improper validation and normalization of relative file paths during RDP session file transfer negotiation. The flaw is described as a relative path traversal issue that can allow attacker-controlled path elements such as directory traversal sequences to escape intended directory restrictions. According to the provided content, exploitation occurs when a victim uses a vulnerable Remote Desktop Client to connect to an attacker-controlled Remote Desktop Server; the content also notes a possible man-in-the-middle scenario on a legitimate RDP connection. Successful exploitation can lead to arbitrary file write conditions and subsequent code execution on the client, including via DLL hijacking. Microsoft associated the issue with remote code execution and also referenced improper access control in addition to relative path traversal.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthorized attacker to achieve remote code execution on the client machine over the network. Based on the provided content, the vulnerability can be used to write files outside intended directories and potentially plant or replace files in locations that enable DLL hijacking or other execution paths. The stated CVSS 3.1 vector indicates high confidentiality, integrity, and availability impact, meaning compromise of the affected client could result in full code execution with attendant data theft, system modification, and service disruption.

Mitigation

If you can’t patch tonight, do this now.

Until patches are fully deployed, reduce exposure by preventing vulnerable Remote Desktop Client systems from connecting to untrusted or attacker-controlled RDP servers. Restrict outbound RDP usage to trusted destinations, use network controls to limit man-in-the-middle opportunities, and avoid administrative users initiating RDP sessions to untrusted hosts. Where operationally feasible, disable or tightly control RDP-related file transfer features and monitor for suspicious outbound RDP connections and anomalous file writes on client systems. These are risk-reduction measures only; the authoritative remediation is patching.

Remediation

Patch, then assume compromise.

Apply Microsoft's official security updates for CVE-2025-48817. The provided content states Microsoft addressed the issue in July 2025 Patch Tuesday updates and identifies KB5062554 for Windows 10, KB5062553 for Windows 11, and KB5062552 for Windows Server 2025. The content further states the fix introduces path normalization and validation routines intended to prevent traversal outside allowed directories during RDP file transfer negotiation. Systems should be updated to builds at or beyond the patched versions referenced in the content.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationRemote Desktopapplication

Microsoft CorporationRemote Desktop Clientapplication

Microsoft CorporationWindows 10 1507operating_system

Microsoft CorporationWindows 10 1607operating_system

Microsoft CorporationWindows 10 1809operating_system

Microsoft CorporationWindows 10 21h2operating_system

Microsoft CorporationWindows 10 22h2operating_system

Microsoft CorporationWindows 11 22h2operating_system

Microsoft CorporationWindows 11 23h2operating_system

Microsoft CorporationWindows 11 24h2operating_system

Microsoft CorporationWindows Appapplication

Microsoft CorporationWindows App Client For Windows Desktopapplication

Microsoft CorporationWindows Server 2008operating_system

Microsoft CorporationWindows Server 2008 R2operating_system

Microsoft CorporationWindows Server 2008 Sp2operating_system

Microsoft CorporationWindows Server 2012operating_system

Microsoft CorporationWindows Server 2012 R2operating_system

Microsoft CorporationWindows Server 2016operating_system

Microsoft CorporationWindows Server 2019operating_system

Microsoft CorporationWindows Server 2022operating_system

Microsoft CorporationWindows Server 2022 23h2operating_system

Microsoft CorporationWindows Server 2025operating_system

Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

zeropath blogNews

Jul 8, 2025

Navigating Danger: CVE-2025-48817 Path Traversal in Windows Remote Desktop Client - ZeroPath Blog | ZeroPath

A path traversal vulnerability in Microsoft's Remote Desktop Client (mstsc.exe) that can enable arbitrary file writes, DLL hijacking, and ultimately remote code execution.

msrc microsoftNews

Jul 8, 2025

CVE-2025-48817 - Security Update Guide - Microsoft - Remote Desktop Client Remote Code Execution Vulnerability

A remote code execution vulnerability in Microsoft Remote Desktop Client caused by relative path traversal and improper access control. Exploitation requires a user to connect with the vulnerable RDP client to an attacker-controlled Remote Desktop Server.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-48817

NVD

nvd.nist.gov/vuln/detail/CVE-2025-48817

MITRE CWE · CWE-23

Relative Path Traversal

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48817