Navigating Danger: CVE-2025-48817 Path Traversal in Windows Remote Desktop Client

An in-depth analysis of CVE-2025-48817, a critical path traversal vulnerability in Microsoft's Remote Desktop Client, enabling remote code execution.

ZeroPath Security Research

2025-07-08

Introduction

Remote Desktop Protocol (RDP) vulnerabilities have historically been a favored entry point for threat actors, and CVE-2025-48817 continues this troubling trend. This critical flaw in Microsoft's Remote Desktop Client allows attackers to execute arbitrary code remotely, potentially compromising entire enterprise networks. With a CVSS score of 8.8, immediate attention and remediation are paramount.

Technical Information

CVE-2025-48817 affects the Remote Desktop Client (mstsc.exe) in Microsoft Windows. Specifically, the client improperly validates relative file paths supplied to it during the file transfer negotiation phase of an RDP session. The malicious input comes from the server side of the connection: an attacker either operates a malicious RDP server or tampers with a legitimate connection via a man-in-the-middle position, so the exposed population is clients that connect to servers the attacker controls or can intercept. By injecting directory traversal sequences (e.g., ../) into a file path, the attacker escapes the directory the client intends to confine transfers to, which yields an arbitrary file write; that write can be turned into DLL hijacking and, ultimately, remote code execution on the client.

Affected versions include:

  • Windows 10 versions prior to 10.0.19045.4598
  • Windows 11 versions prior to 10.0.22631.3880
  • Windows Server 2025

The root cause is that the client fails to normalize and validate file paths before using them, so a path containing traversal sequences is accepted as if it were a plain relative name and resolves outside the intended security boundary.
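As an added example (not Microsoft's code or anything from mstsc.exe), the following shows the containment check the root-cause paragraph describes as missing: a peer-supplied relative file name is normalized under Windows path rules and rejected if it would leave the client's transfer directory, with the unvalidated join shown alongside for contrast. CLIENT_BASE_DIR and the function names are assumptions; pathlib's PureWindowsPath applies Windows path semantics on any host.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Constructed per-session transfer directory (assumption; not mstsc's real layout).
CLIENT_BASE_DIR = PureWindowsPath(r"C:\Users\alice\AppData\Local\RdpTransfer")


def normalize_relative(candidate: str) -> Optional[PureWindowsPath]:
    """Normalize a peer-supplied name; return None if it must be rejected.

    Rejects NUL bytes, absolute paths, drive letters and UNC prefixes, ':' in a
    component (drive or alternate data stream syntax), trailing dots/spaces
    (which Win32 silently strips) and any '..' that climbs above the base.
    Both '/' and '\\' count as separators, as Windows treats them.
    """
    if not candidate or "\x00" in candidate:
        return None
    path = PureWindowsPath(candidate)
    if path.drive or path.root:          # C:\..., \\server\share\..., \foo
        return None
    kept: list[str] = []
    for part in path.parts:
        if part == ".":
            continue
        if part == "..":
            if not kept:                 # would leave the base directory
                return None
            kept.pop()
            continue
        if ":" in part or part != part.rstrip(" ."):
            return None
        kept.append(part)
    return PureWindowsPath(*kept) if kept else None


def safe_destination(base: PureWindowsPath, candidate: str) -> Optional[PureWindowsPath]:
    """Join candidate onto base only when the result provably stays inside base."""
    rel = normalize_relative(candidate)
    if rel is None:
        return None
    dest = base / rel
    return dest if base in dest.parents else None   # containment re-checked after join


def unsafe_destination(base: PureWindowsPath, candidate: str) -> PureWindowsPath:
    """The vulnerable shape: a bare join lets '..' and absolute names escape base."""
    return base / candidate
```

The unsafe join does not collapse the '..' components itself; the operating system does so when the file is opened, which is exactly when the write lands outside the transfer directory.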

Patch Information

Microsoft addressed this vulnerability in their July 2025 Patch Tuesday updates. Users should promptly apply the following patches:

  • Windows 10: KB5062554
  • Windows 11: KB5062553
  • Windows Server 2025: KB5062552

These updates introduce path normalization and validation routines that reject traversal outside the intended directory, closing the exploitation path described above.

For detailed patch information, refer to Microsoft's official documentation.

Vendor Security History

Microsoft's security response has historically been robust, particularly with monthly Patch Tuesday cycles. However, RDP vulnerabilities like BlueKeep (CVE-2019-0708) have exposed persistent challenges in securing legacy protocols. Microsoft's rapid response to CVE-2025-48817 underscores their commitment to security, yet highlights the ongoing need for vigilance in managing RDP-related risks.

Source: This report was created using AI