remote desktop vulnerability exploit

When Microsoft released its May 2025 Patch Tuesday updates, the company addressed two critical Remote Desktop Protocol vulnerabilities that cybersecurity experts now consider among the most severe threats to enterprise networks this year. The flaws, designated CVE-2025-29966 and CVE-2025-29967, both carry CVSS scores of 8.8, indicating critical severity levels that demand immediate attention from security teams worldwide.

The vulnerabilities stem from improper handling of bitmap cache files within Microsoft’s Remote Desktop Protocol implementation. Attackers exploit this weakness by sending over-sized bitmap updates through compromised RDP servers or man-in-the-middle gateways, triggering buffer overflows in the client’s bitmap-compression routine that lead to remote code execution. With zero-day exploits becoming increasingly common, organizations must remain vigilant against previously unknown vulnerabilities in their systems.

The attack mechanism allows threat actors to gain unauthorized control over Windows systems while also hijacking browser activity to monitor sensitive user actions. Persistent bitmap caching, enabled by default in the mstsc.exe RDP client, greatly increases exposure across enterprise environments.

Attackers can reconstruct complete session screens using specialized tools like BMC-Tools and RdpCacheStitcher, effectively gaining “shoulder surfing” capabilities that reveal all on-screen client activity. During documented incidents, attackers have successfully recovered over 8,000 bitmap cache files, exposing extensive operational details including login credentials, PowerShell scripts, malware alerts, and private browsing sessions.

The cached bitmap fragments persist even after RDP sessions terminate, providing attackers with historical views of user activity that circumvent traditional forensic logging mechanisms. Security professionals should monitor for unusual RDP client crashes, which may signal active exploitation attempts, alongside abnormal RDP session logons from unexpected external IP addresses.

The presence of unexplained updates in mstsc.exe bitmap cache files, particularly when corresponding Windows Event or Terminal Services logs are absent, represents another significant indicator of potential compromise. Organizations must incorporate RDP cache analysis into their incident response strategies to effectively detect and respond to these sophisticated attacks.
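The two client-side indicators described above (unexplained writes to the mstsc.exe bitmap cache with no matching RDP client log entry, and mstsc.exe crashes) can be checked with the following PowerShell script. This is an added example, not code from the article or from Microsoft. It assumes it runs as the user whose cache is being examined, that the Microsoft-Windows-TerminalServices-RDPClient/Operational log is enabled (its default state), and that a two-hour correlation window and a 30-day lookback are reasonable; both are constructed values that a practitioner should tune.

```powershell
# Added example (not from the article): audit the mstsc.exe persistent bitmap cache
# and correlate cache writes with the RDP client's own connection events.

$cacheDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Terminal Server Client\Cache'
$window   = New-TimeSpan -Hours 2      # assumed: how close a connection event must be to a cache write
$since    = (Get-Date).AddDays(-30)    # assumed: lookback period

# 1. Cache files (Cache*.bin / bcache*.bmc) written during the lookback period
$cacheWrites = Get-ChildItem -Path $cacheDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    Select-Object Name, Length, LastWriteTime

# 2. Outbound RDP connections recorded by the client
#    (Event ID 1024 = connection attempt, 1102 = connection initiated)
$connections = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'
        Id        = 1024, 1102
        StartTime = $since
    } -ErrorAction SilentlyContinue

# 3. A cache write with no connection event nearby is the "unexplained update"
#    the article calls out as an indicator of compromise
foreach ($f in $cacheWrites) {
    $match = $connections | Where-Object {
        [math]::Abs(($_.TimeCreated - $f.LastWriteTime).TotalSeconds) -le $window.TotalSeconds
    }
    if (-not $match) {
        [pscustomobject]@{
            Written = $f.LastWriteTime
            File    = $f.Name
            Bytes   = $f.Length
            Finding = 'bitmap cache written with no RDP client connection event'
        }
    }
}

# 4. mstsc.exe crashes: Application log, provider "Application Error", Event ID 1000
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*mstsc.exe*' } |
    Select-Object TimeCreated, @{ n = 'Finding'; e = { 'mstsc.exe crash' } }
```

Run it per user (the cache lives under each user's profile) and treat a hit as a lead rather than proof: a legitimate connection whose operational log was cleared or rotated produces the same signal, which is why the article stresses correlating cache timestamps with the Windows Event and Terminal Services logs rather than relying on either source alone.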

Microsoft’s patches represent the primary defense against these vulnerabilities, with no additional official mitigation strategies currently available. Security experts recommend blocking port 3389 at network perimeters as standard practice, and organizations should consider disabling persistent bitmap caching in mstsc.exe when it is not operationally required. Organizations using RDP face heightened exposure because enterprise environments typically maintain many sensitive RDP connections.
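Disabling persistent bitmap caching in mstsc.exe, as suggested above, can be done per user by setting `bitmapcachepersistenable:i:0` in the connection files the client reads. The script below is an added example, not code from the article or from Microsoft; it assumes the client's saved settings live in the user's Documents folder (the hidden Default.rdp that mstsc.exe writes, plus any .rdp files the user saved there) and that rewriting those files is acceptable.

```powershell
# Added example (not from the article): turn off persistent bitmap caching in the
# current user's mstsc.exe connection files by forcing bitmapcachepersistenable:i:0.

$docs = [Environment]::GetFolderPath('MyDocuments')
$targets = @()
$targets += Join-Path $docs 'Default.rdp'                       # hidden file written by mstsc.exe
$targets += (Get-ChildItem -Path $docs -Filter '*.rdp' -File -Force -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.FullName })
$targets = $targets | Sort-Object -Unique

foreach ($rdp in $targets) {
    # Existing settings, if the file exists; .rdp files are plain "name:type:value" lines
    $lines = @()
    if (Test-Path -LiteralPath $rdp) {
        $lines = Get-Content -LiteralPath $rdp -Force
    }

    # Drop any existing bitmapcachepersistenable line and append the disabled setting
    $lines = @($lines | Where-Object { $_ -notmatch '^bitmapcachepersistenable:i:' })
    $lines += 'bitmapcachepersistenable:i:0'

    # -Force is needed because Default.rdp carries the hidden attribute
    Set-Content -LiteralPath $rdp -Value $lines -Force
    Write-Output "persistent bitmap cache disabled in $rdp"
}

# Verify: every target should now contain exactly one disabled setting
foreach ($rdp in $targets) {
    $hits = @(Select-String -LiteralPath $rdp -Pattern '^bitmapcachepersistenable:i:0$' -ErrorAction SilentlyContinue)
    if ($hits.Count -ne 1) { Write-Warning "check $rdp manually" }
}
```

This only changes future sessions; fragments already written to the cache directory under the user's profile remain on disk until removed, which matters because the article notes that cached fragments outlive the sessions that produced them. Connection files stored elsewhere (for example pushed by a connection broker) need the same setting applied at their source.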

Regular monitoring and prompt patch application remain crucial for high-risk environments.
