A heap‑based buffer overflow in the Remote Desktop Client allows an attacker without prior authorization to execute arbitrary code when the client processes data from a remote host. This vulnerability can be abused to take full control of the affected system, bypassing normal execution controls and potentially allowing the attacker to install malware, exfiltrate data, or pivot to other hosts. The flaw corresponds to CWE‑416 (use‑after‑free) and CWE‑787 (out‑of‑bounds write), both of which can lead to arbitrary code execution.

Microsoft Windows Server 2016, Microsoft Windows Server 2016 (Server Core installation), Microsoft Windows Server 2019, Microsoft Windows Server 2019 (Server Core installation), Microsoft Windows Server 2022, Microsoft Windows Server 2025, and Microsoft Windows Server 2025 (Server Core installation) are affected.

The CVSS score of 7.5 indicates high severity, and the EPSS score of 0.00074 indicates a low but nonzero exploit probability of about 0.074%; the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is a network‑based Remote Desktop session; the description suggests that no credentials are required to trigger the overflow, implying that any host reachable over RDP can potentially be exploited. Once exploited, the attacker achieves remote code execution with the privileges of the RDP session or, if the vulnerability allows, escalates privileges further on the host.