Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network.
AnalysisAI
Heap-based buffer overflow vulnerability in Windows Routing and Remote Access Service (RRAS) that allows authenticated network attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. This is a critical vulnerability affecting RRAS implementations across Windows Server and client operating systems; exploitation requires valid credentials but no user interaction, making it suitable for lateral movement and privilege escalation scenarios within compromised networks.
Technical ContextAI
The vulnerability exists in the Windows Routing and Remote Access Service (RRAS), a core Windows networking component responsible for managing dial-up, VPN, and routing connections. The root cause is classified as CWE-122 (Heap-based Buffer Overflow), indicating improper bounds checking when writing to dynamically allocated heap memory within RRAS protocol handlers. This likely occurs during processing of remote access protocol messages (potentially PPP, SSTP, L2TP, or IKEv2 implementations). The heap overflow allows attackers to corrupt adjacent heap structures, potentially achieving code execution through heap spray techniques or return-oriented programming (ROP) chains. Affected systems include Windows Server (2016, 2019, 2022) and client versions (Windows 10, Windows 11) with RRAS enabled, correlating to CPE patterns like 'cpe:2.3:o:microsoft:windows_server:*' and 'cpe:2.3:o:microsoft:windows:*' where RRAS is active.
RemediationAI
Immediate actions: (1) Apply the latest Microsoft security patch for Windows/Windows Server as released by Microsoft (expected in regular or out-of-band security updates); (2) If patches are unavailable, implement network-level mitigations: restrict access to RRAS ports (typically UDP 500, 1194, 1701, 443 for VPN protocols) using firewall rules; restrict RRAS access to trusted source IP ranges; (3) Disable RRAS on systems where it is not required; (4) Enable strong authentication (MFA/2FA) on VPN and remote access endpoints to reduce credential compromise risk; (5) Monitor RRAS logs for suspicious protocol messages and unexpected connection attempts; (6) Implement network segmentation to isolate RRAS infrastructure. Check Microsoft Security Update Guide (https://msrc.microsoft.com) and Windows Server Security Updates for specific KB articles and patch versions. Vendor advisories will provide definitive remediation guidance with specific build numbers.
More in Windows Server 2025
View allWindows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables
Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker
Active Directory Domain Services contains an elevation of privilege vulnerability that allows authenticated domain users
Microsoft Scripting Engine contains a type confusion vulnerability allowing unauthorized remote code execution over the
Local privilege escalation in Microsoft Active Directory Federation Services (AD FS) lets an already-authenticated low-p
Windows CLFS Driver contains an input validation flaw enabling local privilege escalation, yet another CLFS kernel vulne
Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow enabling local privilege escalation
Windows Shell contains a protection mechanism failure (CVE-2026-21510, CVSS 8.8) that allows unauthenticated remote atta
In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptograph
Desktop Window Manager (DWM) in Windows contains a type confusion vulnerability (CVE-2026-21519, CVSS 7.8) that enables
Windows Common Log File System Driver contains another use-after-free for local privilege escalation, the latest in a se
Windows Storage contains an elevation of privilege vulnerability through symlink following that allows authorized attack
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17774