CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network.
Analysis
A heap-based buffer overflow in the Windows Routing and Remote Access Service (RRAS) allows an authenticated network attacker to execute arbitrary code, with high impact on confidentiality, integrity, and availability. The vulnerability is rated critical and affects RRAS across Windows Server and client operating systems; exploitation requires valid credentials but no user interaction, which makes it well suited to lateral movement and privilege escalation within an already compromised network.
Technical Context
The vulnerability exists in the Windows Routing and Remote Access Service (RRAS), a core Windows networking component responsible for managing dial-up, VPN, and routing connections. The root cause is classified as CWE-122 (Heap-based Buffer Overflow), indicating improper bounds checking when writing to dynamically allocated heap memory within RRAS protocol handlers. This likely occurs during processing of remote access protocol messages (potentially PPP, SSTP, L2TP, or IKEv2 implementations). The heap overflow allows attackers to corrupt adjacent heap structures, potentially achieving code execution through heap spray techniques or return-oriented programming (ROP) chains. Affected systems include Windows Server (2016, 2019, 2022) and client versions (Windows 10, Windows 11) with RRAS enabled, correlating to CPE patterns like 'cpe:2.3:o:microsoft:windows_server:*' and 'cpe:2.3:o:microsoft:windows:*' where RRAS is active.
Affected Products
Windows Routing and Remote Access Service (RRAS) on the following Microsoft products:
1. Windows Server 2016 (all editions with the RRAS role)
2. Windows Server 2019 (all editions with the RRAS role)
3. Windows Server 2022 (all editions with the RRAS role)
4. Windows 10 (all versions with RRAS components enabled)
5. Windows 11 (all versions with RRAS components enabled)
6. Potentially Windows 7 and Windows 8.1, which are out of support, where RRAS is enabled
Affected configurations include VPN servers (SSTP, L2TP, IKEv2, PPTP), dial-up RAS servers, and routing-enabled Windows systems that process remote access protocol traffic. The CVE description gives no version bounds; treat every RRAS installation as potentially affected until the vendor advisory says otherwise, and consult the Microsoft Security Update Guide and official advisories for definitive patch availability and version-specific impact.
Remediation
Immediate actions:
1. Apply the latest Microsoft security patch for Windows/Windows Server as released by Microsoft (expected in regular or out-of-band security updates).
2. If patches are unavailable, implement network-level mitigations: restrict access to RRAS ports (typically UDP 500, 1194, 1701, 443 for VPN protocols) using firewall rules, and restrict RRAS access to trusted source IP ranges.
3. Disable RRAS on systems where it is not required.
4. Enable strong authentication (MFA/2FA) on VPN and remote access endpoints to reduce credential compromise risk.
5. Monitor RRAS logs for suspicious protocol messages and unexpected connection attempts.
6. Implement network segmentation to isolate RRAS infrastructure.
Check the Microsoft Security Update Guide (https://msrc.microsoft.com) and Windows Server Security Updates for specific KB articles and patch versions. Vendor advisories will provide definitive remediation guidance with specific build numbers.
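The following PowerShell script is an added example for steps 2 and 3 above; it is not code from vuln.today or Microsoft. It checks whether the RemoteAccess service and role are present on a host, reports which standard RRAS VPN listener ports are actually open (IKEv2 UDP 500/4500, L2TP UDP 1701, SSTP TCP 443, PPTP TCP 1723, a slightly broader set than the page's port list), creates inbound allow rules scoped to trusted source ranges, and flags pre-existing enabled allow rules that open the same ports to any source. The $TrustedRanges values and the rule display names are placeholders for this example; replace them with your own client or management ranges.

```powershell
# Added example (not from vuln.today or Microsoft): inventory RRAS exposure and scope
# inbound VPN listener ports to trusted source ranges. Run in an elevated session.
# $TrustedRanges is a placeholder constructed for this example; replace it.
$TrustedRanges = @('10.0.0.0/8', '192.168.0.0/16')

# 1. Is the RRAS service present on this host at all? If not, nothing to mitigate here.
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'RemoteAccess service not present: host is not an RRAS server.'
    return
}
Write-Output ("RemoteAccess service status: {0} (StartType: {1})" -f $svc.Status, $svc.StartType)

# On Windows Server, show the installed role components so the role can be removed
# where it is not needed (Uninstall-WindowsFeature RemoteAccess -Restart).
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    Get-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing |
        Select-Object Name, InstallState | Format-Table -AutoSize
}

# 2. Standard RRAS VPN listener ports (PPTP additionally needs GRE, IP protocol 47).
$rrasPorts = @(
    @{ Protocol = 'UDP'; Port = 500;  Role = 'IKEv2 (ISAKMP)' },
    @{ Protocol = 'UDP'; Port = 4500; Role = 'IKEv2 (NAT-T)' },
    @{ Protocol = 'UDP'; Port = 1701; Role = 'L2TP' },
    @{ Protocol = 'TCP'; Port = 443;  Role = 'SSTP' },
    @{ Protocol = 'TCP'; Port = 1723; Role = 'PPTP control' }
)
$tcpListen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | Select-Object -ExpandProperty LocalPort
$udpListen = Get-NetUDPEndpoint -ErrorAction SilentlyContinue | Select-Object -ExpandProperty LocalPort
foreach ($p in $rrasPorts) {
    $open = if ($p.Protocol -eq 'TCP') { $tcpListen -contains $p.Port } else { $udpListen -contains $p.Port }
    Write-Output ("{0,-4} {1,-5} {2,-16} listening: {3}" -f $p.Protocol, $p.Port, $p.Role, $open)
}

# 3. One scoped inbound allow rule per listener. Windows Firewall's default inbound
# policy is Block, so a scoped allow is sufficient as long as no broader allow rule
# for the same port remains enabled (checked in step 4).
foreach ($p in $rrasPorts) {
    $name = "RRAS scoped allow - $($p.Protocol) $($p.Port)"   # placeholder rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol $p.Protocol -LocalPort $p.Port -RemoteAddress $TrustedRanges -Profile Any | Out-Null
        Write-Output "Created: $name (sources: $($TrustedRanges -join ', '))"
    }
}
# GRE for PPTP; omit if PPTP is not served.
if (-not (Get-NetFirewallRule -DisplayName 'RRAS scoped allow - GRE' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'RRAS scoped allow - GRE' -Direction Inbound -Action Allow `
        -Protocol 47 -RemoteAddress $TrustedRanges -Profile Any | Out-Null
}

# 4. Flag enabled inbound allow rules that still expose these ports to any source.
# Port ranges (e.g. '1000-2000') are not expanded here; review those by hand.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $rule = $_
    $pf = $rule | Get-NetFirewallPortFilter
    $af = $rule | Get-NetFirewallAddressFilter
    if ($af.RemoteAddress -ne 'Any') { return }            # already source-scoped
    foreach ($p in $rrasPorts) {
        $protoMatch = ($pf.Protocol -eq $p.Protocol) -or ($pf.Protocol -eq 'Any')
        $portMatch  = ($pf.LocalPort -eq 'Any') -or ($pf.LocalPort -contains "$($p.Port)")
        if ($protoMatch -and $portMatch) {
            Write-Warning ("Rule '{0}' allows {1}/{2} from ANY source; disable or scope it: Set-NetFirewallRule -Name '{3}' -RemoteAddress <trusted ranges>" -f $rule.DisplayName, $p.Protocol, $p.Port, $rule.Name)
        }
    }
}
```

Run the script once per RRAS host and keep the warnings from step 4 as the action list: a scoped allow rule does nothing while an older rule for the same port still admits any source. On hosts where step 1 shows the role installed but step 2 shows no listeners, removing the role (remediation step 3) is the simpler fix.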
EU Vulnerability Database identifier: EUVD-2025-17774