A high-severity vulnerability has been identified in the Windows Routing and Remote Access Service (RRAS), which could allow a local attacker to gain full administrative control over a vulnerable system. An attacker who already has basic user access can exploit this flaw to elevate their privileges to the SYSTEM level, leading to a complete system compromise. This poses a significant risk to the confidentiality, integrity, and availability of the affected assets.

This vulnerability is an untrusted pointer dereference within the Windows Routing and Remote Access Service (RRAS). An attacker with existing low-privilege access to a target system can exploit this flaw by sending a specially crafted input to the RRAS service. This action causes the service to use a memory pointer that the attacker has influenced, leading to memory corruption and enabling the execution of arbitrary code with the elevated privileges of the RRAS service, which typically runs as SYSTEM.

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation would result in a local privilege escalation, granting an attacker complete control over the compromised system. This could lead to the theft or modification of sensitive data, installation of persistent malware like backdoors or ransomware, and disruption of critical business services. If exploited on a key server, it could also serve as a pivot point for lateral movement, enabling the attacker to compromise the wider network environment.

Immediate Action:

• Apply the security updates provided by the vendor to all affected systems immediately.
• Initiate monitoring for signs of exploitation, focusing on systems running the RRAS service.
• Review system and security logs for any anomalous activity related to the RRAS service process.

Proactive Monitoring:

• Log Analysis: Scrutinize Windows Event Logs (System, Security, Application) for crashes or unexpected restarts of the Remote Access service (svchost.exe).
• Endpoint Detection: Utilize Endpoint Detection and Response (EDR) solutions to monitor for suspicious process behavior, such as unusual child processes spawning from the RRAS service or memory injection attempts targeting its process space.
• Network Traffic: While the exploit is local, monitor for any post-exploitation activity or command-and-control (C2) communication originating from compromised hosts.

Compensating Controls:

• Disable Unused Services: If the Routing and Remote Access Service is not essential for a system's function, disable it to completely remove the attack surface.
• Principle of Least Privilege: Enforce strict access controls to limit the number of authorized users on critical systems, reducing the pool of potential attackers.
• Application Control: Implement application whitelisting solutions (e.g., AppLocker, WDAC) to prevent the execution of unauthorized code, which could thwart the final stage of an exploit.

Public Exploit Available: false

Given the high severity (CVSS 7.8) and the critical impact of a successful privilege escalation attack, immediate patching is strongly recommended. Organizations should prioritize the deployment of the vendor's security update on all vulnerable systems, particularly multi-user workstations, terminal servers, and critical infrastructure servers where local access is more common. Although this vulnerability is not yet on the CISA KEV list, its nature makes it a prime target for future exploitation, and a proactive patching and monitoring stance is essential to mitigate risk.