A critical remote code execution vulnerability, CVE-2025-62549, has been identified in the Windows Routing and Remote Access Service (RRAS). This flaw allows an unauthenticated attacker to take complete control of an affected server over the network, posing a significant risk of system compromise, data breach, and further network intrusion.

The vulnerability is an untrusted pointer dereference within the Windows Routing and Remote Access Service (RRAS). An unauthenticated attacker can exploit this flaw by sending a specially crafted network packet to a vulnerable server. When the RRAS service processes this malicious packet, it incorrectly uses a pointer controlled by the attacker to access a memory location, leading to memory corruption. This can be leveraged by the attacker to execute arbitrary code with the high-level privileges of the RRAS service, resulting in a full system compromise.

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could lead to a complete compromise of the affected server, allowing an attacker to install malware, exfiltrate sensitive data, or disrupt business operations. Since RRAS is often used for VPN access and is typically exposed to the internet, a compromised server could serve as a pivot point for attackers to gain access to the internal corporate network. The potential consequences include significant financial loss, reputational damage, and regulatory penalties related to data breaches.

Immediate Action: Apply vendor-supplied security updates to all affected systems immediately. Prioritize patching for internet-facing systems running the RRAS service. After patching, monitor systems for any signs of compromise that may have occurred prior to the update and review relevant access and service logs for anomalous activity.

Proactive Monitoring: Implement enhanced monitoring of network traffic to and from servers running RRAS. Look for malformed packets or unusual traffic patterns that could indicate scanning or exploitation attempts. Monitor system and application logs for RRAS service crashes or memory-related errors. Utilize Endpoint Detection and Response (EDR) solutions to detect suspicious process behavior originating from the RRAS service, such as the spawning of command shells or PowerShell instances.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Restrict access to the RRAS service at the network perimeter by applying strict firewall rules, allowing connections only from trusted IP address ranges.
• Deploy a Network Intrusion Prevention System (NIPS) with updated signatures capable of detecting and blocking exploit attempts targeting this vulnerability.
• Disable the RRAS service on any systems where it is not essential for business operations.

Public Exploit Available: false

Given the high CVSS score of 8.8 and the potential for complete system compromise by an unauthenticated attacker, this vulnerability presents a critical risk to the organization. All organizations using the affected software should treat this as a top priority for remediation. Although not currently listed on the CISA KEV list, its characteristics make it a likely candidate for future inclusion. We strongly recommend applying the vendor patch to all vulnerable systems within a 72-hour window, prioritizing internet-facing servers. If patching is delayed, the compensating controls listed above must be implemented immediately to mitigate the risk of exploitation.