A critical heap-based buffer overflow vulnerability has been identified in the Windows Routing and Remote Access Service (RRAS). This flaw allows an unauthenticated attacker to remotely execute arbitrary code on a vulnerable server, potentially leading to a complete system compromise. Organizations utilizing Windows RRAS for VPN or routing capabilities are at high risk and must take immediate action to prevent exploitation.

This vulnerability is a heap-based buffer overflow within the Windows RRAS service. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted network packet to an affected server. The service fails to properly validate the size of the data within the packet, causing it to write beyond the boundaries of an allocated memory buffer on the heap. This memory corruption can be leveraged by the attacker to overwrite critical data structures and execute arbitrary code with the permissions of the RRAS service, which typically runs with SYSTEM-level privileges.

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could lead to a complete compromise of the affected RRAS server. The potential consequences include theft of sensitive data, disruption of network services, and the server being used as a foothold to launch further attacks against the internal network. Since RRAS servers are often internet-facing to provide VPN access, they represent a high-value target for attackers, and a compromise could have significant reputational and operational impacts.

Immediate Action: Immediately apply the security updates released by the vendor for all affected Windows Server versions. Prioritize patching for all internet-facing RRAS servers to mitigate the risk of external attack. After patching, verify that the RRAS service is functioning correctly.

Proactive Monitoring: Monitor RRAS event logs for unusual connection patterns, service crashes, or unexpected error messages. Implement network traffic analysis to detect anomalous packets directed at RRAS ports (e.g., PPTP TCP/1723, L2TP UDP/1701). Monitor system processes for any unexpected child processes spawning from the RRAS service (svchost.exe -k RemoteAccess).

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Use a firewall to restrict access to the RRAS service ports to only known, trusted IP address ranges.
• Deploy an Intrusion Prevention System (IPS) with updated signatures capable of detecting and blocking exploit attempts targeting this specific vulnerability.
• Disable any unused RRAS features to reduce the overall attack surface of the service.

Public Exploit Available: false

Given the high CVSS score of 8.8 and the risk of unauthenticated remote code execution, this vulnerability poses a critical threat to the organization. We recommend that this vulnerability be treated with the highest priority and that the vendor-supplied patches be applied within the emergency patching window. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime candidate for future inclusion. All internet-facing RRAS servers should be considered compromised until patched and thoroughly inspected for signs of malicious activity.