CVE-2023-28224
📋 TL;DR
This vulnerability allows an attacker to execute arbitrary code on Windows systems by exploiting a flaw in the Point-to-Point Protocol over Ethernet (PPPoE) component, gaining SYSTEM-level privileges on affected systems. Note the attack surface: PPPoE is carried directly in Ethernet frames (EtherType 0x8863 for discovery, 0x8864 for session), not over IP, so the attacker must be able to place crafted frames on the same Ethernet segment as the target; the flaw is not reachable through a routed perimeter. Systems most exposed are those with PPPoE enabled, typically hosts that terminate a broadband connection themselves rather than behind a router.
💻 Affected Systems
- Windows 10
- Windows 11
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
- Windows 10 1507 by Microsoft
- Windows 10 1607 by Microsoft
- Windows 10 1809 by Microsoft
- Windows 10 20H2 by Microsoft
- Windows 10 21H2 by Microsoft
- Windows 10 22H2 by Microsoft
- Windows 11 21H2 by Microsoft
- Windows 11 22H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains SYSTEM privileges and full control of the target system, potentially leading to complete compromise, data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Remote code execution with SYSTEM privileges, allowing attackers to install malware, create backdoors, steal credentials, or pivot to other systems.
If Mitigated
Limited impact where PPPoE-capable hosts share an Ethernet segment only with trusted equipment (untrusted devices cannot inject frames), where the RasMan service is disabled on hosts that do not need it, or where systems are already patched. Perimeter firewall rules do not help here, because PPPoE frames never cross an IP firewall.
🎯 Exploit Status
Microsoft has not disclosed exploitation details. The vulnerability is exploitable without authentication, but the attacker must be able to deliver PPPoE frames onto the target's Ethernet segment (network-adjacent position), which limits opportunistic internet-wide exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: April 2023 cumulative security updates (KB5025221 for Windows 10 20H2/21H2/22H2, KB5025239 for Windows 11 22H2, etc.; other supported versions and Windows Server releases have their own April 2023 KB numbers, listed in the vendor advisory). Because these are cumulative updates, any later cumulative update also contains the fix.
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28224
Restart Required: Yes
Instructions:
1. Apply the April 2023 Windows security updates via Windows Update.
2. For enterprise environments, deploy the updates through WSUS or Configuration Manager (SCCM).
3. Restart systems after patching.
🔧 Temporary Workarounds
Disable the RasMan Service
Platform: Windows. There is no standalone PPPoE service: PPPoE connections are hosted by the Remote Access Connection Manager (RasMan) service. Disabling RasMan therefore also disables dial-up and the built-in Windows VPN client (PPTP, L2TP, SSTP, IKEv2), so apply this only on hosts that need none of those. Record the service's original start type so it can be restored after patching.
sc config RasMan start= disabled
sc stop RasMan
Filter PPPoE Frames at Layer 2
Platform: all. PPPoE has no TCP/UDP ports; it is identified by EtherType 0x8863 (discovery) and 0x8864 (session) and is not visible to a perimeter firewall. Where a host must run PPPoE, restrict those EtherTypes to the switch port facing the ISP or access concentrator, and keep untrusted devices (guest Wi-Fi, unmanaged endpoints) off that segment, for example by not bridging them into the WAN-side VLAN.
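The following script is an added example, not Microsoft's code or part of the original advisory. It wraps the RasMan workaround above so that an administrator sees what will break before disabling the service: phonebook (rasphone.pbk) entries, built-in VPN connections and services that depend on RasMan. The assumption is that those are the only RAS consumers on the host; third-party software that drives RAS through its own configuration would not be listed. Run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example for the CVE-2023-28224 RasMan workaround (not Microsoft's code).

function Get-RasDependents {
    # Built-in dial-up/PPPoE/VPN connections are stored in rasphone.pbk files
    # (all-user and per-user); every [Section] header is one connection entry.
    $pbkPaths = @(
        "$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk",
        "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk"
    )
    $entries = @($pbkPaths |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Select-String -Path $_ -Pattern '^\[(.+)\]$' } |
        ForEach-Object { $_.Matches[0].Groups[1].Value })

    # Services declaring RasMan as a dependency stop with it.
    $dependents = @((Get-Service -Name RasMan).DependentServices |
        Select-Object -ExpandProperty Name)

    # Built-in VPN client profiles (Get-VpnConnection may be absent on Server Core).
    $vpns = @(Get-VpnConnection -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        PhonebookEntries  = $entries
        DependentServices = $dependents
        VpnConnections    = $vpns
    }
}

function Disable-RasMan {
    param([switch]$Force)
    $svc  = Get-Service -Name RasMan
    $deps = Get-RasDependents
    if (-not $Force -and ($deps.PhonebookEntries.Count -gt 0 -or $deps.VpnConnections.Count -gt 0)) {
        Write-Warning "RAS connections exist on this host; disabling RasMan will break them:"
        $deps | Format-List | Out-String | Write-Warning
        Write-Warning "Re-run with -Force to disable anyway."
        return
    }
    # Keep the original start type so Enable-RasMan can restore it later.
    Write-Host "Original RasMan start type: $($svc.StartType)"
    # Equivalent of: sc stop RasMan ; sc config RasMan start= disabled
    Stop-Service -Name RasMan -Force
    Set-Service -Name RasMan -StartupType Disabled
    Get-Service -Name RasMan | Select-Object Name, Status, StartType
}

function Enable-RasMan {
    # Roll back once the April 2023 update is installed. Manual is the usual
    # client default (trigger-started); pass the value recorded by Disable-RasMan
    # if it differed.
    param([string]$StartupType = 'Manual')
    Set-Service -Name RasMan -StartupType $StartupType
    Start-Service -Name RasMan
    Get-Service -Name RasMan | Select-Object Name, Status, StartType
}

Disable-RasMan
```

If the host shows any phonebook or VPN entries, treat the warning as a signal to patch rather than to force the workaround; disabling RasMan on a laptop that relies on the built-in VPN client will cut its remote-access path.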
🧯 If You Can't Patch
- Segment networks so that hosts running PPPoE share an Ethernet segment only with the access concentrator or ISP equipment, never with user devices or guest networks
- Use switch-port EtherType filtering (0x8863/0x8864) and VLAN isolation to keep PPPoE frames from untrusted segments; IP firewall rules cannot filter PPPoE
🔍 How to Verify
Check if Vulnerable:
Check whether the April 2023 (or a later) cumulative update is installed, via the 'systeminfo' hotfix list or Windows Update history. Note that the 'OS Version' line of systeminfo shows only the major build (for example 19045), not the update revision (UBR) that distinguishes a patched build from an unpatched one.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that KB5025221 (Windows 10 20H2/21H2/22H2) or KB5025239 (Windows 11 22H2), or a later cumulative update that supersedes it, appears under Installed Updates. Equivalently, the full OS build should be at least 19042.2846 / 19044.2846 / 19045.2846 for those Windows 10 versions and 22621.1555 for Windows 11 22H2.
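As an added example (not Microsoft's code or part of the original advisory), the script below performs the verification described above without relying on systeminfo: it reads the build number and UBR from the registry, compares them against the April 2023 revisions for the builds named on this page, and cross-checks Get-HotFix for the two KB numbers. Builds not in the table (Windows 10 1809, Windows 11 21H2, Windows Server) are reported as unknown rather than guessed; look their April 2023 KB up in the MSRC advisory.

```powershell
# Added example: verify the CVE-2023-28224 fix on the local host (not Microsoft's code).

function Get-WindowsBuildInfo {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Product    = $cv.ProductName
        DisplayVer = $cv.DisplayVersion          # e.g. 22H2 (null on older builds)
        Build      = [int]$cv.CurrentBuildNumber # e.g. 19045
        Revision   = [int]$cv.UBR                # update revision; systeminfo omits it
    }
}

# Minimum OS build revision carried by the April 11, 2023 cumulative update,
# limited to the builds this advisory names KBs for.
$PatchedRevision = @{
    19042 = 2846   # Windows 10 20H2  (KB5025221)
    19044 = 2846   # Windows 10 21H2  (KB5025221)
    19045 = 2846   # Windows 10 22H2  (KB5025221)
    22621 = 1555   # Windows 11 22H2  (KB5025239)
}

function Test-Cve202328224Patched {
    $info = Get-WindowsBuildInfo
    $kbs  = @(Get-HotFix |
        Where-Object { $_.HotFixID -in @('KB5025221', 'KB5025239') } |
        Select-Object -ExpandProperty HotFixID)

    $verdict = if ($PatchedRevision.ContainsKey($info.Build)) {
        if ($info.Revision -ge $PatchedRevision[$info.Build]) {
            'patched (April 2023 or later cumulative update)'
        } else {
            'VULNERABLE: build revision predates the April 2023 update'
        }
    } else {
        'unknown build: look up its April 2023 KB in the MSRC advisory'
    }

    [pscustomobject]@{
        OS          = ("$($info.Product) $($info.DisplayVer)").Trim()
        Build       = "$($info.Build).$($info.Revision)"
        KBsFound    = if ($kbs.Count) { $kbs -join ', ' } else { '(none of the two listed KBs)' }
        RasManState = (Get-Service -Name RasMan).Status
        Verdict     = $verdict
    }
}

Test-Cve202328224Patched | Format-List
```

KBsFound showing none while the verdict reads patched is normal on a host that installed a later cumulative update, since later updates supersede KB5025221/KB5025239; the build revision is the authoritative check.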
📡 Detection & Monitoring
Log Indicators:
- Unusual PPPoE connection attempts, for example PPPoE discovery activity on hosts or interfaces that are not supposed to run PPPoE
- RasMan (Remote Access Connection Manager) service crashes: System log Event ID 7031/7034 from Service Control Manager; a failed exploitation attempt is likely to surface this way
- Unexpected processes spawned by the svchost.exe instance hosting RasMan, running as SYSTEM
Network Indicators:
- Malformed PPPoE discovery or session frames (EtherType 0x8863/0x8864), visible only with a capture on the affected segment, since PPPoE does not traverse IP monitoring points
- PPPoE discovery offers or session frames (PADO/PADS) from a MAC address other than the expected access concentrator, or PPPoE frames from hosts that should not be speaking the protocol
SIEM Query (Security Event ID 4688 does not record the parent's command line, so it can only narrow to SYSTEM children of svchost.exe; SYSTEM appears as SID S-1-5-18, while SubjectUserName holds the machine account, not the string "SYSTEM"):
EventID=4688 AND SubjectUserSid="S-1-5-18" AND ParentProcessName="*\svchost.exe" AND NewProcessName NOT IN (<known-good children of svchost>)
To pin the parent to the RasMan service host, use Sysmon Event ID 1, which does carry ParentCommandLine:
EventID=1 AND ParentCommandLine="*-s RasMan*"
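The script below is an added example (not Microsoft's code or part of the original advisory) that runs the three log indicators above against a host's own event logs: RasMan service crashes from the System log, SYSTEM-level children of svchost.exe from Security 4688, and, where Sysmon is installed, children whose parent command line names the RasMan service group. It assumes the default Sysmon channel name Microsoft-Windows-Sysmon/Operational and that process-creation auditing is enabled for 4688; the 4688 CommandLine field is populated only if command-line auditing is also on.

```powershell
# Added example: host-side hunting for the CVE-2023-28224 indicators (not Microsoft's code).

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of an event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Get-RasManCrashes {
    param([int]$Days = 7)
    # System log 7031/7034: Service Control Manager reports an unexpected termination.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7031, 7034; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Remote Access Connection Manager' } |
    Select-Object TimeCreated, Id, Message
}

function Get-SystemChildrenOfSvchost {
    param([int]$Days = 7)
    # Security 4688: SYSTEM is SID S-1-5-18; SubjectUserName is the machine account (HOST$).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData -Event $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Parent  = $d.ParentProcessName
            Child   = $d.NewProcessName
            Sid     = $d.SubjectUserSid
            CmdLine = $d.CommandLine   # empty unless command-line auditing is enabled
        }
    } |
    Where-Object { $_.Sid -eq 'S-1-5-18' -and $_.Parent -like '*\svchost.exe' }
}

function Get-RasManSvchostChildren {
    param([int]$Days = 7)
    # Sysmon Event ID 1 includes ParentCommandLine; on Windows 10/11 the RasMan host
    # runs as 'svchost.exe -k netsvcs -p -s RasMan', which 4688 cannot show.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData -Event $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            ParentCmd = $d.ParentCommandLine
            Image     = $d.Image
            CmdLine   = $d.CommandLine
        }
    } |
    Where-Object { $_.ParentCmd -match '-s RasMan' }
}

'--- RasMan crashes (System 7031/7034) ---'
Get-RasManCrashes | Format-Table -AutoSize
'--- SYSTEM children of svchost.exe (Security 4688) ---'
Get-SystemChildrenOfSvchost | Format-Table -AutoSize
'--- Children of the RasMan svchost (Sysmon 1) ---'
Get-RasManSvchostChildren | Format-Table -AutoSize
```

The 4688 query is intentionally broad and will include legitimate service-hosted processes; baseline it per host and alert on new child images rather than on volume. Any non-empty result from the Sysmon query on a host that is not itself establishing RAS connections deserves a closer look.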