CVE-2023-35365
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS) without authentication. Attackers can exploit improper input validation to gain SYSTEM privileges on affected systems. Organizations using Windows servers with RRAS enabled are at risk.
💻 Affected Systems
- Windows Server
📦 What is this software?
- Windows 10 1507 by Microsoft
- Windows 10 1607 by Microsoft
- Windows 10 1809 by Microsoft
- Windows 10 21H2 by Microsoft
- Windows 10 22H2 by Microsoft
- Windows 11 21H2 by Microsoft
- Windows 11 22H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges leading to data theft, ransomware deployment, lateral movement, and persistent backdoor installation.
Likely Case
Initial foothold for attackers to pivot through networks, deploy malware, and establish persistence on critical infrastructure.
If Mitigated
Limited impact with proper network segmentation, but still poses significant risk if RRAS is internet-facing.
🎯 Exploit Status
CVSS 9.8 indicates critical severity: network attack vector, low attack complexity, and no authentication required. Microsoft's advisory rates the bug as "Exploitation More Likely".
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2023 security updates
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35365
Restart Required: Yes
Instructions:
1. Apply the July 2023 Windows Server security updates via Windows Update.
2. For manual installation, download the appropriate KB for your OS build from the Microsoft Update Catalog.
3. Restart affected servers after patch installation.
🔧 Temporary Workarounds
Disable RRAS Service
Temporarily disable the Routing and Remote Access Service if it is not required:
sc config RemoteAccess start= disabled
sc stop RemoteAccess
Block RRAS Ports
Block inbound network access to the RRAS ports (TCP 1723 for PPTP, UDP 1701 for L2TP, UDP 500 for IKE):
netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500
🧯 If You Can't Patch
- Disable RRAS service immediately if not business-critical
- Implement strict network segmentation and firewall rules to isolate RRAS servers
🔍 How to Verify
Check if Vulnerable:
Check whether the RRAS service is running:
sc query RemoteAccess | findstr RUNNING
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the July 2023 security update is installed (KB5028166 is the KB cited above; substitute the KB number that applies to your OS build):
wmic qfe list | findstr "KB5028166"
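The three checks above can be combined into a single host assessment. The following PowerShell script is an added example, not part of this advisory or of any Microsoft tooling; it assumes the KB cited above (KB5028166) is the correct July 2023 update for the host's build (pass -PatchKb otherwise) and uses the RRAS ports from the workaround section. Run it from an elevated prompt.

```powershell
# Added example (not from the advisory): assess a host's exposure to CVE-2023-35365.
# Assumption: $PatchKb is the July 2023 update for this OS build; adjust per build.
param(
    [string]$PatchKb = 'KB5028166',
    [int[]]$RrasPorts = @(1723, 1701, 500)   # PPTP, L2TP, IKE (from the workaround section)
)

$report = [ordered]@{}

# 1. Service state: if RRAS is not installed or not running, the vulnerable code is not reachable.
$svc = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue
$report.ServiceRunning   = ($null -ne $svc) -and ($svc.Status -eq 'Running')
$report.ServiceStartType = if ($svc) { "$($svc.StartType)" } else { 'NotInstalled' }

# 2. Patch state: Get-HotFix emits nothing (no terminating error) when the KB is absent.
$hotfix = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
$report.PatchInstalled = [bool]$hotfix

# 3. Sockets actually listening on the RRAS ports, TCP and UDP.
$tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
       Where-Object { $RrasPorts -contains $_.LocalPort }
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
       Where-Object { $RrasPorts -contains $_.LocalPort }
$listening = @(foreach ($c in $tcp) { [int]$c.LocalPort }; foreach ($c in $udp) { [int]$c.LocalPort }) |
             Sort-Object -Unique
$report.ListeningPorts = $listening -join ','

# 4. Enabled inbound block rules that cover the RRAS ports (the netsh workaround above creates these).
#    Protocol is not distinguished here; a TCP-only rule on 1701 would still count as a block.
$blocked = @(foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue) {
    $rulePorts = ($rule | Get-NetFirewallPortFilter).LocalPort
    foreach ($p in $RrasPorts) { if ($rulePorts -contains "$p") { $p } }
}) | Sort-Object -Unique
$report.BlockedPorts = $blocked -join ','

# Verdict: exposed only when RRAS is running, the patch is missing, and some port is not blocked.
$unblocked = @($RrasPorts | Where-Object { $blocked -notcontains $_ })
$report.Verdict = if (-not $report.ServiceRunning) { 'NotExposed: RemoteAccess service not running' }
                  elseif ($report.PatchInstalled)  { "Patched: $PatchKb present" }
                  elseif ($unblocked.Count -eq 0)  { 'Unpatched, but all RRAS ports blocked at the host firewall' }
                  else { "VULNERABLE: unpatched, RRAS running, unblocked ports $($unblocked -join ',')" }

[pscustomobject]$report | Format-List
```

A host-firewall block only mitigates reachability; treat anything other than "Patched" as an open finding until the update is applied.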
📡 Detection & Monitoring
Log Indicators:
- Event ID 4625 failed logons to RRAS service
- Unexpected process creation from svchost.exe with RRAS components
- Windows Security logs showing exploit attempts
Network Indicators:
- Unusual traffic to RRAS ports (1723, 1701, 500) from unexpected sources
- Multiple failed connection attempts followed by successful exploitation
SIEM Query:
source="Windows Security" AND (event_id=4625 OR event_id=4688) AND process_name="svchost.exe" AND service_name="RemoteAccess"