CVE-2023-35367

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows systems running the Routing and Remote Access Service (RRAS) without authentication. It affects Windows servers and workstations with RRAS enabled, potentially allowing complete system compromise. The high CVSS score of 9.8 indicates critical severity.

💻 Affected Systems

Products:
  • Windows Routing and Remote Access Service (RRAS)
Versions: Windows Server 2019, Windows Server 2022, Windows 10, Windows 11
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if RRAS role/service is installed and enabled. Default Windows installations do not have RRAS enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with administrative privileges, enabling data theft, ransomware deployment, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to system compromise, credential harvesting, and network reconnaissance for further attacks.

🟢

If Mitigated

Limited impact due to network segmentation, restricted RRAS access, and proper security controls preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires no authentication and has low attack complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply July 2023 security updates or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35367

Restart Required: Yes

Instructions:

1. Apply July 2023 Windows security updates via Windows Update.
2. For enterprise environments, deploy patches through WSUS or SCCM.
3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable RRAS Service

Temporarily disable the Routing and Remote Access Service if not required:

sc config RemoteAccess start= disabled
sc stop RemoteAccess

Block RRAS Ports

Block network access to RRAS ports (typically TCP 1723, UDP 1701, UDP 500, UDP 4500):

netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500,4500

🧯 If You Can't Patch

  • Disable RRAS service completely if not required for business operations
  • Implement strict network segmentation and firewall rules to restrict access to RRAS services

🔍 How to Verify

Check if Vulnerable:

Check if RRAS service is running: Get-Service RemoteAccess | Select Status, StartType

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify July 2023 or later security updates are installed: Get-HotFix | Where-Object {$_.InstalledOn -ge '07/11/2023'}
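The three checks above combined into one function, as an added example that is not part of the original advisory. It assumes an elevated PowerShell 5.1 or later session on the host being checked, and it approximates "patched" as "the most recent hotfix was installed on or after 2023-07-11", the July 2023 Patch Tuesday date this page uses; the function name and output fields are my own.

```powershell
# Added example, not from the original advisory.
# Assumptions: run elevated on the host itself; "patched" is approximated by the
# install date of the newest hotfix compared against the July 2023 release date.
# Get-HotFix does not list every cumulative update reliably, so treat
# Exposed = $false with an old LatestHotFixOn as "verify manually", not as safe.
function Test-RrasExposure {
    [CmdletBinding()]
    param(
        [datetime]$PatchDate = [datetime]'2023-07-11'
    )

    # Check 1: is the RRAS service present, running, or merely able to start?
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $rrasPresent = $null -ne $svc
    $rrasRunning = $rrasPresent -and ($svc.Status -eq 'Running')
    $rrasEnabled = $rrasPresent -and ($svc.StartType -ne 'Disabled')
    $startType   = if ($rrasPresent) { [string]$svc.StartType } else { 'n/a' }

    # Check 2: OS name and version (same data as systeminfo, without text parsing)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Check 3: newest installed hotfix and whether it post-dates the July 2023 fix
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1
    $patched     = ($null -ne $latest) -and ($latest.InstalledOn -ge $PatchDate)
    $latestId    = if ($latest) { $latest.HotFixID }    else { 'none' }
    $latestDate  = if ($latest) { $latest.InstalledOn } else { $null }

    # Exposed only if RRAS can actually run AND no post-July-2023 update is present.
    $exposed = ($rrasRunning -or $rrasEnabled) -and (-not $patched)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSName         = $os.Caption
        OSVersion      = $os.Version
        RrasInstalled  = $rrasPresent
        RrasRunning    = $rrasRunning
        RrasStartType  = $startType
        LatestHotFix   = $latestId
        LatestHotFixOn = $latestDate
        Exposed        = $exposed
    }
}

Test-RrasExposure | Format-List
```

Because a disabled service is only a temporary workaround, the function still reports a host as exposed when RRAS is merely installed with a non-disabled start type and no post-July-2023 update is present; invoke it across a fleet with Invoke-Command and filter on the Exposed field.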

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4625 (failed logon) from RRAS service
  • Unexpected process creation from svchost.exe related to RRAS
  • Windows Security logs showing remote connection attempts to RRAS

Network Indicators:

  • Unusual traffic to RRAS ports (TCP 1723, UDP 1701, UDP 500, UDP 4500) from unexpected sources
  • Multiple connection attempts to RRAS service

SIEM Query:

source="windows_security" ((event_id=4625 AND service_name="RemoteAccess") OR (destination_port IN (1723, 1701, 500, 4500) AND action="blocked"))
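The query's two indicators expressed as a PowerShell filter, as an added example that is not part of the original advisory, so the logic can be exercised against constructed records before it is deployed to a SIEM. The field names (event_id, service_name, destination_port, action) are the ones the query uses; the sample records and the src_ip field are constructed, and the function name is my own.

```powershell
# Added example, not from the original advisory. Field names follow the page's SIEM
# query; the sample records below are constructed, not real telemetry.
$RrasPorts = 1723, 1701, 500, 4500

function Test-RrasIndicator {
    param([Parameter(ValueFromPipeline)] [hashtable]$Record)
    process {
        # Indicator 1: a failed logon (4625) handled by the RemoteAccess service.
        # Missing keys evaluate to $null, so a record without these fields never matches.
        $failedRrasLogon = ($Record.event_id -eq 4625) -and
                           ($Record.service_name -eq 'RemoteAccess')

        # Indicator 2: a firewall-blocked connection to one of the RRAS ports.
        $blockedRrasPort = ($RrasPorts -contains $Record.destination_port) -and
                           ($Record.action -eq 'blocked')

        if ($failedRrasLogon -or $blockedRrasPort) { $Record }
    }
}

# Constructed sample records: one hit per indicator, two that must not match.
$samples = @(
    @{ event_id = 4625; service_name = 'RemoteAccess'; src_ip = '203.0.113.7' },
    @{ event_id = 4625; service_name = 'W3SVC';        src_ip = '203.0.113.8' },
    @{ destination_port = 1723; action = 'blocked';    src_ip = '198.51.100.9' },
    @{ destination_port = 1723; action = 'allowed';    src_ip = '192.0.2.10' }
)

$hits = @($samples | Test-RrasIndicator)
"$($hits.Count) of $($samples.Count) sample records matched"
$hits | ForEach-Object { [pscustomobject]$_ } | Format-Table -AutoSize
```

The two indicators are kept as separately named booleans rather than one long expression so that the OR/AND grouping is explicit; the same grouping needs parentheses in the SIEM query, since an unparenthesised "A OR B AND C" is evaluated differently by different query languages.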
