CVE-2024-26200

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS) without authentication. Attackers can exploit this heap-based buffer overflow (CWE-122) to gain SYSTEM privileges on affected systems. Organizations using Windows servers with RRAS enabled are at risk.

💻 Affected Systems

Products:
  • Windows Server
Versions: Windows Server 2019, 2022
Operating Systems: Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when RRAS role is installed and configured. Default Windows installations do not have RRAS enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal credentials, pivot to other systems, and establish persistent access.

🟠 Likely Case

Remote code execution leading to ransomware deployment, data exfiltration, or lateral movement within the network.

🟢 If Mitigated

Limited impact if systems are patched, network segmentation prevents lateral movement, and RRAS is disabled on non-essential systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires no authentication and has low attack complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: April 2024 security updates

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26200

Restart Required: Yes

Instructions:

1. Apply the April 2024 Windows security updates via Windows Update.
2. For servers, use Windows Server Update Services (WSUS).
3. For manual updates, download from the Microsoft Update Catalog.
4. Restart affected systems after patching.

🔧 Temporary Workarounds

Disable RRAS Service

Stop and disable the Routing and Remote Access Service if it is not required:

  sc stop RemoteAccess
  sc config RemoteAccess start= disabled

Block RRAS Ports

Block inbound access to the RRAS ports (TCP 1723, UDP 1701, UDP 500, UDP 4500). Note that UDP 500 and 4500 carry all IKE/IPsec traffic to the host, not only RRAS, so the second rule also disrupts any other IPsec use on that server:

  netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
  netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500,4500

🧯 If You Can't Patch

  • Disable RRAS service on all non-essential systems
  • Implement strict network segmentation and firewall rules to isolate RRAS systems

🔍 How to Verify

Check if Vulnerable:

Check whether the RRAS service is running with 'sc query RemoteAccess', and confirm the Windows version with 'systeminfo | findstr /B /C:"OS Name" /C:"OS Version"'. A host is only exposed if the RRAS role is installed and the service is active on an affected version.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that the April 2024 security update is installed: 'wmic qfe list | findstr "KB5036893"' (KB numbers differ by Windows release, so take the correct one for the host from the vendor advisory), and confirm that RRAS is either disabled or the host has been restarted after patching.
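The three checks above combined into one PowerShell function, added here as an example rather than taken from the advisory. It assumes an elevated session on a Windows Server host with the ServerManager module available, and that the KB quoted on this page is the right one for the host's release; a later cumulative update supersedes it without matching the name, so a missing KB is a prompt to compare the OS build against the advisory, not a final verdict.

```powershell
function Test-Cve202426200Exposure {
    # KB quoted in the advisory text; differs per Windows release and is
    # superseded by later cumulative updates (see note above).
    param([string]$Kb = 'KB5036893')

    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    # Role check: the RemoteAccess service exists on Server even without the
    # role, so the service alone does not prove RRAS is configured.
    $role = Get-WindowsFeature -Name RemoteAccess -ErrorAction SilentlyContinue
    $svc  = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $fix  = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

    $r = [pscustomobject]@{
        OsName         = $os.Caption
        OsBuild        = $os.BuildNumber
        RoleInstalled  = [bool]($role -and $role.Installed)
        ServiceState   = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'absent' }
        PatchInstalled = [bool]$fix
        Verdict        = ''
    }

    $running = $svc -and $svc.Status -eq 'Running'
    if ($r.PatchInstalled) {
        $r.Verdict = 'Patched: update present (restart required if just installed)'
    } elseif (-not $r.RoleInstalled -and -not $running) {
        $r.Verdict = 'Not exposed: RRAS role not installed'
    } elseif ($running) {
        $r.Verdict = "EXPOSED: RRAS running and $Kb not found; patch or disable RRAS"
    } else {
        $r.Verdict = 'At risk: RRAS role present but service stopped; patch before starting it'
    }
    return $r
}

# Hypothetical invocation: run on each RRAS host and review the Verdict field.
Test-Cve202426200Exposure | Format-List
```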

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4625 failed logons to RRAS service
  • Event ID 4688 new process creation from RRAS service
  • Unexpected service crashes in System logs

Network Indicators:

  • Unusual traffic to RRAS ports (1723, 1701, 500, 4500) from unexpected sources
  • Suspicious network connections originating from RRAS servers

SIEM Query:

source="windows" (event_id=4625 AND service_name="RemoteAccess") OR (event_id=4688 AND parent_process_name="svchost.exe" AND parent_process_command_line="*RemoteAccess*")
