CVE-2024-26205
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Windows systems running the Routing and Remote Access Service (RRAS) without authentication. Attackers can exploit this heap-based buffer overflow (CWE-122) to gain SYSTEM privileges on affected systems. All Windows systems with RRAS enabled are potentially vulnerable.
💻 Affected Systems
- Windows Routing and Remote Access Service (RRAS)
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal data, pivot to other systems, or create persistent backdoors.
Likely Case
Remote code execution leading to ransomware deployment, credential theft, or lateral movement within the network.
If Mitigated
Limited impact if RRAS is disabled or properly firewalled, with attackers unable to reach the vulnerable service.
🎯 Exploit Status
Microsoft has rated this as 'Exploitation More Likely' in their advisory. The CWE-122 classification suggests a heap-based buffer overflow that could be reliably exploited.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: April 2024 security updates (KB5036893 for Windows 10, KB5036895 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26205
Restart Required: Yes
Instructions:
1. Apply the April 2024 security updates from Windows Update.
2. For enterprise environments, deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable RRAS Service
Completely disables the vulnerable Routing and Remote Access Service
sc config RemoteAccess start= disabled
sc stop RemoteAccess
Block RRAS Ports
Blocks network access to RRAS ports (TCP 1723, UDP 1701, UDP 500, UDP 4500)
netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500,4500
🧯 If You Can't Patch
- Disable RRAS service if not required for business operations
- Implement strict network segmentation and firewall rules to block external and lateral access to RRAS ports
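The two workarounds above (disable the service, block its ports) as one idempotent PowerShell function. This is an added example, not part of the advisory or of any Microsoft tooling; it assumes RRAS is not needed on the host, an elevated session, and the NetSecurity module (Windows 8 / Server 2012 and later) for the firewall cmdlets. Set-Service/Stop-Service and New-NetFirewallRule are used as the cmdlet equivalents of the sc and netsh commands shown above, and -WhatIf lets you preview the change first.

```powershell
# Added example: disable the RRAS service and block its ports.
# Not part of the advisory; assumes RRAS is not required on this host.
# Run from an elevated (Administrator) PowerShell session.
function Invoke-RrasMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Ports listed in the advisory workaround (PPTP, L2TP, IKE, NAT-T)
        [int[]]$TcpPorts = @(1723),
        [int[]]$UdpPorts = @(1701, 500, 4500)
    )

    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning 'RemoteAccess service not present; nothing to disable.'
    }
    elseif ($PSCmdlet.ShouldProcess('RemoteAccess', 'Stop service and set StartupType=Disabled')) {
        # Equivalent of: sc config RemoteAccess start= disabled / sc stop RemoteAccess
        Set-Service -Name RemoteAccess -StartupType Disabled
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name RemoteAccess -Force
        }
    }

    # Equivalent of the two netsh advfirewall rules; a rule with the same
    # display name is left alone so the function can be re-run safely.
    $rules = @(
        @{ Name = 'Block RRAS';     Protocol = 'TCP'; Ports = $TcpPorts },
        @{ Name = 'Block RRAS UDP'; Protocol = 'UDP'; Ports = $UdpPorts }
    )
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
            Write-Verbose "Firewall rule '$($r.Name)' already exists; skipping."
            continue
        }
        if ($PSCmdlet.ShouldProcess($r.Name, "Add inbound block for $($r.Protocol) $($r.Ports -join ',')")) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
                -Protocol $r.Protocol -LocalPort $r.Ports -Profile Any | Out-Null
        }
    }

    # Report the resulting state so the change can be recorded in the ticket
    $after = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service       = if ($after) { $after.Status }    else { 'NotInstalled' }
        StartType     = if ($after) { $after.StartType } else { 'NotInstalled' }
        FirewallRules = (Get-NetFirewallRule -DisplayName 'Block RRAS*' -ErrorAction SilentlyContinue).DisplayName
    }
}

# Preview first, then apply:
# Invoke-RrasMitigation -WhatIf
# Invoke-RrasMitigation -Verbose
```

The firewall rules only help against traffic that actually crosses the host firewall; if RRAS is also reachable through an upstream VPN concentrator or NAT rule, block the same ports there as well.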
🔍 How to Verify
Check if Vulnerable:
Check if RRAS service is running:
Get-Service RemoteAccess | Select Status, StartType
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify patch installation (use the KB that applies to your OS version):
Get-HotFix -Id KB5036893
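The three checks above combined into one function that returns a single assessment object per host, suitable for running through Invoke-Command across a fleet. This is an added example, not part of the advisory; the KB numbers are the two the advisory names, and the list will need extending with the KB that matches your exact OS build.

```powershell
# Added example: local exposure check for CVE-2024-26205. Not part of the advisory.
# KB numbers come from the advisory text (April 2024 updates); add the KB for
# your own OS build if it is not one of these two.
function Test-RrasPatchState {
    param(
        [string[]]$KnownKbs = @('KB5036893', 'KB5036895')
    )

    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $svc       = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $installed = @(Get-HotFix | Where-Object { $_.HotFixID -in $KnownKbs })

    # The bug is only reachable if the RRAS service can actually run
    $rrasExposed = $svc -and ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled')

    $assessment = if ($installed.Count -gt 0) { 'Patched' }
                  elseif (-not $rrasExposed)  { 'Unpatched-but-RRAS-disabled' }
                  else                        { 'Vulnerable' }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        OS          = $os.Caption
        Build       = $os.BuildNumber
        RrasStatus  = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        RrasStartup = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        MatchedKb   = ($installed.HotFixID -join ',')
        Assessment  = $assessment
    }
}

Test-RrasPatchState | Format-List
```

Caveat: Get-HotFix lists the update packages present on the machine, so a host that has since taken a later cumulative update will not show the April KB even though it contains the fix. On such hosts compare the reported Build against the patched build number listed in the MSRC advisory rather than treating a missing KB as proof of exposure.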
📡 Detection & Monitoring
Log Indicators:
- Event ID 4625 (failed logon) from RRAS service
- Unexpected process creation from svchost.exe with RRAS parameters
- Crash dumps from rasserver.exe
Network Indicators:
- Unusual traffic to RRAS ports (TCP 1723, UDP 1701, 500, 4500) from unexpected sources
- Malformed packets targeting RRAS service
SIEM Query:
source="windows" AND ((event_id=4625 AND service_name="RemoteAccess") OR (process_name="rasserver.exe" AND parent_process="svchost.exe"))
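A host-side counterpart to the SIEM query, run against the local event logs, as an added example that is not part of the advisory. It collects the same three indicator classes (failed logons, RRAS service crashes, application crash records naming the processes above). The choice of System-log Event IDs 7031/7034 (Service Control Manager: service terminated unexpectedly) and Application-log Event ID 1000 (Application Error) as the local traces of a service crash, and the 4625 property offsets used for logon type and source address, are this example's assumptions, not something the advisory states; adjust them to your own telemetry.

```powershell
# Added example: local event-log sweep matching the SIEM query's indicators.
# Not part of the advisory. Event IDs 7031/7034 and 1000 and the 4625
# property offsets are assumptions about standard Windows logging.
function Get-RrasSuspiciousEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    $findings = @()

    # 1) Failed logons (4625). Noisy on its own; keep logon type and source IP
    #    so the analyst can separate VPN attempts from interactive failures.
    #    Offsets 10 (LogonType) and 19 (IpAddress) follow the standard 4625 layout.
    $failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                  -ErrorAction SilentlyContinue
    foreach ($e in $failed) {
        $logonType = if ($e.Properties.Count -gt 10) { $e.Properties[10].Value } else { '?' }
        $srcIp     = if ($e.Properties.Count -gt 19) { $e.Properties[19].Value } else { '?' }
        $findings += [pscustomobject]@{
            Time   = $e.TimeCreated
            Kind   = 'FailedLogon'
            Detail = "LogonType=$logonType Source=$srcIp"
        }
    }

    # 2) RRAS service terminating unexpectedly (a crash of a svchost-hosted
    #    service surfaces here rather than as a separate process crash)
    $crash = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager';
                                              Id = 7031, 7034; StartTime = $Since } -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -match 'Routing and Remote Access|RemoteAccess' }
    foreach ($e in $crash) {
        $findings += [pscustomobject]@{
            Time   = $e.TimeCreated
            Kind   = 'ServiceCrash'
            Detail = ($e.Message -split "`n")[0]
        }
    }

    # 3) Application crash records naming the process names from the advisory
    $appErr = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error';
                                               Id = 1000; StartTime = $Since } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'rasserver\.exe|svchost\.exe' }
    foreach ($e in $appErr) {
        $findings += [pscustomobject]@{
            Time   = $e.TimeCreated
            Kind   = 'ProcessCrash'
            Detail = ($e.Message -split "`n")[0]
        }
    }

    $findings | Sort-Object Time
}

# Summary per indicator class, then the raw hits for triage
$hits = Get-RrasSuspiciousEvents
$hits | Group-Object Kind | Select-Object Name, Count
$hits | Format-Table -AutoSize
```

Reading the Security log requires an elevated session; the -ErrorAction SilentlyContinue on each Get-WinEvent call is there because the cmdlet raises an error rather than returning nothing when no event matches the filter. A ServiceCrash hit close in time to a burst of FailedLogon entries from one external address is the combination worth escalating.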