CVE-2024-30022

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows systems running the Routing and Remote Access Service (RRAS). Attackers can exploit this without authentication to gain SYSTEM privileges on affected systems. All Windows systems with RRAS enabled are potentially vulnerable.

💻 Affected Systems

Products:
  • Windows Routing and Remote Access Service (RRAS)
Versions: Windows Server 2019, Windows Server 2022, Windows 10, Windows 11
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if RRAS role/feature is installed and enabled. Not enabled by default on most Windows installations.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal data, pivot to other systems, or disrupt network operations.

🟠

Likely Case

Initial foothold for ransomware deployment, credential theft, or lateral movement within enterprise networks.

🟢

If Mitigated

Limited impact if RRAS is disabled or properly firewalled, though exploitation could still occur if attackers bypass perimeter controls.

🌐 Internet-Facing: HIGH - RRAS services exposed to the internet can be directly exploited without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit RRAS for lateral movement within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires no authentication and has low attack complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2024 security updates (KB5037771 for Windows 11, KB5037765 for Windows 10, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30022

Restart Required: Yes

Instructions:

1. Apply the May 2024 Windows security updates from Windows Update or the Microsoft Update Catalog.
2. Restart the system to complete installation.
3. Verify the update is installed via winver or systeminfo.

🔧 Temporary Workarounds

Disable RRAS Service


Stop and disable the Routing and Remote Access Service if not required.

sc stop RemoteAccess
sc config RemoteAccess start= disabled

Block RRAS Ports


Configure firewall to block RRAS ports (TCP 1723, UDP 1701, UDP 500, UDP 4500).

netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500,4500

🧯 If You Can't Patch

  • Disable RRAS service immediately if not required for business operations
  • Implement strict network segmentation and firewall rules to isolate RRAS servers from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check whether the RRAS service is running: sc query RemoteAccess | findstr RUNNING. If it is running and the system is unpatched, the system is vulnerable.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify May 2024 security updates are installed: systeminfo | findstr "KB5037771 KB5037765 KB5037768 KB5037769"
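The three checks above (service state, OS version, installed KBs) plus the firewall workaround can be run as one script. The following is an added example, not part of the advisory: it assumes an elevated PowerShell session on the host being assessed, and it uses only the KB identifiers listed in this advisory. A host that has received a later cumulative update superseding those KBs will report "no listed KB found" even though it is patched, so the build number is printed alongside for manual comparison against the vendor advisory.

```powershell
# Added example (not from the advisory): defender-side exposure check for CVE-2024-30022.
# Assumes: elevated PowerShell on the local Windows host; KB list taken from the advisory above.

$KbList = @('KB5037771', 'KB5037765', 'KB5037768', 'KB5037769')   # from the advisory text

# 1. Is the RRAS service present, and what are its state and start type?
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "RemoteAccess service not present: RRAS is not installed on this host."
} else {
    Write-Output ("RemoteAccess service: Status={0} StartType={1}" -f $svc.Status, $svc.StartType)
}

# 2. OS identity and build, for matching against the affected-version list.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Output ("OS: {0} (build {1})" -f $os.Caption, $os.BuildNumber)

# 3. Are any of the listed May 2024 KBs installed? Get-HotFix reads the same data systeminfo shows.
$installed = Get-HotFix | Where-Object { $KbList -contains $_.HotFixID }
if ($installed) {
    $installed | ForEach-Object {
        Write-Output ("Patch present: {0} installed {1}" -f $_.HotFixID, $_.InstalledOn)
    }
} else {
    Write-Output "No listed May 2024 KB found (may be superseded by a later cumulative update; compare build number with the vendor advisory)."
}

# 4. Is the temporary firewall workaround from this advisory in place? (rule names are the advisory's)
$blockRules = Get-NetFirewallRule -DisplayName 'Block RRAS*' -ErrorAction SilentlyContinue
if ($blockRules) {
    $blockRules | ForEach-Object {
        Write-Output ("Firewall rule: {0} Enabled={1} Action={2}" -f $_.DisplayName, $_.Enabled, $_.Action)
    }
} else {
    Write-Output "No 'Block RRAS' firewall rules found."
}

# 5. Summary verdict, following the advisory's own logic: running + unpatched => vulnerable.
$running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
$patched = [bool]$installed
if ($running -and -not $patched) {
    Write-Output "VERDICT: RRAS running and no listed KB found -> treat as vulnerable; apply the update or disable the service."
} elseif ($running) {
    Write-Output "VERDICT: RRAS running, listed patch present."
} else {
    Write-Output "VERDICT: RRAS not running; exposure limited, but still apply the update."
}
```

Run it on each RRAS host after patching; the verdict line is the one to collect centrally.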

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 with RRAS process creation
  • Unexpected RRAS service restarts
  • Security log events showing SYSTEM privilege escalation

Network Indicators:

  • Unusual traffic to RRAS ports (1723, 1701, 500, 4500) from unexpected sources
  • Suspicious network connections originating from RRAS servers

SIEM Query:

source="windows" AND ((event_id=4688 AND process_name="*rras*") OR service_name="RemoteAccess")
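The host-side indicators listed above (RRAS process creation and unexpected service restarts) can be pulled directly from a host's event logs when no SIEM is in front of it. The following is an added example, not part of the advisory: it assumes an elevated PowerShell session on the Windows host and a seven-day lookback. Event ID 4688 is only written when "Audit Process Creation" is enabled in the audit policy, so an empty result for that query may mean auditing is off rather than that nothing happened; Event ID 7036 from the Service Control Manager records service state changes and is logged by default.

```powershell
# Added example (not from the advisory): collect RRAS-related host indicators from local event logs.
# Assumes: elevated PowerShell; Security log auditing of process creation (4688) is enabled.

$Since = (Get-Date).AddDays(-7)   # lookback window, constructed for this example

# Process-creation events (4688) whose message mentions an RRAS binary or path.
$procEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'rras' }

# Service state changes (7036) for the RemoteAccess service, whose display name is
# "Routing and Remote Access"; repeated stop/start cycles are the "unexpected restarts" indicator.
$svcEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $Since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Routing and Remote Access' }

# Emit a flat record per event so the output can be exported or forwarded as-is.
$results = @()
foreach ($e in @($procEvents) + @($svcEvents)) {
    $results += [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Log         = $e.LogName
        Summary     = ($e.Message -split "`r?`n")[0]   # first line of the message only
    }
}

if ($results.Count -eq 0) {
    Write-Output "No RRAS process-creation or service-restart events in the window (check that 4688 auditing is enabled)."
} else {
    $results | Sort-Object TimeCreated | Format-Table -AutoSize
    Write-Output ("{0} event(s); {1} service state change(s) for Routing and Remote Access." -f $results.Count, @($svcEvents).Count)
}
```

Baseline the 7036 count on a quiet host first: a planned restart produces a stop/start pair, so anything beyond the expected pairs in the window is what to investigate.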
