CVE-2024-43607

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS). Attackers can exploit this without authentication to gain SYSTEM privileges on affected systems. Organizations using Windows servers with RRAS enabled are primarily affected.

💻 Affected Systems

Products:
  • Windows Routing and Remote Access Service (RRAS)
Versions: Windows Server 2019, Windows Server 2022, Windows 11, Windows 10
Operating Systems: Windows Server 2019, Windows Server 2022, Windows 11, Windows 10
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when RRAS is enabled and configured. Default Windows installations do not have RRAS enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal data, pivot to other systems, and maintain persistent access.

🟠 Likely Case

Initial foothold for ransomware deployment, credential harvesting, or lateral movement within corporate networks.

🟢 If Mitigated

Limited impact if RRAS is disabled or properly firewalled, with attackers unable to reach the vulnerable service.

🌐 Internet-Facing: HIGH - RRAS services exposed to the internet are directly vulnerable to remote exploitation without authentication.
🏢 Internal Only: MEDIUM - Internal systems with RRAS enabled remain vulnerable to attackers who gain network access through other means.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires no authentication and has low attack complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2024 security updates (KB5037768 for Windows 11, KB5037765 for Windows 10, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43607

Restart Required: Yes

Instructions:

1. Apply May 2024 Windows security updates from Windows Update.
2. For enterprise environments, deploy updates via WSUS or Microsoft Endpoint Configuration Manager.
3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable RRAS Service

Platform: Windows

Completely disable the Routing and Remote Access Service if not required.

sc config RemoteAccess start= disabled
sc stop RemoteAccess

Block RRAS Ports

Platform: All

Block network access to RRAS ports (TCP 1723, UDP 1701, UDP 500, UDP 4500) at firewalls.
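The advisory places the port block at the network firewall. As an added example (not part of the advisory), the following PowerShell applies the same block on the host itself with Windows Defender Firewall rules, as a defence-in-depth layer for servers that cannot be patched immediately. The rule names are constructed; the ports are the ones listed above. Run from an elevated prompt.

```powershell
# Added example, not from the advisory: host-based inbound block for the
# RRAS ports the advisory names (TCP 1723 PPTP, UDP 1701 L2TP, UDP 500/4500 IKE).
# Rule display names are constructed for this example.
$rules = @(
    @{ Name = 'Block RRAS PPTP (TCP 1723)';  Protocol = 'TCP'; Port = 1723 },
    @{ Name = 'Block RRAS L2TP (UDP 1701)';  Protocol = 'UDP'; Port = 1701 },
    @{ Name = 'Block RRAS IKE (UDP 500)';    Protocol = 'UDP'; Port = 500  },
    @{ Name = 'Block RRAS NAT-T (UDP 4500)'; Protocol = 'UDP'; Port = 4500 }
)

foreach ($r in $rules) {
    # Idempotent: skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Output "Rule already present: $($r.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound `
        -Protocol $r.Protocol -LocalPort $r.Port `
        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Output "Created: $($r.Name)"
}

# Show the resulting rules so the change can be confirmed and audited.
Get-NetFirewallRule -DisplayName 'Block RRAS*' |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```

Blocking UDP 500 and 4500 on the host also stops any IPsec/IKE negotiation the server itself performs, so confirm that the host does not depend on IPsec for other traffic before applying the last two rules.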

🧯 If You Can't Patch

  • Disable RRAS service immediately if not required for business operations
  • Implement strict network segmentation and firewall rules to isolate RRAS servers from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check whether the RRAS service is running with 'sc query RemoteAccess', and confirm that the Windows build is unpatched (see the version check below).

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify May 2024 security updates are installed via 'systeminfo' or 'Get-Hotfix -Id KB5037768' (adjust KB number for your OS).
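The three checks in this section (service state, exposure on the RRAS ports, and presence of the update) can be run together. The script below is an added example, not part of the advisory: it reports each condition for the local host and a combined verdict. The KB number defaults to the one the advisory quotes for Windows 11 and must be adjusted for other editions; the verdict logic is this example's own assumption. Run from an elevated prompt.

```powershell
# Added example, not from the advisory: local exposure check for CVE-2024-43607.
# Assumptions: the KB id is the Windows 11 one quoted by the advisory (override
# with -KbId), and "vulnerable" means RRAS is active and the update is absent.
param(
    [string]$KbId = 'KB5037768'
)

# 1. Service state. RRAS is not installed on default Windows builds, so a
#    missing service already means the host is not exposed.
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'RemoteAccess service not installed: RRAS not exposed on this host.'
    $rrasActive = $false
}
else {
    Write-Output ("RemoteAccess service status: {0}, start type: {1}" -f $svc.Status, $svc.StartType)
    $rrasActive = ($svc.Status -eq 'Running') -or ($svc.StartType -eq 'Automatic')
}

# 2. Listening sockets on the ports the advisory names. Note that UDP 500/4500
#    may also be opened by the built-in IKE service independently of RRAS.
$open = @()
foreach ($p in @(1723)) {
    if (Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue) { $open += "TCP/$p" }
}
foreach ($p in @(1701, 500, 4500)) {
    if (Get-NetUDPEndpoint -LocalPort $p -ErrorAction SilentlyContinue) { $open += "UDP/$p" }
}
if ($open) { Write-Output ("Listening on RRAS ports: {0}" -f ($open -join ', ')) }
else       { Write-Output 'No listeners on RRAS ports.' }

# 3. Is the update installed? Get-HotFix reads the same data 'systeminfo' shows.
$fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($fix) { Write-Output ("{0} installed on {1}" -f $fix.HotFixID, $fix.InstalledOn) }
else      { Write-Output "$KbId not found in installed updates." }

# Verdict (this example's own rule of thumb).
if ($rrasActive -and -not $fix) {
    Write-Output 'VERDICT: likely vulnerable - RRAS active and update missing. Patch or disable RRAS.'
}
elseif ($rrasActive) {
    Write-Output 'VERDICT: RRAS active but update present.'
}
else {
    Write-Output 'VERDICT: RRAS inactive; not exposed regardless of patch level.'
}
```

Because cumulative updates supersede earlier ones, a later month's KB can replace the one checked here; when the lookup fails, compare the OS build from the systeminfo command above against the vendor advisory before concluding the host is unpatched.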

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4625 (failed logon) from RRAS service
  • Unexpected process creation from svchost.exe related to RemoteAccess service
  • Windows Security logs showing exploitation attempts

Network Indicators:

  • Unusual traffic to RRAS ports (1723, 1701, 500, 4500) from unexpected sources
  • Suspicious network connections to RRAS service

SIEM Query:

source="Windows Security" AND (event_id=4625 OR event_id=4688) AND process_name="svchost.exe" AND service_name="RemoteAccess"
