CVE-2025-21410 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2025-21410?

CVE-2025-21410 has a CVSS score of 8.8 (HIGH). This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS) by exploiting a heap-based buffer overflow. It affects Windows servers and workstations with RRAS enabled, particularly those configured as VPN servers or routers. Attackers can potentially gain SYSTEM privileges on vulnerable systems.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows systems running Routing and Remote Access Service (RRAS) by exploiting a heap-based buffer overflow. It affects Windows servers and workstations with RRAS enabled, particularly those configured as VPN servers or routers. Attackers can potentially gain SYSTEM privileges on vulnerable systems.

💻 Affected Systems

Products:

Windows Routing and Remote Access Service (RRAS)

Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ✅ No

Notes: Only vulnerable if RRAS role/service is installed and enabled. Default Windows installations do not have RRAS enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal credentials, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Remote code execution leading to ransomware deployment, data exfiltration, or creation of backdoors for future attacks.

🟢

If Mitigated

Limited impact due to network segmentation, proper access controls, and monitoring that detects exploitation attempts.

🌐 Internet-Facing: HIGH - RRAS servers exposed to the internet (VPN gateways) are directly accessible to attackers.

🏢 Internal Only: MEDIUM - Internal RRAS servers are vulnerable to compromised internal hosts or lateral movement attempts.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

CWE-122 indicates heap-based buffer overflow. Exploitation requires sending specially crafted packets to RRAS service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: March 2025 security updates (KB5035853 for Windows 10, KB5035854 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21410

Restart Required: Yes

Instructions:

1. Apply March 2025 Windows security updates via Windows Update. 2. For enterprise: Deploy updates through WSUS, SCCM, or Intune. 3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable RRAS Service

Windows

Temporarily disable Routing and Remote Access Service if not required

sc config RemoteAccess start= disabled
net stop RemoteAccess

Block RRAS Ports

Windows

Block network access to RRAS ports (TCP 1723, UDP 1701, UDP 500, UDP 4500) at firewall

netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500,4500

🧯 If You Can't Patch

Disable RRAS service on all non-essential systems
Implement strict network segmentation to isolate RRAS servers from critical assets

🔍 How to Verify

Check if Vulnerable:

Check if RRAS service is running: sc query RemoteAccess | findstr RUNNING

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify March 2025 security updates are installed: wmic qfe list | findstr KB503585

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with RRAS process creation
Windows Security logs showing unexpected RRAS service crashes
Application logs with RRAS error codes

Network Indicators:

Unusual traffic patterns to RRAS ports (1723, 1701, 500, 4500)
Malformed packets targeting RRAS service

SIEM Query:

source="windows" (event_id=4688 AND process_name="svchost.exe" AND command_line="*RemoteAccess*") OR (event_id=1000 AND faulting_module="rascfg.dll")

📊 Metadata

CVE ID: CVE-2025-21410

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-122

EPSS Score: 0.66% exploit probability (70.6th percentile)

Published: February 11, 2025

Last Updated: February 14, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21410 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-21410, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable RRAS Service

Block RRAS Ports

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities