CVE-2025-24051

Q: What is the severity of CVE-2025-24051?

CVE-2025-24051 has a CVSS score of 8.8 (HIGH). A heap-based buffer overflow vulnerability in Windows Routing and Remote Access Service (RRAS) allows unauthenticated attackers to execute arbitrary code remotely over a network. This affects Windows systems with RRAS enabled, potentially giving attackers full system control. Organizations using Windows servers with routing or remote access features are at risk.

8.8 HIGH

Remote Code Execution Buffer Overflow

📋 TL;DR

A heap-based buffer overflow vulnerability in Windows Routing and Remote Access Service (RRAS) allows unauthenticated attackers to execute arbitrary code remotely over a network. This affects Windows systems with RRAS enabled, potentially giving attackers full system control. Organizations using Windows servers with routing or remote access features are at risk.

💻 Affected Systems

Products:

Windows Server
Windows

Versions: Specific versions to be confirmed via Microsoft advisory

Operating Systems: Windows Server, Windows

Default Config Vulnerable: ✅ No

Notes: Only systems with RRAS enabled and configured are vulnerable. Default Windows installations typically do not have RRAS enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to domain takeover, data exfiltration, ransomware deployment, and persistent backdoor installation across the network.

🟠

Likely Case

Initial foothold on vulnerable servers followed by lateral movement, credential harvesting, and deployment of additional malware payloads.

🟢

If Mitigated

Limited impact due to network segmentation, strict firewall rules, and immediate patching preventing successful exploitation.

🌐 Internet-Facing: HIGH - RRAS services exposed to the internet can be directly attacked without authentication.

🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this for lateral movement within the network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Network-based exploitation without authentication, but requires specific knowledge of RRAS protocol and memory layout.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: To be determined from Microsoft's monthly security updates

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24051

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft. 2. Ensure RRAS service is restarted after patching. 3. Verify the patch is applied using Windows Update history.

🔧 Temporary Workarounds

Disable RRAS Service

Windows

Temporarily disable the Routing and Remote Access Service if not required

sc config RemoteAccess start= disabled
net stop RemoteAccess

Block RRAS Ports

Windows

Block network access to RRAS ports (typically TCP 1723, UDP 1701, UDP 500)

netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500

🧯 If You Can't Patch

Implement strict network segmentation to isolate RRAS servers from critical assets
Deploy intrusion prevention systems with signatures for buffer overflow attacks on RRAS

🔍 How to Verify

Check if Vulnerable:

Check if RRAS service is running: 'sc query RemoteAccess' and verify Windows version is unpatched

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Check Windows Update history for the specific KB patch and verify RRAS service version

📡 Detection & Monitoring

Log Indicators:

Unusual RRAS service crashes in Event Viewer (Event ID 1000)
Multiple failed RRAS connection attempts from single source
Unexpected RRAS service restarts

Network Indicators:

Large volume of malformed packets to RRAS ports (1723, 1701, 500)
Unusual network traffic patterns from RRAS servers

SIEM Query:

source="windows" AND (event_id=1000 AND process_name="svchost.exe" AND service="RemoteAccess") OR (destination_port IN (1723, 1701, 500) AND packet_size>threshold)

📊 Metadata

CVE ID: CVE-2025-24051

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-122

EPSS Score: 0.4% exploit probability (59.8th percentile)

Published: March 11, 2025

Last Updated: July 2, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24051 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable RRAS Service

Block RRAS Ports

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities