CVE-2025-26664
📋 TL;DR
A buffer over-read vulnerability in Windows Routing and Remote Access Service (RRAS) allows unauthorized attackers to read beyond allocated memory boundaries, potentially disclosing sensitive information over the network. This affects Windows systems with RRAS enabled, particularly those configured for VPN or routing services.
💻 Affected Systems
- Windows Routing and Remote Access Service
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive memory contents including credentials, encryption keys, or other system data, leading to full system compromise through follow-on attacks.
Likely Case
Information disclosure of adjacent memory contents, potentially revealing system information or partial data that could aid further attacks.
If Mitigated
Limited information disclosure with no direct code execution, contained by network segmentation and proper access controls.
🎯 Exploit Status
Requires network access to the RRAS service. No authentication is needed, but exploitation requires specially crafted malformed packets.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Specific patch versions will be detailed in Microsoft's monthly security updates
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26664
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft Update.
2. Restart affected systems.
3. Verify that the RRAS service restarts properly.
🔧 Temporary Workarounds
Disable RRAS if not needed
Disable Routing and Remote Access Service on systems where it is not required (from an elevated prompt; `sc.exe` is used explicitly because `sc` is an alias for Set-Content in PowerShell):
sc.exe config RemoteAccess start= disabled
net stop RemoteAccess
Network segmentation
Restrict network access to the RRAS service using firewall rules. PPTP control traffic is TCP 1723, L2TP is UDP 1701, and GRE is IP protocol 47 (not a TCP port), so each needs its own rule:
New-NetFirewallRule -DisplayName "Block RRAS PPTP" -Direction Inbound -Protocol TCP -LocalPort 1723 -Action Block
New-NetFirewallRule -DisplayName "Block RRAS L2TP" -Direction Inbound -Protocol UDP -LocalPort 1701 -Action Block
New-NetFirewallRule -DisplayName "Block RRAS GRE" -Direction Inbound -Protocol 47 -Action Block
🧯 If You Can't Patch
- Implement strict network access controls to limit RRAS exposure
- Monitor RRAS service logs for unusual activity and connection attempts
🔍 How to Verify
Check if Vulnerable:
Check if RRAS service is running: Get-Service RemoteAccess | Select Status, StartType
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify Windows Update history for CVE-2025-26664 patch and confirm RRAS service version
📡 Detection & Monitoring
Log Indicators:
- Unusual RRAS service crashes
- Failed authentication attempts to RRAS
- Large volume of malformed packets to RRAS ports
Network Indicators:
- Unusual traffic patterns to RRAS listeners (TCP 1723 for PPTP, UDP 1701 for L2TP, IP protocol 47 for GRE)
- Malformed packet attempts to RRAS service
SIEM Query:
source="windows" AND ((event_id=7034 AND service_name="RemoteAccess") OR event_id=4625)
(Event 7034 is a Service Control Manager "service terminated unexpectedly" record and carries the service name; event 4625 is a failed logon and has no service_name field, so the two conditions are combined with OR rather than AND.)
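For hosts without SIEM coverage, the same indicators can be pulled from the local event logs. The following is an added PowerShell example, not part of the advisory or any Microsoft tooling; it assumes it runs elevated on the RRAS host, and the lookback window and failed-logon threshold are illustrative values.

```powershell
# Added example (not from the advisory): check local Windows event logs for the
# RRAS indicators listed above. Run elevated on the RRAS host. The lookback
# window and threshold are illustrative assumptions, not vendor guidance.
param(
    [int]$LookbackHours = 24,
    [int]$FailedLogonThreshold = 20
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Service state: is RRAS installed and running at all?
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if (-not $svc) { Write-Output "RemoteAccess service not installed; host is not exposed via RRAS."; return }
Write-Output ("RemoteAccess: Status={0} StartType={1}" -f $svc.Status, $svc.StartType)

# 2. Service crashes: System log, Service Control Manager event 7034
#    ("service terminated unexpectedly"), filtered on the RRAS display name.
$crashes = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7034; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Routing and Remote Access' })
Write-Output ("RRAS crash events (7034) in last {0}h: {1}" -f $LookbackHours, $crashes.Count)
$crashes | Select-Object TimeCreated, Message | Format-Table -AutoSize -Wrap

# 3. Failed authentication: Security log event 4625, network logons (type 3),
#    grouped by source address so a flood from a single peer stands out.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; LogonType = $d['LogonType']; Source = $d['IpAddress']; User = $d['TargetUserName'] }
    } | Where-Object { $_.LogonType -eq '3' }

$bySource = $failed | Group-Object Source | Sort-Object Count -Descending
foreach ($g in $bySource) {
    $flag = if ($g.Count -ge $FailedLogonThreshold) { 'REVIEW' } else { '' }
    Write-Output ("{0,-20} failed network logons: {1,5} {2}" -f $g.Name, $g.Count, $flag)
}
```

Sources flagged REVIEW exceed the threshold and are candidates for correlation with the firewall and RRAS connection logs; a non-zero crash count during the same window is the stronger signal, since a buffer over-read that destabilises the service typically surfaces as an unexpected termination rather than an authentication failure.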