CVE-2025-26668

7.5 HIGH

📋 TL;DR

A heap-based buffer overflow vulnerability in Windows Routing and Remote Access Service (RRAS) allows remote unauthenticated attackers to execute arbitrary code on affected systems. This affects Windows servers and workstations with RRAS enabled, potentially allowing complete system compromise over the network.

💻 Affected Systems

Products:
  • Windows Routing and Remote Access Service (RRAS)
Versions: Windows Server 2019, Windows Server 2022, Windows 10, Windows 11 (specific versions to be confirmed via Microsoft advisory)
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when RRAS is enabled and configured. Default Windows installations typically do not have RRAS enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to full system compromise, lateral movement within the network, and installation of persistent backdoors or ransomware.

🟠 Likely Case: Remote code execution with SYSTEM privileges, enabling attackers to steal credentials, deploy malware, or pivot to other systems.

🟢 If Mitigated: Limited impact if network segmentation, firewalls, and endpoint protection block exploitation attempts.

🌐 Internet-Facing: HIGH - RRAS services exposed to the internet are directly vulnerable to remote exploitation without authentication.
🏢 Internal Only: MEDIUM - Internal systems with RRAS enabled are vulnerable to attackers who gain initial network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability description indicates network-based exploitation without authentication, suggesting relatively straightforward exploitation once details are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: To be determined from Microsoft's monthly security updates

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26668

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft.
2. Restart affected systems.
3. Verify that the RRAS service is running the patched version.

🔧 Temporary Workarounds

Disable RRAS Service

Temporarily disable the Routing and Remote Access Service if it is not required:

sc config RemoteAccess start= disabled
net stop RemoteAccess

Block RRAS Ports

Block inbound network access to the RRAS ports (typically TCP 1723 for PPTP, UDP 1701 for L2TP, and UDP 500/4500 for IKE and IPsec NAT-T). Note that UDP 500 and 4500 carry IKE for any IPsec peer, so the second rule also blocks non-RRAS IPsec traffic on the host:

netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500,4500

🧯 If You Can't Patch

  • Disable RRAS service on all non-essential systems
  • Implement strict network segmentation and firewall rules to limit RRAS access to trusted networks only

🔍 How to Verify

Check if Vulnerable:

Check whether RRAS is running: sc query RemoteAccess | findstr RUNNING. If it is running, compare the Windows version against the affected versions listed in the Microsoft advisory.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that Windows has been updated to the patched version and that the RRAS service is running. Check the event logs for any RRAS-related errors.
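As an added example (not part of this advisory), a PowerShell check that combines the workaround and verification steps above: it reports whether the RemoteAccess service is installed and running, whether the advisory's "Block RRAS" firewall rules are present, which of the listed ports are actually listening, and whether a given update KB is installed. The KB number is a placeholder to be filled in from the Microsoft advisory, and the Exposed flag is this example's own heuristic, not a vendor check.

```powershell
# Added example (not from the advisory): summarise RRAS exposure on this host.
# Run in an elevated PowerShell session on the system being checked.
function Test-RrasExposure {
    [CmdletBinding()]
    param(
        # Placeholder: replace with the KB number from the Microsoft advisory once known.
        [string]$PatchKB = 'KB<from-advisory>'
    )

    $svc = Get-CimInstance Win32_Service -Filter "Name='RemoteAccess'"
    $os  = Get-CimInstance Win32_OperatingSystem

    # Inbound block rules created by the advisory's netsh workaround (names start with "Block RRAS").
    $blockRules = @(Get-NetFirewallRule -DisplayName 'Block RRAS*' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' -and $_.Direction -eq 'Inbound' })

    # Ports named in the advisory: PPTP 1723/tcp, L2TP 1701/udp, IKE 500/udp, NAT-T 4500/udp.
    $tcpListen = Get-NetTCPConnection -State Listen -LocalPort 1723 -ErrorAction SilentlyContinue
    $udpListen = Get-NetUDPEndpoint -LocalPort 1701,500,4500 -ErrorAction SilentlyContinue

    # Get-HotFix writes a non-terminating error when the KB is absent; treat that as "not installed".
    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

    $result = [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSName            = $os.Caption
        OSBuild           = $os.BuildNumber
        RrasInstalled     = [bool]$svc
        RrasStartMode     = if ($svc) { $svc.StartMode } else { 'n/a' }
        RrasState         = if ($svc) { $svc.State } else { 'n/a' }
        TcpPortsListening = ($tcpListen | Select-Object -ExpandProperty LocalPort -Unique) -join ','
        UdpPortsListening = ($udpListen | Select-Object -ExpandProperty LocalPort -Unique) -join ','
        BlockRulesPresent = $blockRules.Count
        PatchInstalled    = $patched
    }

    # Heuristic for this example: exposed if RRAS is running, no block rule exists, and the KB is missing.
    $exposed = ($result.RrasState -eq 'Running') -and ($result.BlockRulesPresent -eq 0) -and (-not $patched)
    $result | Add-Member -NotePropertyName Exposed -NotePropertyValue $exposed
    return $result
}

Test-RrasExposure | Format-List
```

A host with RRAS stopped or disabled, or with the block rules in place, reports Exposed as False; a running service on an unpatched build with no block rules reports True.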

📡 Detection & Monitoring

Log Indicators:

  • Unexpected RRAS service crashes (Event ID 1000, 1001)
  • Unusual network connections to RRAS ports
  • Failed authentication attempts to RRAS

Network Indicators:

  • Unusual traffic patterns to RRAS ports (TCP 1723, UDP 1701, 500, 4500)
  • Malformed packets targeting RRAS service

SIEM Query:

source="windows" AND (event_id=1000 OR event_id=1001) AND process_name="svchost.exe" AND service_name="RemoteAccess"
