CVE-2025-26672

6.5 MEDIUM

📋 TL;DR

A buffer over-read vulnerability in Windows Routing and Remote Access Service (RRAS) allows unauthorized attackers to read beyond allocated memory boundaries, potentially disclosing sensitive information from system memory. This affects Windows systems with RRAS enabled, particularly those exposed to network traffic.

💻 Affected Systems

Products:
  • Windows Routing and Remote Access Service
Versions: Specific versions not yet detailed in public advisory
Operating Systems: Windows Server and Windows client versions with RRAS enabled
Default Config Vulnerable: ✅ No
Notes: Only systems with RRAS enabled and configured are vulnerable. Default Windows installations typically do not have RRAS enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive information from system memory, potentially exposing credentials, encryption keys, or other confidential data that could lead to further compromise.

🟠 Likely Case

Information disclosure of random memory contents, which could include fragments of sensitive data or system information useful for reconnaissance.

🟢 If Mitigated

Limited information disclosure with no direct code execution or system compromise.

🌐 Internet-Facing: MEDIUM - RRAS services exposed to the internet could be targeted, but exploitation requires network access to the service.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this to gather information about RRAS servers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specially crafted network packets to the RRAS service. No authentication is required, but attackers need network access to the vulnerable service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific patch versions

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26672

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft.
2. Restart affected systems to complete the patch installation.
3. Verify RRAS service is running properly after restart.

🔧 Temporary Workarounds

Disable RRAS Service

Temporarily disable the Routing and Remote Access Service if not required

sc config RemoteAccess start= disabled
net stop RemoteAccess

Network Segmentation

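Restrict network access to RRAS services using firewall rules. Of the values listed, 1723 is a TCP port (PPTP) and 1701 is a UDP port (L2TP); 47, 50 and 51 are IP protocol numbers (GRE, ESP, AH), not ports, so each needs its own rule with protocol=47, protocol=50 or protocol=51 and no localport.

netsh advfirewall firewall add rule name="Block RRAS PPTP" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS L2TP" dir=in action=block protocol=UDP localport=1701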

🧯 If You Can't Patch

  • Implement strict network access controls to limit which systems can communicate with RRAS services
  • Monitor RRAS service logs for unusual connection attempts or memory access patterns

🔍 How to Verify

Check if Vulnerable:

Check if RRAS service is enabled and running: sc query RemoteAccess

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history shows the relevant security patch installed and RRAS service version matches patched version

📡 Detection & Monitoring

Log Indicators:

  • Unusual RRAS service crashes or restarts
  • Multiple connection attempts to RRAS ports from single sources
  • Memory access violations in Windows Event Logs

Network Indicators:

  • Unusual traffic patterns to RRAS ports (1723, 1701, 47, 50, 51)
  • Multiple malformed packets sent to RRAS service

SIEM Query:

(EventID=1000 OR EventID=1001) AND (SourceName="RemoteAccess" OR (ProcessName="svchost.exe" AND CommandLine LIKE "%RemoteAccess%"))
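
The "multiple connection attempts to RRAS ports from single sources" indicator above can be checked against host firewall logs. The following Python code is an added example, not part of the original advisory or any vendor tooling; the log field layout, the threshold and the sample lines are assumptions, and it treats 1723 as TCP, 1701 as UDP and 47/50/51 as IP protocol numbers (GRE, ESP, AH) rather than ports.

```python
# Added example: count RRAS-directed packets per source in a firewall log.
from collections import Counter

# The page's list mixes ports and IP protocol numbers; split them here.
RRAS_PORTS = {("TCP", 1723), ("UDP", 1701)}   # PPTP control, L2TP
RRAS_IP_PROTOCOLS = {"47", "50", "51"}        # GRE, ESP, AH (no ports)

# Assumed leading fields of a Windows Firewall log (pfirewall.log) record:
# date time action protocol src-ip dst-ip src-port dst-port ...
FIELDS = ("date", "time", "action", "protocol", "src", "dst", "sport", "dport")

def parse_line(line):
    """Return a dict for a log record, or None for headers and short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def is_rras_traffic(rec):
    """True if the record targets an RRAS tunnel port or IP protocol."""
    proto = rec["protocol"].upper()
    if proto in RRAS_IP_PROTOCOLS:
        return True
    return rec["dport"].isdigit() and (proto, int(rec["dport"])) in RRAS_PORTS

def noisy_sources(lines, threshold=3):
    """Map source IP -> hit count for sources at or above the threshold."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_rras_traffic(rec):
            hits[rec["src"]] += 1
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed sample log (documentation address ranges, not real data).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2025-01-01 10:00:01 ALLOW TCP 203.0.113.7 192.0.2.10 50111 1723
2025-01-01 10:00:02 ALLOW 47 203.0.113.7 192.0.2.10 - -
2025-01-01 10:00:03 DROP UDP 203.0.113.7 192.0.2.10 50112 1701
2025-01-01 10:00:04 ALLOW TCP 198.51.100.4 192.0.2.10 50200 1723
2025-01-01 10:00:05 ALLOW TCP 198.51.100.9 192.0.2.10 50300 47
2025-01-01 10:00:06 ALLOW UDP 198.51.100.9 192.0.2.10 50301 1723
""".splitlines()

if __name__ == "__main__":
    for src, count in noisy_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} RRAS-directed packets")
```

The last two sample lines (TCP to port 47, UDP to port 1723) are deliberately not counted, since neither is an RRAS transport.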
