CVE-2025-53797
📋 TL;DR
A buffer over-read vulnerability in Windows Routing and Remote Access Service (RRAS) allows unauthorized attackers to read sensitive memory contents over the network. This could lead to information disclosure of system data or credentials. All Windows systems with RRAS enabled are potentially affected.
💻 Affected Systems
- Windows Routing and Remote Access Service
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains access to sensitive memory contents including credentials, encryption keys, or other privileged information leading to full system compromise.
Likely Case
Limited information disclosure of adjacent memory contents, potentially revealing system information or partial data structures.
If Mitigated
No impact if RRAS is disabled or properly firewalled; limited to network-accessible RRAS services only.
🎯 Exploit Status
Exploitation requires network access to RRAS service; no authentication needed but requires specific malformed packets.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest Windows security updates for affected versions
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53797
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates via Windows Update.
2. For enterprise environments, deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable RRAS Service
Windows: Disable the Routing and Remote Access Service if it is not required
sc config RemoteAccess start= disabled
sc stop RemoteAccess
Network Segmentation
Windows: Restrict network access to the RRAS service using firewall rules. PPTP uses TCP 1723 plus GRE, which is IP protocol 47 (not a TCP port), and L2TP/IPsec uses UDP 500, 4500 and 1701, so block each transport with a matching rule:
netsh advfirewall firewall add rule name="Block RRAS PPTP" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS GRE" dir=in action=block protocol=47
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500,4500
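The two workarounds above as one re-runnable PowerShell script. This is an added example, not code from the advisory or from Microsoft; the rule names, the switch names and the port/protocol mapping (PPTP = TCP 1723 plus GRE IP protocol 47, L2TP/IPsec = UDP 500, 4500 and 1701) are assumptions, and it must run from an elevated prompt.

```powershell
# Added example (not from the advisory): apply the RRAS workarounds from an elevated PowerShell.
# -DisableService  stop and disable RRAS (only where the host does not need it)
# -BlockInbound    keep RRAS but block its inbound VPN transports at the host firewall
# Rule names and the port/protocol mapping below are assumptions.
[CmdletBinding()]
param(
    [switch]$DisableService,
    [switch]$BlockInbound,
    [string[]]$RemoteAddress = 'Any'   # e.g. '203.0.113.0/24' to block only one untrusted range
)

$svcName = 'RemoteAccess'   # service name of Routing and Remote Access

if ($DisableService) {
    # Same effect as "sc stop RemoteAccess" and "sc config RemoteAccess start= disabled"
    $svc = Get-Service -Name $svcName -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svcName -Force }
    Set-Service -Name $svcName -StartupType Disabled
    Write-Host 'RRAS stopped and set to Disabled.'
}

if ($BlockInbound) {
    # GRE carries the PPTP data channel and has no ports, so it is matched by
    # IP protocol number 47, not as a TCP or UDP port.
    $rules = @(
        @{ DisplayName = 'Block RRAS PPTP (TCP 1723)';   Protocol = 'TCP'; LocalPort = '1723' },
        @{ DisplayName = 'Block RRAS GRE (IP proto 47)'; Protocol = '47' },
        @{ DisplayName = 'Block RRAS L2TP/IPsec (UDP)';  Protocol = 'UDP'; LocalPort = '500', '4500', '1701' }
    )
    foreach ($r in $rules) {
        # Re-runnable: drop any earlier rule with the same name before adding it again
        Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        $params = $r.Clone()
        $params.Direction     = 'Inbound'
        $params.Action        = 'Block'
        $params.Profile       = 'Any'
        $params.RemoteAddress = $RemoteAddress
        New-NetFirewallRule @params | Out-Null
        Write-Host "Added inbound block rule: $($r.DisplayName)"
    }
}

if (-not $DisableService -and -not $BlockInbound) {
    Write-Warning 'Nothing done: specify -DisableService and/or -BlockInbound.'
}
```

Run it as `.\Mitigate-Rras.ps1 -BlockInbound` on a host that must keep RRAS, or with `-DisableService` where RRAS is unused. Windows Firewall evaluates block rules before allow rules, so the block rules win over any existing VPN allow rules; after patching, remove them with `Get-NetFirewallRule -DisplayName 'Block RRAS*' | Remove-NetFirewallRule`.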
🧯 If You Can't Patch
- Disable RRAS service if not required for business operations
- Implement strict network segmentation and firewall rules to restrict access to RRAS ports
🔍 How to Verify
Check if Vulnerable:
Check whether the RRAS service is running:
sc query RemoteAccess | findstr "RUNNING"
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify Windows Update history for latest security patches and check RRAS service version
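The three verification steps above combined into one PowerShell check that reports whether the host is exposed. This is an added example, not part of the advisory; the page does not give the KB number of the fixing update, so the `-FixKB` default is a placeholder to be replaced with the KB listed in the MSRC advisory, and the firewall rule name pattern `Block RRAS*` is an assumption.

```powershell
# Added example (not from the advisory): is this host exposed to CVE-2025-53797?
# Run elevated. -FixKB defaults to a placeholder; pass the KB from the MSRC advisory.
[CmdletBinding()]
param(
    [string]$FixKB = 'KB0000000'   # placeholder: replace with the fixing update's KB id
)

$svc = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue
$os  = Get-CimInstance -ClassName Win32_OperatingSystem

# Is the fixing update installed? Get-HotFix lists installed updates by KB id.
$patched = $null -ne (Get-HotFix -Id $FixKB -ErrorAction SilentlyContinue)

# Is inbound RRAS traffic blocked at the host firewall? Looks for enabled inbound block
# rules named "Block RRAS*" (the naming used by the workaround; an assumption).
$blockRules = Get-NetFirewallRule -DisplayName 'Block RRAS*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' -and $_.Direction -eq 'Inbound' }

$result = [PSCustomObject]@{
    ComputerName   = $env:COMPUTERNAME
    OSName         = $os.Caption
    OSVersion      = $os.Version
    RRASInstalled  = $null -ne $svc
    RRASStatus     = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    RRASStartType  = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
    FixInstalled   = $patched
    InboundBlocked = @($blockRules).Count -ge 3   # PPTP, GRE and UDP rules all present
}

# Exposed = RRAS running, fix absent, and nothing blocking inbound RRAS traffic
$exposed = ($result.RRASStatus -eq 'Running') -and (-not $result.FixInstalled) -and (-not $result.InboundBlocked)
$result | Add-Member -NotePropertyName Exposed -NotePropertyValue $exposed

$result | Format-List
if ($exposed) { exit 1 } else { exit 0 }
```

The non-zero exit code makes the script usable from a configuration-management or fleet-audit job: any host that exits 1 still has RRAS reachable without the fix.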
📡 Detection & Monitoring
Log Indicators:
- Event ID 20185 in Windows System logs related to RRAS
- Unusual network connections to RRAS transports (TCP 1723, GRE IP protocol 47, UDP 500, 4500 and 1701)
Network Indicators:
- Unusual traffic patterns to RRAS ports
- Malformed packets targeting RRAS service
SIEM Query:
source="Windows" AND (event_id=20185 OR service="RemoteAccess") AND (action="stop" OR action="error")
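A host-side equivalent of the SIEM query above, pulling RRAS events from the System log and flagging the indicator ID and error/stop events. This is an added example, not from the advisory; Event ID 20185 comes from the page, while the 24-hour window, the use of the `RemoteAccess` event provider and the Service Control Manager event 7036 for service state changes are assumptions to adjust for your environment.

```powershell
# Added example (not from the advisory): summarise RRAS-related System log events.
# Event ID 20185 is the indicator named on this page; the window and the provider
# names are assumptions. Run elevated or as a member of Event Log Readers.
[CmdletBinding()]
param(
    [int]$Hours = 24,
    [int[]]$IndicatorIds = @(20185)
)

$since = (Get-Date).AddHours(-$Hours)

# RRAS writes to the System log under the 'RemoteAccess' provider; the Service Control
# Manager records service state transitions (event 7036) for it.
$rras = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'RemoteAccess'; StartTime = $since
} -ErrorAction SilentlyContinue)
$scm = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Routing and Remote Access' })

$findings = @()
foreach ($e in $rras) {
    $isIndicator = $IndicatorIds -contains $e.Id
    $isError     = $e.Level -in 1, 2      # 1 = Critical, 2 = Error
    if ($isIndicator -or $isError) {
        $findings += [PSCustomObject]@{
            Time = $e.TimeCreated
            Id   = $e.Id
            Kind = if ($isIndicator) { 'indicator' } else { 'error' }
            Text = ($e.Message -split "`r?`n")[0]   # first line of the message only
        }
    }
}
foreach ($e in $scm) {
    # Unexpected stop/start of RRAS is the "action=stop" half of the SIEM query
    $findings += [PSCustomObject]@{
        Time = $e.TimeCreated; Id = $e.Id; Kind = 'service-state'
        Text = ($e.Message -split "`r?`n")[0]
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
"Last $Hours h: $($rras.Count) RRAS events, $($findings.Count) flagged"
```

Run it on a schedule and forward the flagged rows to the SIEM, or widen `-IndicatorIds` as further IDs are confirmed; a burst of RRAS error events or an unexplained service stop on an unpatched host is the signal worth alerting on.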