CVE-2025-53798
📋 TL;DR
A buffer over-read vulnerability in Windows Routing and Remote Access Service (RRAS) lets an unauthenticated, network-based attacker make the service read past the end of a buffer and return the out-of-bounds bytes, disclosing memory contents of the RRAS process. It affects Windows hosts on which RRAS is enabled, typically those configured as VPN servers or routers. It is an information-disclosure bug: on its own it does not give code execution.
💻 Affected Systems
- Windows Routing and Remote Access Service
📦 What is this software?
Routing and Remote Access Service (RRAS) is the Windows Server role, service name RemoteAccess, that provides VPN server support (PPTP, L2TP/IPsec, SSTP, IKEv2), dial-up access, NAT and LAN/WAN routing. The service is also present on Windows client editions but is disabled there unless explicitly configured.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could read data adjacent to the over-read buffer in the RRAS process, which may include credentials or key material the service handles and pointers that defeat ASLR; that information could then be chained with a separate memory-corruption bug into code execution. The over-read itself does not execute code or write memory.
Likely Case
Information disclosure of adjacent memory contents, potentially revealing system information or partial data that could aid further attacks.
If Mitigated
Limited information disclosure with no direct code execution, but still revealing system state information.
🎯 Exploit Status
Exploitation requires network reachability of an RRAS listener (VPN or routing endpoint). No authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53798
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft Update.
2. Ensure the RRAS service (RemoteAccess) is restarted after the patch is installed.
3. Verify the installation in Windows Update history.
🔧 Temporary Workarounds
Disable RRAS Service
Windows: temporarily disable Routing and Remote Access Service if it is not required (this drops every VPN and routed session it serves)
sc config RemoteAccess start= disabled
net stop RemoteAccess
Network Segmentation
Windows: restrict network access to the RRAS listeners with firewall rules. Note that GRE (47), ESP (50) and AH (51) are IP protocol numbers, not TCP ports, and L2TP/IKE use UDP, so they must be blocked as separate rules; SSTP rides on TCP 443 and is not covered here because that port is shared with any HTTPS service on the host. Add remoteip= to block only untrusted ranges if known VPN peers must keep working.
netsh advfirewall firewall add rule name="Block RRAS PPTP" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS L2TP/IKE" dir=in action=block protocol=UDP localport=500,1701,4500
netsh advfirewall firewall add rule name="Block RRAS GRE" dir=in action=block protocol=47
netsh advfirewall firewall add rule name="Block RRAS ESP" dir=in action=block protocol=50
netsh advfirewall firewall add rule name="Block RRAS AH" dir=in action=block protocol=51
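The two workarounds above (disable the service, or block its transports) as one PowerShell script. This is an added example, not code from the original page or from Microsoft. Assumptions: -DisableService selects the first workaround, otherwise the firewall rules are created; -BlockFrom is the set of remote addresses to block, defaulting to every source, and can be given CIDR ranges so that known VPN peers keep working. Run from an elevated prompt.

```powershell
# Added example, not code from the original page or from Microsoft.
# Applies the two temporary workarounds for CVE-2025-53798; run elevated.
# Assumptions: -DisableService = workaround 1 (stop + disable RRAS);
# otherwise workaround 2 (inbound firewall block) is applied. -BlockFrom is
# the set of remote addresses to block; 'Any' blocks every source.
param(
    [switch]$DisableService,
    [string[]]$BlockFrom = @('Any')
)

if (-not (Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue)) {
    Write-Host 'RemoteAccess service is not present on this host; nothing to do.'
    return
}

if ($DisableService) {
    # Workaround 1: every VPN and routed session served by RRAS is dropped.
    Stop-Service -Name RemoteAccess -Force
    Set-Service  -Name RemoteAccess -StartupType Disabled
    Write-Host 'RemoteAccess stopped and set to Disabled.'
    return
}

# Workaround 2: block the transports RRAS listens on. GRE (47), ESP (50) and
# AH (51) are IP protocol numbers, not TCP/UDP ports, so they get -Protocol only.
# SSTP rides on TCP 443 and is deliberately not blocked: that port is shared
# with any HTTPS service on the host.
$rules = @(
    @{ DisplayName = 'Block RRAS PPTP';     Protocol = 'TCP'; LocalPort = '1723' },
    @{ DisplayName = 'Block RRAS L2TP/IKE'; Protocol = 'UDP'; LocalPort = @('500', '1701', '4500') },
    @{ DisplayName = 'Block RRAS GRE';      Protocol = '47' },
    @{ DisplayName = 'Block RRAS ESP';      Protocol = '50' },
    @{ DisplayName = 'Block RRAS AH';       Protocol = '51' }
)

foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$($r.DisplayName)' already exists, skipping."
        continue
    }
    # Block rules take precedence over allow rules in Windows Firewall, so the
    # allow rules RRAS installs for itself do not override these.
    New-NetFirewallRule @r -Direction Inbound -Action Block -Profile Any `
        -RemoteAddress $BlockFrom -Description 'Temporary mitigation for CVE-2025-53798' | Out-Null
    Write-Host "Created rule '$($r.DisplayName)'."
}

# Show what is now in place.
Get-NetFirewallRule -DisplayName 'Block RRAS*' |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```

Remove the rules again with `Get-NetFirewallRule -DisplayName 'Block RRAS*' | Remove-NetFirewallRule` once the update is installed and RRAS has been restarted.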
🧯 If You Can't Patch
- Disable RRAS service if not required for business operations
- Implement strict network segmentation and firewall rules to limit access to RRAS service
🔍 How to Verify
Check if Vulnerable:
Check if RRAS service is running: sc query RemoteAccess | findstr RUNNING
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Look up the KB number for your Windows build in the MSRC entry above, confirm it appears in Windows Update history (Settings > Windows Update > Update history), and make sure RRAS was restarted after installation.
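A single PowerShell script that covers both the verification steps above and the post-patch restart from the fix instructions. It is an added example, not the original page's code or Microsoft's. Assumptions: -KB is the KB number the MSRC entry lists for your build (the script does not know it and reports PatchPresent as Unknown without it); -RestartService performs the restart only when the patch is confirmed present. Run from an elevated prompt.

```powershell
# Added example, not code from the original page or from Microsoft.
# Reports whether this host exposes RRAS and whether the fixing update is
# present, and optionally performs the post-patch service restart.
# Assumption: -KB is the KB number from the MSRC entry for this build.
param(
    [string]$KB,
    [switch]$RestartService
)

$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$os  = Get-CimInstance Win32_OperatingSystem
$startType = if ($svc) { $svc.StartType } else { 'n/a' }

$report = [ordered]@{
    Host          = $env:COMPUTERNAME
    OS            = "$($os.Caption) $($os.Version)"
    RRASInstalled = [bool]$svc
    RRASRunning   = ($svc -and $svc.Status -eq 'Running')
    RRASStartType = $startType
    ExposedVPN    = @()
    PatchPresent  = 'Unknown'
}

# Which RRAS transports are actually listening, so exposure is not guessed
# from the service state alone. GRE/ESP/AH are raw IP protocols and do not
# appear in the TCP/UDP endpoint tables.
$tcp = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object LocalPort)
$udp = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue | ForEach-Object LocalPort)
if ($tcp -contains 1723) { $report.ExposedVPN += 'PPTP tcp/1723' }
if ($udp -contains 1701) { $report.ExposedVPN += 'L2TP udp/1701' }
if (($udp -contains 500) -or ($udp -contains 4500)) { $report.ExposedVPN += 'IKE udp/500,4500' }

if ($KB) {
    # Get-HotFix reads Win32_QuickFixEngineering, the same data Update history shows.
    $report.PatchPresent = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

[pscustomobject]$report | Format-List

if ($report.RRASRunning -and $report.PatchPresent -ne $true) {
    Write-Warning 'RRAS is running and the fixing update is absent or unverified: treat this host as vulnerable.'
}

if ($RestartService -and $report.PatchPresent -eq $true -and $svc) {
    # Step 2 of the official fix: the service must be restarted to load the patched code.
    Restart-Service -Name RemoteAccess -Force
    Write-Host 'RemoteAccess restarted.'
}
```

Usage: `.\Check-Rras.ps1 -KB KB5000000 -RestartService` (the KB value is a placeholder; substitute the one MSRC lists). The script name is an assumption.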
📡 Detection & Monitoring
Log Indicators:
- Unexpected RRAS service stops or restarts (Service Control Manager events 7031/7034/7036 in the System log); an over-read that reaches unmapped memory crashes the svchost.exe process hosting RRAS
- svchost.exe crashes attributed to the RemoteAccess service (Application Error event 1000)
- Bursts of connection attempts to RRAS ports. Logon-failure events (4625/4776) are not a reliable signal because the bug requires no authentication
Network Indicators:
- Unusual traffic to RRAS listeners: TCP 1723 (PPTP), IP protocol 47 (GRE), UDP 1701 (L2TP), UDP 500/4500 (IKE/NAT-T), IP protocols 50/51 (ESP/AH), and TCP 443 where SSTP is enabled
- Multiple connection attempts from single source
SIEM Query:
source="windows" AND (
  ((event_id=7031 OR event_id=7034 OR event_id=7036) AND message="*Routing and Remote Access*")
  OR (event_id=1000 AND message="*svchost.exe_RemoteAccess*")
)
The svchost.exe_RemoteAccess string relies on Windows Error Reporting naming a crashed svchost instance after its service; confirm it on your own hosts. Logon-failure events (4625, 4776) carry no RRAS service field and the bug needs no authentication, so they are not a useful query for this CVE.
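The same host-side indicators collected directly from one machine's event logs with PowerShell. This is an added example, not code from the original page. Assumptions: -Hours is the look-back window, -BurstThreshold is an arbitrary count of RemoteAccess events above which churn is flagged, and the svchost.exe_RemoteAccess match depends on Windows Error Reporting naming the crashed svchost instance after its service. Run from an elevated prompt.

```powershell
# Added example, not code from the original page. Collects the host-side
# signals for CVE-2025-53798 from the local event logs; run elevated.
# Assumptions: -Hours = look-back window; -BurstThreshold = event count that
# counts as a burst; 'svchost.exe_RemoteAccess' is the WER naming of the
# crashed RRAS host process and should be confirmed on your own hosts.
param(
    [int]$Hours = 24,
    [int]$BurstThreshold = 50
)

$since = (Get-Date).AddHours(-$Hours)

function Get-Events([hashtable]$Filter) {
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as empty.
    $Filter.StartTime = $since
    @(Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue)
}

# Service Control Manager: 7031/7034 = service terminated unexpectedly, 7036 = state change.
$scm = Get-Events @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034, 7036 } |
    Where-Object { $_.Message -match 'Routing and Remote Access' }

# Application Error 1000 for the svchost instance that hosts RRAS.
$crashes = Get-Events @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } |
    Where-Object { $_.Message -match 'svchost\.exe_RemoteAccess' }

# RRAS's own connection/disconnection events (provider "RemoteAccess", System log).
$rras = Get-Events @{ LogName = 'System'; ProviderName = 'RemoteAccess' }

$summary = [pscustomobject]@{
    UnexpectedStops = @($scm | Where-Object { $_.Id -in 7031, 7034 }).Count
    StateChanges    = @($scm | Where-Object { $_.Id -eq 7036 }).Count
    RRASCrashes     = @($crashes).Count
    RRASEvents      = @($rras).Count
}
$summary | Format-List

# Per-event-ID counts show what kind of churn is behind a burst.
$rras | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count -First 10 |
    Format-Table -AutoSize

if ($summary.UnexpectedStops -gt 0 -or $summary.RRASCrashes -gt 0) {
    Write-Warning "RRAS terminated unexpectedly in the last $Hours h; collect the crash dump and the peer addresses from the surrounding RemoteAccess events before treating it as benign."
}
if ($summary.RRASEvents -gt $BurstThreshold) {
    Write-Warning "$($summary.RRASEvents) RemoteAccess events in $Hours h exceeds the burst threshold of $BurstThreshold."
}
```

A crash by itself is not proof of exploitation, but an unexplained RRAS termination on an unpatched, Internet-facing host is the one local event worth escalating for this bug; the network indicators above are needed to attribute it to a source.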