CVE-2025-54095
📋 TL;DR
An out-of-bounds read vulnerability in Windows Routing and Remote Access Service (RRAS) allows unauthorized attackers to read sensitive memory contents over the network. This affects Windows systems with RRAS enabled, potentially exposing system information or credentials. The vulnerability requires network access to the RRAS service.
💻 Affected Systems
- Windows Routing and Remote Access Service (RRAS)
📦 What is this software?
Routing and Remote Access Service (RRAS) is the Windows Server role that provides VPN endpoints (PPTP, L2TP/IPsec, SSTP, IKEv2), dial-up remote access, NAT and LAN/WAN routing. It runs as the RemoteAccess service and listens on the network for tunnel setup traffic, which is why this bug is reachable remotely.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive memory contents including credentials, encryption keys, or other system information, leading to privilege escalation or lateral movement.
Likely Case
Information disclosure of system memory contents, potentially revealing partial system information or application data.
If Mitigated
Limited information disclosure with no direct code execution or system compromise.
🎯 Exploit Status
Exploitation requires network access to the RRAS service and understanding of the specific memory layout. No authentication is required once network access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54095
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft.
2. Install the specific KB patch for this vulnerability.
3. Restart the system to complete the installation.
🔧 Temporary Workarounds
Disable RRAS Service
Windows: Temporarily disable the Routing and Remote Access Service if it is not required.
sc config RemoteAccess start= disabled
net stop RemoteAccess
Network Segmentation
Windows: Restrict inbound network access to the RRAS listeners using firewall rules. PPTP uses TCP 1723 plus GRE (IP protocol 47, which is not a port and must be blocked with its own rule); L2TP/IPsec and IKEv2 use UDP 1701, 500 and 4500.
netsh advfirewall firewall add rule name="Block RRAS" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS UDP" dir=in action=block protocol=UDP localport=1701,500,4500
netsh advfirewall firewall add rule name="Block RRAS GRE" dir=in action=block protocol=47
These rules block all inbound VPN traffic; if RRAS must stay reachable for known peers, scope each rule with remoteip= so that only untrusted sources are blocked.
🧯 If You Can't Patch
- Disable RRAS service if not essential for operations
- Implement strict network access controls to limit exposure to RRAS ports
🔍 How to Verify
Check if Vulnerable:
Check if the RRAS service is running:
sc query RemoteAccess | findstr "RUNNING"
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that Windows Update history contains the relevant security patch KB number (for example with Get-HotFix -Id <KB> in PowerShell, once the KB for your OS build is known from the vendor advisory).
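The checks above can be combined into one host audit. The following PowerShell script is an added example and is not part of the advisory or of Microsoft's tooling. It assumes an elevated session on the Windows host, that the block rules from the workaround section were created with display names starting "Block RRAS", and that the placeholder KB number is replaced with the one listed in the MSRC update guide for the host's OS build.

```powershell
# Added example: audit one host for CVE-2025-54095 exposure (service state, fix, ports, block rules).
# Assumption: run elevated; $ExpectedKb is a placeholder, replace with the KB from the MSRC advisory.
param(
    [string]$ExpectedKb = 'KB0000000'   # placeholder, not a real KB number
)

$result = [ordered]@{}

# 1. Service state: RRAS runs as the 'RemoteAccess' service.
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$result.ServiceInstalled = [bool]$svc
$result.ServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
$result.StartType        = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }

# 2. OS caption and build, needed to pick the right KB from the update guide.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$result.OsCaption = $os.Caption
$result.OsBuild   = $os.BuildNumber

# 3. Is the fix installed? Get-HotFix reads the installed-updates list; a missing KB is an error we swallow.
$result.FixInstalled = [bool](Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue)

# 4. RRAS listeners: PPTP 1723/TCP, L2TP 1701/UDP, IKE 500/UDP, NAT-T 4500/UDP.
#    (GRE, IP protocol 47, has no port and does not show up here.)
$tcpListen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq 1723 }
$udpListen = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 1701, 500, 4500 }
$result.ExposedPorts = @($tcpListen | ForEach-Object LocalPort) +
                       @($udpListen | ForEach-Object LocalPort) | Sort-Object -Unique

# 5. Are the inbound block rules from the workaround present and enabled?
$rules = Get-NetFirewallRule -DisplayName 'Block RRAS*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' }
$result.BlockRulesActive = @($rules).Count

# Verdict: exposed when the service is running, the fix is absent and no block rule is in place.
$result.Exposed = [bool]($svc -and $svc.Status -eq 'Running' -and
                         -not $result.FixInstalled -and $result.BlockRulesActive -eq 0)

[pscustomobject]$result
```

Run it as `.\Check-Rras.ps1 -ExpectedKb KBxxxxxxx` and treat `Exposed = True` as a finding; `ExposedPorts` tells you which listeners are actually open, which is what the firewall rules need to cover.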
📡 Detection & Monitoring
Log Indicators:
- Unusual inbound connections to RRAS listeners (TCP 1723; UDP 1701, 500, 4500) or GRE traffic (IP protocol 47, which is not a port)
- Windows Security Event logs showing unexpected service access
Network Indicators:
- Unusual traffic patterns to RRAS ports from unauthorized sources
- Multiple connection attempts to RRAS service
SIEM Query:
source="windows_security" AND (event_id=5156 OR event_id=5157) AND (dest_port IN (1723, 1701, 500, 4500) OR protocol=47) AND src_ip NOT IN (allowed_ips)
Events 5156 (connection permitted) and 5157 (connection blocked) are only written when the "Audit Filtering Platform Connection" policy is enabled; GRE has no port, so it is matched on the protocol field instead.
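The same detection can be run directly on the host when no SIEM is collecting the Security log. The following PowerShell script is an added example, not from the advisory: it reads Windows Filtering Platform events 5156/5157, keeps only inbound connections to the RRAS ports or GRE, and summarises sources that are not on an allow list. It assumes "Audit Filtering Platform Connection" is enabled, the session is elevated, and the placeholder address in $AllowedSources is replaced with your real VPN peers and management hosts.

```powershell
# Added example: summarise inbound hits on RRAS ports/GRE from non-allow-listed sources.
# Assumptions: WFP connection auditing enabled (else 5156/5157 are absent); run elevated;
# $AllowedSources placeholder (RFC 5737 documentation address) replaced with real peers.
param(
    [string[]]$AllowedSources = @('203.0.113.10'),
    [int]$Hours = 24
)

$rrasPorts = 1723, 1701, 500, 4500   # PPTP/TCP, L2TP/UDP, IKE/UDP, NAT-T/UDP
$greProto  = 47                       # GRE is an IP protocol number, not a port

$filter = @{
    LogName   = 'Security'
    Id        = 5156, 5157            # WFP: connection permitted / connection blocked
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a lookup table.
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # %%14592 is the "Inbound" direction token used by 5156/5157; skip outbound connections.
    if ($d.Direction -ne '%%14592') { return }

    $port  = [int]$d.DestPort        # 0 for protocols without ports (e.g. GRE)
    $proto = [int]$d.Protocol        # 6 = TCP, 17 = UDP, 47 = GRE
    $hit   = ($port -in $rrasPorts) -or ($proto -eq $greProto)

    if ($hit -and ($d.SourceAddress -notin $AllowedSources)) {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Source   = $d.SourceAddress
            DestPort = $port
            Protocol = $proto
            Process  = $d.Application
            Outcome  = if ($_.Id -eq 5156) { 'Allowed' } else { 'Blocked' }
        }
    }
} | Group-Object -Property Source | Sort-Object -Property Count -Descending |
    Select-Object -Property Name, Count,
        @{ Name = 'FirstSeen'; Expression = { ($_.Group.Time | Measure-Object -Minimum).Minimum } },
        @{ Name = 'Allowed';   Expression = { @($_.Group | Where-Object Outcome -eq 'Allowed').Count } }
```

A source with a high `Count` and a non-zero `Allowed` column is a host that reached the RRAS listener repeatedly without being on the allow list; that is the pattern the "Multiple connection attempts" indicator above refers to, and the `Allowed` column also shows whether the block rules from the workaround section are actually taking effect.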