CVE-2025-54096
📋 TL;DR
An out-of-bounds read vulnerability in Windows Routing and Remote Access Service (RRAS) allows unauthorized attackers to read sensitive memory contents over the network. This affects Windows systems with RRAS enabled, potentially exposing system information or credentials. The vulnerability requires network access to the RRAS service.
💻 Affected Systems
- Windows Routing and Remote Access Service
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive memory contents including credentials, cryptographic keys, or other system information, leading to privilege escalation or lateral movement.
Likely Case
Information disclosure of system memory contents, potentially revealing configuration details or partial data that could aid further attacks.
If Mitigated
Limited information disclosure with no direct code execution, contained by network segmentation and proper access controls.
🎯 Exploit Status
Exploitation requires network access to the RRAS service and an understanding of memory layout. No authentication is required once network access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update for specific KB number
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54096
Restart Required: Yes
Instructions:
1. Apply latest Windows security updates from Microsoft.
2. Verify RRAS service is updated.
3. Restart system if required by update.
🔧 Temporary Workarounds
Disable RRAS if not needed
Windows: Disable Routing and Remote Access Service if not required for business operations
sc.exe config RemoteAccess start= disabled
net stop RemoteAccess
Network segmentation
Windows: Restrict network access to RRAS service using firewall rules
New-NetFirewallRule -DisplayName "Block RRAS" -Direction Inbound -Protocol TCP -LocalPort 1723 -Action Block
🧯 If You Can't Patch
- Implement strict network access controls to limit RRAS exposure
- Monitor RRAS service logs for unusual access patterns or connection attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the RRAS service is enabled and running: sc.exe query RemoteAccess
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify Windows update KB number is installed: wmic qfe list | findstr KB
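The verification steps and the two workarounds on this page, combined into one check as an added example (not from the original page or from Microsoft). It assumes an elevated PowerShell session; `$KbId` is a placeholder because the page does not give the KB number, and `Block RRAS` is the rule name used in the firewall workaround on this page.

```powershell
# Added example: reports RRAS exposure and mitigation state on the local host.
param(
    # Placeholder: replace with the KB number listed in the vendor advisory.
    [string]$KbId = 'KB0000000'
)

# Service state and start mode (the same data the page's service query shows).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteAccess'"

# Is anything listening on the PPTP control port the page names?
$listener = Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue

# Is the "Block RRAS" rule present, enabled, and actually blocking inbound TCP 1723?
$ruleOk = $false
foreach ($rule in @(Get-NetFirewallRule -DisplayName 'Block RRAS' -ErrorAction SilentlyContinue)) {
    $port = $rule | Get-NetFirewallPortFilter
    if ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Block' -and
        $rule.Direction -eq 'Inbound' -and $port.Protocol -eq 'TCP' -and
        $port.LocalPort -contains '1723') {
        $ruleOk = $true
    }
}

# Installed updates matching the KB (same source as "wmic qfe list").
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

$running = ($null -ne $svc) -and ($svc.State -eq 'Running')
[pscustomobject]@{
    ServiceInstalled = $null -ne $svc
    ServiceState     = if ($svc) { $svc.State } else { 'n/a' }
    StartMode        = if ($svc) { $svc.StartMode } else { 'n/a' }
    ListeningOn1723  = $null -ne $listener
    BlockRuleInPlace = $ruleOk
    KbInstalled      = $null -ne $hotfix
    # Service running, port open, no block rule, KB absent.
    NeedsAttention   = $running -and ($null -ne $listener) -and
                       (-not $ruleOk) -and ($null -eq $hotfix)
}
```

The script checks only TCP 1723, the port this page names; any other RRAS listeners are outside its scope.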
📡 Detection & Monitoring
Log Indicators:
- Unusual RRAS service access attempts
- Multiple failed connection attempts to RRAS
- RRAS service crashes or unexpected restarts
Network Indicators:
- Unusual traffic patterns to RRAS ports (typically 1723 for PPTP)
- Network scans targeting RRAS services
SIEM Query:
source="windows" AND (service="RemoteAccess" OR port=1723) AND (event_type="connection" OR event_type="access")