CVE-2025-54097
📋 TL;DR
An out-of-bounds read vulnerability in Windows Routing and Remote Access Service (RRAS) allows unauthorized attackers to read sensitive memory contents over the network. This affects Windows systems with RRAS enabled, potentially exposing system information or credentials. The vulnerability requires network access to the RRAS service.
💻 Affected Systems
- Windows Routing and Remote Access Service
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive memory contents including credentials, cryptographic keys, or other system information, potentially leading to further system compromise.
Likely Case
Information disclosure of system memory contents, which could include partial data useful for further attacks or reconnaissance.
If Mitigated
Limited information disclosure with no direct code execution or system takeover capabilities.
🎯 Exploit Status
Exploitation requires network access to RRAS service and knowledge of triggering conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update for specific KB number
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54097
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft.
2. Verify that the RRAS service binaries were updated.
3. Restart the system if the update requires it.
🔧 Temporary Workarounds
Disable RRAS if not needed
Windows: Disable the Routing and Remote Access Service if it is not required for business operations
sc config RemoteAccess start= disabled
net stop RemoteAccess
Network segmentation
Windows: Restrict network access to the RRAS service using firewall rules
netsh advfirewall firewall add rule name="Block RRAS PPTP" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block RRAS GRE" dir=in action=block protocol=47
netsh advfirewall firewall add rule name="Block RRAS L2TP/IPsec UDP" dir=in action=block protocol=UDP localport=500,1701,4500
🧯 If You Can't Patch
- Disable RRAS service entirely if not required
- Implement strict network access controls to limit exposure to RRAS service
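The following PowerShell script is an added example, not part of the advisory, that applies both workarounds above (service disablement and firewall blocking) in one idempotent run. It assumes RRAS is not needed on the host, that it is run from an elevated prompt, and that the firewall rule display names are free to use; note that 47 is the GRE IP protocol carrying PPTP data, not a TCP port, so it gets its own protocol-number rule.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory): disable RRAS and block the inbound
# protocols it serves. Assumption: this host does not need RRAS.

$serviceName = 'RemoteAccess'   # service name behind "Routing and Remote Access"

# 1. Stop and disable the service if it is present.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -eq 'Running') { Stop-Service -Name $serviceName -Force }
    Set-Service -Name $serviceName -StartupType Disabled
}

# 2. Inbound block rules. PPTP control = TCP 1723, PPTP data = GRE (IP protocol 47,
#    no port), L2TP/IPsec = UDP 500, 1701, 4500. Rule names are arbitrary.
$rules = @(
    @{ Name = 'Block RRAS PPTP (TCP 1723)';           Protocol = 'TCP'; LocalPort = 1723 },
    @{ Name = 'Block RRAS GRE (IP protocol 47)';      Protocol = '47' },
    @{ Name = 'Block RRAS L2TP/IPsec (UDP 500,1701,4500)'; Protocol = 'UDP'; LocalPort = 500,1701,4500 }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    $params = @{
        DisplayName = $r.Name
        Direction   = 'Inbound'
        Action      = 'Block'
        Protocol    = $r.Protocol
        Profile     = 'Any'
    }
    if ($r.ContainsKey('LocalPort')) { $params.LocalPort = $r.LocalPort }
    New-NetFirewallRule @params | Out-Null
}

# 3. Report the resulting state for change records.
Get-Service -Name $serviceName -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
Get-NetFirewallRule -DisplayName 'Block RRAS*' |
    Select-Object DisplayName, Enabled, Direction, Action
```

If RRAS must stay up for a trusted subnet, replace the block rules with allow rules that carry `-RemoteAddress` set to that subnet and keep a broader block rule behind them; Windows Firewall evaluates explicit block rules ahead of allow rules, so the allow rules need the block to be scoped to everything else.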
🔍 How to Verify
Check if Vulnerable:
Check if RRAS is enabled and running: sc query RemoteAccess
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify Windows Update history contains the relevant security update KB number
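The following PowerShell script is an added example, not part of the advisory, that performs the three verification steps above from one place: RRAS service state, OS version, and whether a given update is installed. The `$KB` value is a placeholder because the advisory does not state the KB number; take it from the MSRC page linked above. UDP 500/4500 can also be opened by the IKEEXT service independently of RRAS, so the listening-port columns are corroborating evidence, not proof on their own.

```powershell
# Added example (not from the advisory): exposure and patch-state report for RRAS.
$KB = 'KB0000000'   # PLACEHOLDER: replace with the KB from the MSRC advisory

$svc       = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$svcCim    = Get-CimInstance Win32_Service -Filter "Name='RemoteAccess'" -ErrorAction SilentlyContinue
$os        = Get-CimInstance Win32_OperatingSystem
# Get-HotFix reads Win32_QuickFixEngineering; cross-check against Windows Update
# history if it returns nothing for a cumulative update you believe is installed.
$hotfix    = Get-HotFix -Id $KB -ErrorAction SilentlyContinue

# Sockets RRAS would expose: TCP 1723 (PPTP) and UDP 500/1701/4500 (L2TP/IPsec).
$pptp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $_.LocalPort -eq 1723 }
$udp  = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
            Where-Object { $_.LocalPort -in 500,1701,4500 }

$running = [bool]($svc -and $svc.Status -eq 'Running')

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    OSName          = $os.Caption
    OSVersion       = $os.Version
    RrasStatus      = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
    RrasStartMode   = if ($svcCim) { $svcCim.StartMode } else { 'n/a' }
    PptpListening   = [bool]$pptp
    UdpPortsOpen    = (@($udp.LocalPort) | Sort-Object -Unique) -join ','
    PatchInstalled  = [bool]$hotfix
    # Exposed = service running and the referenced update not found.
    Exposed         = $running -and -not $hotfix
}
```

Run it across a fleet with `Invoke-Command -ComputerName` and filter on `Exposed -eq $true` to get the patch-first list.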
📡 Detection & Monitoring
Log Indicators:
- Unusual RRAS service crashes in Event Viewer
- Multiple failed connection attempts to RRAS ports
- Unexpected memory access patterns in RRAS logs
Network Indicators:
- Unusual traffic patterns to RRAS listeners (TCP 1723, UDP 1701, 500 and 4500, and GRE, which is IP protocol 47 rather than a port)
- Multiple connection attempts from single sources
SIEM Query:
source="windows" AND (event_id=1000 OR event_id=1001) AND process_name="svchost.exe" AND service="RemoteAccess"
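The following PowerShell script is an added example, not part of the advisory, that implements the "RRAS service crashes" log indicator on a single host using standard Windows event IDs: Application log 1000 (Application Error) and 1001 (Windows Error Reporting), plus System log 7031 and 7034 from the Service Control Manager, which record a service terminating unexpectedly. The seven-day window and the message-text filters are assumptions to tune locally; the SIEM query above expresses the same idea for a central platform.

```powershell
# Added example (not from the advisory): find crash-related events for RRAS.
$Since = (Get-Date).AddDays(-7)   # assumption: look back one week

# Application-log crashes where the faulting process is svchost.exe (RRAS runs
# inside svchost). Event 1000 names the faulting application and module in its
# message text, which is why the filter is applied to Message.
$appCrashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error', 'Windows Error Reporting'
        Id           = 1000, 1001
        StartTime    = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'svchost\.exe' }

# System-log entries where the Service Control Manager reports that the
# Routing and Remote Access service terminated unexpectedly.
$scmEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Routing and Remote Access' }

# Merge, drop nulls from empty result sets, and summarise one line per event.
$findings = @(@($appCrashes) + @($scmEvents) | Where-Object { $_ } | Sort-Object TimeCreated) |
    Select-Object TimeCreated, LogName, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } }

$findings | Format-Table -AutoSize

if (@($findings).Count -gt 0) {
    Write-Warning ("{0} RRAS crash-related event(s) since {1}; correlate with inbound " +
                   "connections to TCP 1723 / UDP 500,1701,4500 in the firewall log.") `
                   -f @($findings).Count, $Since
}
```

A burst of 7031/7034 events for this service, especially paired with 1000 events whose faulting module sits under the RRAS binaries, is the host-side signal to correlate with the network indicators listed above.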