CVE-2025-55700
📋 TL;DR
An out-of-bounds read vulnerability in Windows Routing and Remote Access Service (RRAS) allows unauthorized attackers to read memory contents over the network, potentially exposing sensitive information. This affects Windows systems with RRAS enabled, particularly those configured for VPN or routing services.
💻 Affected Systems
- Windows Routing and Remote Access Service
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
Windows 11 25h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive memory contents including credentials, encryption keys, or other system data, leading to further compromise.
Likely Case
Information disclosure of random memory contents, potentially revealing system state or configuration details.
If Mitigated
Limited information exposure with no direct code execution or system compromise.
🎯 Exploit Status
Network-based attack requiring no authentication but specific knowledge of RRAS protocols
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update for specific KB number
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55700
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates via Windows Update or WSUS.
2. Verify that the RRAS service restarts automatically after the update.
3. Test VPN/routing functionality.
🔧 Temporary Workarounds
Disable RRAS if not needed
Windows: Turn off the Routing and Remote Access Service if VPN/routing functionality is not required
sc config RemoteAccess start= disabled
net stop RemoteAccess
Network segmentation
All platforms: Restrict network access to RRAS ports (TCP 1723, UDP 1701, etc.) to trusted networks only
🧯 If You Can't Patch
- Implement strict network access controls to RRAS services
- Monitor RRAS logs for unusual connection attempts or memory access patterns
🔍 How to Verify
Check if Vulnerable:
Check whether the RRAS service is running and whether the Windows version matches one of the affected versions listed in the Microsoft advisory
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the Windows Update history contains the relevant security update and that the RRAS service version is the patched one
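The checks above (service state, OS version, installed update, firewall exposure on the RRAS ports) collected into one host audit, as an added PowerShell example that is not part of the advisory. It assumes an elevated session, and the KB identifier is a placeholder because the advisory does not state it.

```powershell
# Added example: audit one host for CVE-2025-55700 exposure.
# Assumptions: run as Administrator; $PatchKb is a PLACEHOLDER because the
# advisory does not list the KB number. Fill it from the MSRC update guide.
function Test-RrasExposure {
    param([string]$PatchKb = 'KB0000000')   # PLACEHOLDER, not a real KB

    $result = [ordered]@{}

    # 1. Is the RRAS service (RemoteAccess) installed, running, auto-started?
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $result.RrasPresent   = [bool]$svc
    $result.RrasStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    $result.RrasStartType = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }

    # 2. OS name and build, to compare against the affected-version list.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result.OsName  = $os.Caption
    $result.OsBuild = $os.BuildNumber

    # 3. Is the fixing update present in the installed-hotfix list?
    $hotfix = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
    $result.PatchInstalled = [bool]$hotfix
    if ($hotfix) { $result.PatchInstalledOn = $hotfix.InstalledOn }

    # 4. Enabled inbound allow rules on the RRAS ports named in the advisory
    #    (PPTP TCP 1723, L2TP UDP 1701) indicate network exposure.
    $rrasPorts = @('1723', '1701')
    $openRules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $rrasPorts } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and
                       $_.Direction -eq 'Inbound' -and
                       $_.Action -eq 'Allow' }
    $result.InboundRulesOnRrasPorts = @($openRules | Select-Object -ExpandProperty DisplayName) -join '; '

    # Verdict: exposed when RRAS is running and the update is not installed.
    $result.Exposed = ($result.RrasStatus -eq 'Running') -and (-not $result.PatchInstalled)

    return [pscustomobject]$result
}

Test-RrasExposure | Format-List
```

A host reporting `Exposed : True` should be patched or have RRAS disabled per the workarounds above; `InboundRulesOnRrasPorts` lists the firewall rules to tighten in the meantime.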
📡 Detection & Monitoring
Log Indicators:
- Unusual RRAS service errors
- Memory access violations in Event Viewer
- Failed authentication attempts to RRAS
Network Indicators:
- Unusual traffic patterns to RRAS ports
- Multiple connection attempts from single sources
SIEM Query:
source="Windows Security" AND (event_id=4625 OR event_id=4688) AND process_name="svchost.exe" AND service_name="RemoteAccess"