CVE-2025-59510
📋 TL;DR
This vulnerability in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to create symbolic links that cause the service to access unintended files, leading to local denial of service. It affects systems running Windows with RRAS enabled. Attackers must have local authenticated access to exploit this flaw.
💻 Affected Systems
- Windows Routing and Remote Access Service (RRAS)
📦 What is this software?
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
Windows 11 25h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
An attacker could cause RRAS to crash or become unresponsive, disrupting network routing and remote access services on the affected system.
Likely Case
Local authenticated users could temporarily disrupt RRAS functionality, affecting VPN connections and routing services until service restart.
If Mitigated
With proper access controls and monitoring, impact is limited to temporary service disruption that can be quickly restored.
🎯 Exploit Status
Requires local authenticated access and knowledge of symbolic link techniques. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59510
Restart Required: Yes
Instructions:
1. Apply latest Windows security updates from Microsoft.
2. Verify RRAS service is updated.
3. Restart system if required by update.
🔧 Temporary Workarounds
Disable RRAS if not needed
Disable Routing and Remote Access Service if not required for business operations
sc config RemoteAccess start= disabled
net stop RemoteAccess
Restrict local user access
Implement strict access controls to limit which users can log into RRAS servers
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to RRAS servers
- Monitor RRAS service health and implement automated restart procedures for service failures
🔍 How to Verify
Check if Vulnerable:
Check if RRAS is enabled and running, then verify Windows version against affected versions in Microsoft advisory
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify Windows Update history for relevant security patches and confirm RRAS service version
📡 Detection & Monitoring
Log Indicators:
- RRAS service crashes or unexpected restarts
- Event ID 7023 or 7024 in System logs for service failures
- Unusual symbolic link creation events
Network Indicators:
- Sudden loss of VPN connectivity
- Routing table inconsistencies
SIEM Query:
((EventID=7023 OR EventID=7024) AND ServiceName="RemoteAccess") OR (EventID=4663 AND ObjectName LIKE "%RRAS%")
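
An added PowerShell example (not from the vendor advisory or from this page's source) that runs the "How to Verify" checks and the service-failure log indicators above on a single host. It assumes the Service Control Manager event message names the service by its display name; `$LookbackDays` is a hypothetical setting.

```powershell
# Added example: single-host triage for the checks described on this page.
$svcName      = 'RemoteAccess'  # service name from the workaround commands above
$LookbackDays = 7               # hypothetical setting; match your log retention

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
if (-not $svc) {
    Write-Output "Service '$svcName' is not present on this host."
}
else {
    # RRAS counts as exposed unless it is both disabled and stopped.
    $exposed = ($svc.StartMode -ne 'Disabled') -or ($svc.State -eq 'Running')

    # OS version and build, for comparison with the vendor advisory.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Service failure events (7023/7024) logged by the Service Control Manager.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7023, 7024
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    }
    # Assumption: the event message names the service by its display name.
    $failures = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$($svc.DisplayName)*" })

    # Most recent installed updates, to check against the KB in the advisory.
    $updates = Get-HotFix | Sort-Object InstalledOn -Descending |
        Select-Object -First 5 HotFixID, InstalledOn

    [pscustomobject]@{
        Service       = $svc.Name
        StartMode     = $svc.StartMode
        State         = $svc.State
        RrasExposed   = $exposed
        OS            = $os.Caption
        Version       = $os.Version
        FailureEvents = $failures.Count
        LastFailure   = ($failures | Select-Object -First 1).TimeCreated
        RecentUpdates = ($updates.HotFixID -join ', ')
    }
    # Full text of each failure event, newest first.
    $failures | Select-Object TimeCreated, Id, Message | Format-List | Out-String
}
```

Run it from an elevated PowerShell session on the RRAS server; a non-zero `FailureEvents` count on a host where `RrasExposed` is true is the combination to investigate first.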