CVE-2025-60713
📋 TL;DR
CVE-2025-60713 is a local privilege escalation vulnerability in the Windows Routing and Remote Access Service (RRAS) where an authenticated attacker can exploit an untrusted pointer dereference to gain SYSTEM privileges. It affects Windows systems with RRAS enabled, primarily enterprise environments that use remote access or routing features. An attacker must already have local access to the system to exploit it.
💻 Affected Systems
- Windows Routing and Remote Access Service (RRAS)
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement across the network.
Likely Case
An attacker with standard user privileges elevates to SYSTEM to install malware, steal credentials, or bypass security controls on the compromised host.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
Requires local authenticated access and knowledge of exploitation techniques for pointer dereference vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60713
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft.
2. Restart affected systems.
3. Verify that the RRAS service is running correctly post-patch.
🔧 Temporary Workarounds
Disable RRAS Service
Windows: Stop and disable the Routing and Remote Access Service if it is not required
sc stop RemoteAccess
sc config RemoteAccess start= disabled
Restrict Local Access
All platforms: Implement strict access controls to limit who can log into systems with RRAS enabled
🧯 If You Can't Patch
- Disable RRAS service on all non-essential systems
- Implement network segmentation to isolate systems with RRAS enabled
🔍 How to Verify
Check if Vulnerable:
Check whether the RRAS service is running with 'sc query RemoteAccess', and compare the Windows version against the affected versions listed in the Microsoft advisory
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the Windows Update history contains the relevant security update and that the RRAS service remains functional
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events in Windows Security logs
- RRAS service crashes or unexpected restarts
- Process creation with SYSTEM privileges from non-admin users
Network Indicators:
- Unusual network routing changes from RRAS systems
- Unexpected VPN or remote access connections
SIEM Query:
EventID=4688 AND SubjectUserName!=*$ AND (NewProcessName contains 'cmd.exe' OR NewProcessName contains 'powershell.exe')
Note: NewProcessName is a field of the 4688 (process creation) event; 4672 (special privileges assigned to new logon) carries no process name, so a query written against 4672 would never match. The OR must be grouped on the NewProcessName field, otherwise a bare 'powershell.exe' literal is always true and the filter matches every record.
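To make the query's logic concrete, the following is an added example (not part of the original page) that applies the same conditions to a few constructed 4688 process-creation records, with the OR grouped on the NewProcessName field; the record layout and field names are assumptions modelled on the Security log's 4688 event data.

```python
import fnmatch

# Constructed sample records imitating 4688 (process creation) event data.
# Field names follow the Security log; values are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4688, "SubjectUserName": "WS01$",          # machine account
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4672, "SubjectUserName": "alice",          # 4672 has no process field
     "NewProcessName": ""},
    {"EventID": 4688, "SubjectUserName": "bob",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

SHELLS = ("cmd.exe", "powershell.exe")


def event_matches(event):
    """True when a record satisfies:
    EventID=4688 AND SubjectUserName!=*$ AND
    (NewProcessName contains 'cmd.exe' OR NewProcessName contains 'powershell.exe')."""
    if event.get("EventID") != 4688:
        return False
    user = event.get("SubjectUserName", "")
    if fnmatch.fnmatch(user, "*$"):      # skip machine accounts (names end in '$')
        return False
    proc = event.get("NewProcessName", "").lower()
    # The OR is evaluated per shell name against the field, not as a bare literal.
    return any(shell in proc for shell in SHELLS)


def find_suspicious(events):
    """Return (user, process) pairs for every record that matches the query."""
    return [(e["SubjectUserName"], e["NewProcessName"])
            for e in events if event_matches(e)]


if __name__ == "__main__":
    for user, proc in find_suspicious(SAMPLE_EVENTS):
        print(f"{user}: {proc}")
```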