CVE-2025-64678

8.8 HIGH

📋 TL;DR

A heap-based buffer overflow vulnerability in Windows Routing and Remote Access Service (RRAS) allows remote unauthenticated attackers to execute arbitrary code on affected systems. This affects Windows servers and workstations with RRAS enabled, potentially allowing complete system compromise over the network.

💻 Affected Systems

Products:
  • Windows Routing and Remote Access Service (RRAS)
Versions: Specific Windows versions as listed in Microsoft advisory
Operating Systems: Windows Server, Windows Client
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when RRAS is enabled and configured. Default Windows installations typically do not have RRAS enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to full system compromise, lateral movement within the network, and potential ransomware deployment or data exfiltration.

🟠 Likely Case

Remote code execution resulting in system compromise, installation of backdoors, credential theft, and network persistence.

🟢 If Mitigated

Limited impact if network segmentation, firewalls, and proper access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - RRAS services exposed to the internet are directly vulnerable to remote exploitation without authentication.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this vulnerability to move laterally within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to RRAS service. No authentication needed for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64678

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft
2. Restart the affected systems
3. Verify that the RRAS service is running with the patched version

🔧 Temporary Workarounds

Disable RRAS Service (platform: windows)

Temporarily disable the Routing and Remote Access Service if it is not required:

  sc config RemoteAccess start= disabled
  net stop RemoteAccess

Network Segmentation (platform: all)

Restrict network access to the RRAS service using firewalls.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate RRAS servers
  • Deploy intrusion prevention systems with CVE-specific signatures
  • Monitor for exploitation attempts and anomalous RRAS traffic

🔍 How to Verify

Check if Vulnerable:

Check if RRAS is enabled and running on Windows systems. Review system logs for RRAS service status.

Check Version:

wmic service where name='RemoteAccess' get name,pathname,startmode

Verify Fix Applied:

Verify Windows Update history contains the relevant security patch. Check RRAS service version matches patched release.
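A PowerShell check covering the three steps above, added here as an example rather than the advisory's own script: it reports the RRAS service state, the file version of the DLL that hosts the service, and whether a given update is installed. The KB number is a placeholder; replace it with the one from the MSRC advisory linked above.

```powershell
# Added example (not the advisory's own script). Run elevated on the host you are checking.
# $PatchKb is a PLACEHOLDER: replace it with the KB number from the MSRC advisory.
param(
    [string]$PatchKb = 'KBNNNNNNN'
)

# 1. Is the RRAS service present at all, and how is it configured?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteAccess'"
if (-not $svc) {
    Write-Output 'RemoteAccess service not installed: no RRAS attack surface on this host.'
    return
}
Write-Output ("RRAS service: State={0} StartMode={1}" -f $svc.State, $svc.StartMode)

# RRAS runs inside svchost.exe, so the service's PathName is not useful for versioning;
# read the DLL that svchost loads for it from the service's Parameters key instead.
$dllPath = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters' `
            -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
if ($dllPath) {
    $dllPath = [Environment]::ExpandEnvironmentVariables($dllPath)
    $ver = (Get-Item -LiteralPath $dllPath).VersionInfo.FileVersion
    Write-Output ("RRAS service DLL: {0} (file version {1})" -f $dllPath, $ver)
}

# 2. Is the fixing update installed? Get-HotFix errors when the KB is absent, so suppress that.
$fix = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
$patched = [bool]$fix

# 3. Verdict: exposed if the service can run (Running, or start mode not Disabled) and the update is missing.
$canRun = ($svc.State -eq 'Running') -or ($svc.StartMode -ne 'Disabled')
if ($patched) {
    Write-Output ("Update {0} installed on {1}: fix applied." -f $PatchKb, $fix.InstalledOn)
} elseif ($canRun) {
    Write-Output ("Update {0} NOT found and RRAS can run: treat this host as vulnerable." -f $PatchKb)
} else {
    Write-Output ("Update {0} NOT found but RRAS is disabled: workaround in place, patch still required." -f $PatchKb)
}
```

Compare the reported DLL file version against the version shipped in the update listed in the MSRC advisory; the script only reports it, since the patched version is not stated on this page.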

📡 Detection & Monitoring

Log Indicators:

  • Unusual RRAS service crashes or restarts
  • Suspicious network connections to RRAS ports
  • Unexpected process creation from RRAS service

Network Indicators:

  • Anomalous traffic patterns to RRAS ports (typically TCP 1723, UDP 1701)
  • Exploit-like payloads in network traffic to RRAS services

SIEM Query:

source="windows" AND (event_id=7031 OR event_id=7034) AND service_name="RemoteAccess"
