CVE-2022-35769: Windows 10 PPP DOS Vulnerability

CVE-2022-35769 is a denial of service vulnerability in Windows 10 Point-to-Point Protocol (PPP) that can disrupt network connectivity. This article covers the technical details, affected versions, security impact, and mitigation.

CVE-2022-35769 Overview

CVE-2022-35769 is a denial of service vulnerability in the Windows Point-to-Point Protocol (PPP) implementation. The flaw affects a broad range of Microsoft Windows client and server operating systems, from Windows 7 SP1 through Windows 11 and Windows Server 2022. An unauthenticated attacker on the network can send crafted PPP traffic to exhaust resources or crash the affected service, resulting in service disruption. The vulnerability is tracked under [CWE-400] Uncontrolled Resource Consumption. Microsoft addressed the issue through its August 2022 Patch Tuesday release.

Critical Impact

A remote, unauthenticated attacker can trigger a denial of service condition on Windows systems exposing the PPP protocol, with an EPSS percentile of 95.5 indicating elevated exploitation likelihood relative to other CVEs.

Affected Products

  • Microsoft Windows 10 (multiple builds: 1607, 1809, 20H2, 21H1, 21H2)
  • Microsoft Windows 11, Windows 7 SP1, Windows 8.1, and Windows RT 8.1
  • Microsoft Windows Server 2008, 2012, 2016, 2019, and 2022

Discovery Timeline

  • 2022-08-09 - CVE-2022-35769 published to NVD
  • 2025-05-29 - Last updated in NVD database

Technical Details for CVE-2022-35769

Vulnerability Analysis

The vulnerability resides in the Windows Point-to-Point Protocol (PPP) component, which provides data-link layer functionality for dial-up, VPN, and tunneling connections such as PPTP and L2TP. An attacker delivers a malformed PPP packet that the protocol stack fails to validate, leading to uncontrolled resource consumption [CWE-400]. The result is service degradation or a system-level denial of service that disrupts availability without affecting data confidentiality or integrity. Because the impact is limited to availability, the issue is most consequential for VPN concentrators, RAS servers, and any Windows host accepting PPP-based connections from untrusted networks.

Root Cause

The defect stems from improper handling of attacker-controlled fields within PPP frames. Insufficient bounds or state validation in packet processing allows a single crafted message to consume CPU, memory, or kernel resources disproportionately. Microsoft classifies the weakness under [CWE-400] Uncontrolled Resource Consumption.

Attack Vector

Exploitation occurs over the network with no authentication and no user interaction. An attacker capable of reaching the PPP service — for example, a server exposing PPTP/L2TP on UDP 1701, TCP 1723, or via GRE — can submit malformed PPP traffic. Successful delivery crashes or stalls the service, severing legitimate VPN sessions. No public proof-of-concept exploit is referenced in the NVD entry, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Microsoft Security Update Guide for CVE-2022-35769 for vendor technical detail.

Detection Methods for CVE-2022-35769

Indicators of Compromise

  • Unexpected termination or repeated restarts of Windows RRAS, RasMan, or related PPP services on edge VPN servers.
  • Spikes in inbound traffic to TCP 1723 (PPTP), UDP 1701 (L2TP), or GRE protocol 47 from unfamiliar source IPs.
  • Event Log entries indicating service crashes, kernel faults, or abnormal resource exhaustion correlated with VPN endpoint timeouts.

Detection Strategies

  • Inspect perimeter firewall and IDS/IPS logs for malformed PPP, PPTP, or L2TP frames originating from untrusted networks.
  • Correlate Windows Event IDs for Routing and Remote Access service failures with network captures of preceding PPP negotiation traffic.
  • Establish baselines for VPN session counts and identify abrupt drops that align with crafted packet bursts.

Monitoring Recommendations

  • Enable verbose logging on RRAS and RasMan services and forward events to a centralized SIEM for correlation.
  • Monitor CPU, non-paged pool, and handle counts on VPN servers for sudden anomalies during PPP negotiations.
  • Alert on repeated connection attempts to PPP-related ports from a single source within short time windows.
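
The last recommendation above (repeated attempts to PPP-related ports from a single source within a short window) can be expressed as a sliding-window check over host firewall logs. This is an added Python example, not part of the original advisory. It assumes the Windows Firewall log (pfirewall.log) field layout with connection logging enabled, and that GRE is logged as protocol number 47; the log lines, addresses, and the threshold of 5 events in 10 seconds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# PPP-carrying services named on this page, keyed by (protocol, destination port).
WATCHED = {("TCP", "1723"): "PPTP", ("UDP", "1701"): "L2TP"}

# Constructed sample in pfirewall.log layout; documentation-range addresses only.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-08-10 03:14:01 ALLOW TCP 203.0.113.7 192.0.2.10 50111 1723 52 S 1 0 8192 - - - RECEIVE
2022-08-10 03:14:01 ALLOW TCP 203.0.113.7 192.0.2.10 50112 1723 52 S 1 0 8192 - - - RECEIVE
2022-08-10 03:14:02 ALLOW 47 203.0.113.7 192.0.2.10 - - 60 - - - - - - - RECEIVE
2022-08-10 03:14:02 ALLOW UDP 198.51.100.20 192.0.2.10 1701 1701 140 - - - - - - - RECEIVE
2022-08-10 03:14:03 ALLOW TCP 203.0.113.7 192.0.2.10 50113 1723 52 S 1 0 8192 - - - RECEIVE
2022-08-10 03:14:03 ALLOW TCP 198.51.100.99 192.0.2.10 50500 443 52 S 1 0 8192 - - - RECEIVE
2022-08-10 03:14:04 ALLOW TCP 203.0.113.7 192.0.2.10 50114 1723 52 S 1 0 8192 - - - RECEIVE
2022-08-10 03:14:04 ALLOW TCP 203.0.113.7 192.0.2.10 50115 1723 52 S 1 0 8192 - - - RECEIVE
2022-08-10 03:14:41 ALLOW TCP 203.0.113.7
"""

def parse_line(line):
    """Return (timestamp, src_ip, service) for inbound PPP-related traffic, else None."""
    f = line.split()
    if len(f) < 17 or line.startswith("#") or f[16] != "RECEIVE":
        return None  # header, truncated, or outbound record
    # Assumption: GRE has no ports and appears as IP protocol number 47.
    service = "GRE" if f[3] == "47" else WATCHED.get((f[3].upper(), f[7]))
    if service is None:
        return None
    try:
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return ts, f[4], service

def find_bursts(log_text, threshold=5, window=timedelta(seconds=10)):
    """Return {src_ip: peak event count inside one window} for sources reaching the threshold."""
    recent, peaks = defaultdict(deque), {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, src, _service = event
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks
```

Calling `find_bursts(SAMPLE_LOG)` flags only the source that sent six PPTP/GRE events within the window; the single L2TP event, the HTTPS connection, and the truncated record are ignored. Tune `threshold` and `window` against the VPN server's normal reconnect behaviour before alerting on it.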

How to Mitigate CVE-2022-35769

Immediate Actions Required

  • Apply the August 2022 Microsoft security updates to all affected Windows client and server SKUs without delay.
  • Inventory systems running RRAS, PPTP, or L2TP services and prioritize internet-facing VPN concentrators for patching.
  • Restrict exposure of PPP-related ports at the network perimeter to known administrative source addresses only.

Patch Information

Microsoft released fixes for CVE-2022-35769 as part of the August 2022 Patch Tuesday cycle. Detailed update KB numbers per Windows version and build are available in the Microsoft Security Update Guide for CVE-2022-35769. Administrators should validate that the corresponding cumulative update or monthly rollup has been installed on every affected host.

Workarounds

  • Disable the Routing and Remote Access Service (RRAS) on systems that do not require PPP, PPTP, or L2TP connectivity.
  • Block TCP 1723, UDP 1701, and GRE protocol 47 at the network edge where remote VPN is not in use.
  • Place VPN endpoints behind protocol-aware firewalls or IPS sensors configured to drop malformed PPP frames.

```powershell
# Disable Routing and Remote Access on a Windows server where PPP is not required
sc.exe config RemoteAccess start= disabled
sc.exe stop RemoteAccess

# Block PPTP and L2TP at the host firewall as a temporary mitigation
netsh advfirewall firewall add rule name="Block PPTP 1723" dir=in action=block protocol=TCP localport=1723
netsh advfirewall firewall add rule name="Block L2TP 1701" dir=in action=block protocol=UDP localport=1701
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
