CVE-2022-35769 Overview
CVE-2022-35769 is a Denial of Service vulnerability affecting the Windows Point-to-Point Protocol (PPP) implementation across a wide range of Microsoft Windows operating systems. The vulnerability allows remote attackers to cause a denial of service condition by sending specially crafted network packets to systems with PPP enabled. This can result in service disruption without requiring any user interaction or authentication.
Critical Impact
Remote attackers can disrupt network connectivity and service availability across affected Windows systems by exploiting improper resource handling in the PPP protocol implementation, potentially affecting enterprise VPN connections and remote access services.
Affected Products
- Microsoft Windows 10 (multiple versions including 1607, 1809, 20H2, 21H1, 21H2)
- Microsoft Windows 11 (x64 and ARM64)
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1
- Microsoft Windows RT 8.1
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows Server 2012 and R2
- Microsoft Windows Server 2016 (including 20H2)
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022
Discovery Timeline
- August 9, 2022 - CVE-2022-35769 published to NVD
- May 29, 2025 - Last updated in NVD database
Technical Details for CVE-2022-35769
Vulnerability Analysis
This vulnerability resides in the Windows Point-to-Point Protocol (PPP) implementation, a core network protocol used for establishing direct connections between two network nodes. PPP is commonly utilized in VPN connections, dial-up networking, and various remote access scenarios. The vulnerability enables unauthenticated remote attackers to trigger a denial of service condition by sending malicious network traffic to the target system.
The attack requires no user interaction, making it particularly dangerous in enterprise environments where PPP services may be reachable over the network. The vulnerability affects both client and server versions of Windows, spanning from legacy systems like Windows 7 and Server 2008 to modern releases including Windows 11 and Server 2022.
Root Cause
The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption), indicating that the PPP implementation fails to properly limit or manage resource consumption when processing certain network input. This allows attackers to exhaust system resources or trigger an unhandled condition that results in service unavailability. The improper resource handling in the PPP stack can be exploited remotely without authentication, as the vulnerability exists in the protocol's packet processing logic.
Attack Vector
The attack is executed over the network, requiring no privileges or user interaction. An attacker can remotely target any Windows system with PPP services enabled or accessible. The exploitation involves sending specially crafted PPP packets that trigger the resource exhaustion condition, leading to denial of service. Systems configured as VPN servers, Remote Access Service (RAS) endpoints, or those accepting PPP connections are particularly at risk.
The vulnerability manifests when the Windows PPP implementation processes malformed or excessive protocol requests. Attackers can craft network packets that exploit the resource handling weakness, causing the affected system to become unresponsive or terminate PPP-related services. For detailed technical information, refer to the Microsoft Security Update Guide for CVE-2022-35769.
Detection Methods for CVE-2022-35769
Indicators of Compromise
- Unusual volume of PPP protocol traffic from external sources
- System event logs showing PPP service crashes or restarts
- Network monitoring alerts for malformed PPP packets
- Unexpected termination of Remote Access Service (RAS) or VPN connections
Detection Strategies
- Deploy network intrusion detection systems (NIDS) with signatures for anomalous PPP traffic patterns
- Monitor Windows Event Logs for PPP-related errors, specifically in the System and Application logs
- Implement traffic analysis to detect unusual connection attempts to PPP services
- Use SentinelOne's behavioral AI to identify abnormal network stack behavior indicative of DoS attacks
Monitoring Recommendations
- Enable verbose logging for Remote Access Service (RAS) and PPP components
- Configure alerts for repeated PPP service failures or unexpected restarts
- Monitor network interfaces handling PPP connections for traffic anomalies
- Implement baseline monitoring for PPP connection volumes and patterns
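One way to implement the event-log monitoring and the "repeated service failures" alert described above. This is an added example, not SentinelOne or Microsoft code; the function name `Find-RasCrashBurst`, the threshold of three crashes in ten minutes, and the sample events are assumptions constructed for illustration.

```powershell
# Added example (not vendor code). Service Control Manager writes event
# 7031/7034 to the System log when a service terminates unexpectedly.
function Find-RasCrashBurst {
    param(
        [object[]] $Events = @(),                         # need TimeCreated, Id, Message
        [int]      $Threshold = 3,                        # assumed alert threshold
        [timespan] $Window = [timespan]::FromMinutes(10)  # assumed time window
    )
    # Display names of the RasMan and RemoteAccess services
    $names = 'Remote Access Connection Manager|Routing and Remote Access'
    $hits = @($Events |
        Where-Object { ($_.Id -in 7031, 7034) -and ($_.Message -match $names) } |
        Sort-Object TimeCreated)
    # Slide over the sorted crashes; report the first run of $Threshold in $Window
    for ($i = 0; $i + $Threshold -le $hits.Count; $i++) {
        $last = $hits[$i + $Threshold - 1]
        if (($last.TimeCreated - $hits[$i].TimeCreated) -le $Window) {
            return [pscustomobject]@{
                FirstCrash = $hits[$i].TimeCreated
                LastCrash  = $last.TimeCreated
                Crashes    = $Threshold
            }
        }
    }
}

# Constructed sample events: RasMan crashes at +0, +2, +5 and +90 minutes,
# plus one unrelated service crash that must be ignored.
$t0 = Get-Date '2022-08-10T09:00:00'
$sample = @(0, 2, 5, 90 | ForEach-Object {
    [pscustomobject]@{
        TimeCreated = $t0.AddMinutes($_)
        Id          = 7031
        Message     = 'The Remote Access Connection Manager service terminated unexpectedly.'
    }
})
$sample += [pscustomobject]@{
    TimeCreated = $t0.AddMinutes(3); Id = 7034
    Message     = 'The Print Spooler service terminated unexpectedly.'
}
Find-RasCrashBurst -Events $sample

# Live use on a RAS/VPN server:
# $live = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
#     LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034 })
# Find-RasCrashBurst -Events $live
```

A hit shows only that the RAS services are crashing repeatedly, not why; correlate it with inbound PPP/VPN traffic and patch status before attributing it to this CVE.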
How to Mitigate CVE-2022-35769
Immediate Actions Required
- Apply the August 2022 Microsoft security updates immediately on all affected systems
- Restrict network access to PPP services to trusted IP ranges only
- Disable PPP services on systems where they are not required
- Implement network segmentation to limit exposure of systems running PPP services
Patch Information
Microsoft released security updates addressing this vulnerability as part of the August 2022 Patch Tuesday release. Organizations should apply the applicable security updates from the Microsoft Security Update Guide for CVE-2022-35769 based on their specific Windows versions. The patches address the underlying resource handling issue in the PPP implementation.
Workarounds
- Disable the Routing and Remote Access Service (RRAS) if not required for business operations
- Use firewall rules to block external access to PPP-related ports and services
- Implement network-level access controls to restrict PPP connections to authorized endpoints
- Consider migrating to alternative VPN solutions that do not rely on PPP for remote access
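```powershell
# Disable the Routing and Remote Access Service if it is not needed.
# Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
sc.exe config RemoteAccess start= disabled
sc.exe stop RemoteAccess
# Verify the status of the PPP-related services
sc.exe query RasMan
sc.exe query RemoteAccess
```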

