Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2023-21548

CVE-2023-21548: Windows 10 1607 SSTP RCE Vulnerability

CVE-2023-21548 is a remote code execution vulnerability in Windows Secure Socket Tunneling Protocol (SSTP) affecting Windows 10 1607. Attackers can exploit this flaw to execute arbitrary code. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2023-21548 Overview

CVE-2023-21548 is a Remote Code Execution (RCE) vulnerability affecting the Windows Secure Socket Tunneling Protocol (SSTP) service. SSTP is a VPN tunneling protocol that allows PPP traffic to be encapsulated over an HTTPS connection, commonly used in Windows environments for secure remote access. This vulnerability allows an unauthenticated attacker to execute arbitrary code on affected systems by sending specially crafted requests to the SSTP service over the network.

Critical Impact

Successful exploitation enables remote attackers to execute arbitrary code with SYSTEM privileges on vulnerable Windows systems without requiring authentication, potentially leading to complete system compromise.

Affected Products

  • Microsoft Windows 10 (versions 1607, 1809, 20H2, 21H2, 22H2)
  • Microsoft Windows 11 (versions 21H2, 22H2)
  • Microsoft Windows 7 SP1
  • Microsoft Windows 8.1 and Windows RT 8.1
  • Microsoft Windows Server 2008 SP2 and R2 SP1
  • Microsoft Windows Server 2012 and R2
  • Microsoft Windows Server 2016, 2019, 2022

Discovery Timeline

  • 2023-01-10 - CVE-2023-21548 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2023-21548

Vulnerability Analysis

This vulnerability resides in the Windows SSTP service, which handles VPN connections over HTTPS. The flaw is classified under CWE-591 (Sensitive Data Storage in Improperly Locked Memory), indicating that the vulnerability involves improper handling of memory operations within the SSTP protocol implementation. Due to the network-based attack vector, exploitation does not require any privileges or user interaction, though the attack complexity is considered high, meaning specific conditions must be met for successful exploitation.

When successfully exploited, an attacker gains the ability to execute code with the highest system privileges, potentially leading to complete compromise of confidentiality, integrity, and availability of the affected system. The SSTP service typically runs with elevated privileges to manage network tunnel operations, making it an attractive target for remote attackers.

Root Cause

The root cause of CVE-2023-21548 stems from improper memory handling within the SSTP service implementation. The vulnerability is associated with sensitive data being stored in improperly locked memory (CWE-591), which can lead to memory corruption conditions that an attacker can leverage for code execution. The SSTP protocol implementation fails to properly validate or secure memory operations during protocol processing, creating an exploitable condition.

Attack Vector

The attack vector for CVE-2023-21548 is network-based, targeting systems with the SSTP service enabled and exposed to network traffic. An attacker can exploit this vulnerability by:

  1. Identifying systems with the Routing and Remote Access Service (RRAS) enabled and configured for SSTP VPN connections
  2. Sending specially crafted SSTP protocol messages to the target system over HTTPS (typically port 443)
  3. Triggering the memory corruption condition through malformed protocol data
  4. Achieving code execution with SYSTEM-level privileges

The vulnerability does not require authentication, though the high attack complexity indicates that timing or specific conditions may need to be met for reliable exploitation.

Detection Methods for CVE-2023-21548

Indicators of Compromise

  • Unusual or malformed SSTP protocol traffic on port 443 targeting VPN-enabled servers
  • Unexpected crashes or restarts of the Routing and Remote Access Service (RRAS)
  • System instability or abnormal memory usage patterns in SSTP-related processes
  • Evidence of unauthorized code execution or new processes spawned by system services

Detection Strategies

  • Monitor network traffic for anomalous SSTP protocol communications, particularly malformed or oversized packets
  • Implement endpoint detection rules to identify unusual behavior from sstpsvc.dll or RRAS-related processes
  • Deploy intrusion detection signatures to identify exploitation attempts targeting SSTP services
  • Enable Windows Event logging for Remote Access services to capture potential attack indicators

Monitoring Recommendations

  • Configure SIEM solutions to alert on repeated connection attempts to SSTP services from untrusted sources
  • Monitor for unexpected service crashes or restarts of the Remote Access service (RemoteAccess)
  • Implement network segmentation logging to track access attempts to VPN infrastructure
  • Review Windows Security logs for process creation events associated with RRAS services

How to Mitigate CVE-2023-21548

Immediate Actions Required

  • Apply the Microsoft security update for CVE-2023-21548 immediately on all affected systems
  • Prioritize patching for systems with SSTP VPN services exposed to the internet
  • Conduct an inventory of all systems running Routing and Remote Access Service (RRAS)
  • Review firewall rules to ensure SSTP services are only accessible from trusted networks

Patch Information

Microsoft released security updates addressing CVE-2023-21548 as part of the January 2023 Patch Tuesday release. Organizations should obtain the appropriate security update from the Microsoft Security Update Guide for CVE-2023-21548. The patch corrects the memory handling issues in the SSTP service implementation that allow remote code execution.

Workarounds

  • If SSTP VPN functionality is not required, disable the Routing and Remote Access Service (RRAS) on affected systems
  • Restrict network access to SSTP services through firewall rules, limiting connections to trusted IP ranges only
  • Consider transitioning to alternative VPN protocols such as IKEv2 until patching is complete
  • Implement network-level filtering to block potentially malicious SSTP traffic at perimeter devices
bash
# Disable RRAS service as a temporary workaround
Stop-Service -Name "RemoteAccess" -Force
Set-Service -Name "RemoteAccess" -StartupType Disabled

# Verify service status
Get-Service -Name "RemoteAccess" | Select-Object Name, Status, StartType

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne