
CVE-2024-30022: Windows 10 1507 RRAS RCE Vulnerability

CVE-2024-30022 is a remote code execution vulnerability in Windows Routing and Remote Access Service affecting Windows 10 1507. Attackers can exploit this flaw to execute arbitrary code. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

CVE-2024-30022 Overview

CVE-2024-30022 is a remote code execution vulnerability in the Windows Routing and Remote Access Service (RRAS). The flaw affects a broad range of Microsoft Windows client and server editions, from Windows 10 1507 through Windows 11 23H2 and Windows Server 2008 through Windows Server 2022 23H2. Microsoft disclosed the issue in its May 2024 Patch Tuesday release. The underlying weakness is classified as a numeric truncation error [CWE-197], which can allow an attacker to corrupt RRAS processing and execute code in the context of the service. The attack vector is the network, the attack complexity is rated high, and successful exploitation requires user interaction.

Critical Impact

Remote attackers who win a race or trick a user into a specific action can execute arbitrary code via RRAS, leading to full confidentiality, integrity, and availability impact on affected Windows systems.

Affected Products

  • Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
  • Microsoft Windows 11 (21H2, 22H2, 23H2)
  • Microsoft Windows Server 2008, 2012, 2012 R2, 2016, 2019, 2022, and 2022 23H2

Discovery Timeline

  • 2024-05-14 - CVE-2024-30022 published to NVD by Microsoft
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-30022

Vulnerability Analysis

The vulnerability resides in the Windows Routing and Remote Access Service (RRAS), an optional role that provides routing, dial-up, VPN, and NAT services on Windows. RRAS handles complex network protocol parsing on behalf of multiple subsystems. Improper handling of integer values during this parsing creates the conditions required for memory corruption and code execution. Exploitation requires user interaction, which suggests an attacker must convince a victim to connect to a malicious endpoint or trigger a specific RRAS code path. High attack complexity indicates that exploitation depends on conditions outside the attacker's direct control, such as timing or memory layout.

Root Cause

The root cause is a numeric truncation error [CWE-197]. When RRAS processes attacker-controlled network input, a larger integer value is converted into a smaller integer type without adequate validation. The truncated value is then used in size calculations or buffer indexing, allowing data to be written or read outside the intended bounds. This out-of-bounds access corrupts memory used by the RRAS service and creates a path to arbitrary code execution within the service context.

Attack Vector

The attack is network-based and does not require prior authentication, but the attacker must induce user interaction to reach the vulnerable code path. A typical scenario involves convincing a user with an RRAS-enabled system to initiate a connection toward an attacker-controlled server, which then returns crafted protocol responses that trigger the truncation defect. Systems that do not have the RRAS role enabled are not exposed to this vector. Refer to the Microsoft CVE-2024-30022 Advisory for vendor-confirmed technical scope.

No public proof-of-concept or in-the-wild exploitation has been reported, and the issue is not listed in the CISA KEV catalog. See the Microsoft Security Response Center advisory for protocol-level details.

Detection Methods for CVE-2024-30022

Indicators of Compromise

  • Unexpected crashes, restarts, or access violations in the RemoteAccess service or its hosting svchost.exe instance.
  • New or unusual child processes spawned by the RRAS service host outside of routine administrative activity.
  • Anomalous outbound connections from RRAS-enabled hosts to untrusted internet endpoints during user-initiated VPN or dial-up sessions.

Detection Strategies

  • Inventory all Windows systems with the Routing and Remote Access role enabled and confirm patch level against the May 2024 security update for each affected build.
  • Hunt for process anomalies tied to the RRAS service host, including unexpected module loads and post-exploitation behavior such as credential access or lateral movement primitives.
  • Correlate Windows Event Log entries from the RemoteAccess source with EDR telemetry to surface crash-then-execute sequences indicative of memory corruption exploitation.

Monitoring Recommendations

  • Forward Windows Event Logs, Sysmon process and network telemetry, and EDR alerts from RRAS-enabled servers into a centralized analytics pipeline for retrospective hunting.
  • Alert on first-seen child processes of svchost.exe instances hosting RemoteAccess, especially cmd.exe, powershell.exe, or scripting engines.
  • Track service stop, start, and configuration change events for RRAS to detect tampering that often accompanies exploitation.
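The first-seen child-process rule from the monitoring recommendations and the process-anomaly hunt from the detection strategies above, implemented as an added example (not part of the original page or of any Microsoft tooling) over constructed Sysmon-style records. The svchost `-s <ServiceName>` convention, the list of high-risk child images and the sample events are assumptions.

```python
import ntpath
import re

# Shells and scripting engines the page singles out as high-risk children (assumed list).
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Modern svchost.exe hosts one service per process and names it with "-s <ServiceName>".
SERVICE_FLAG = re.compile(r"-s\s+(\S+)", re.IGNORECASE)

def hosting_service(parent_image, parent_cmdline):
    """Return the service a svchost.exe parent hosts, or None for any other parent."""
    if ntpath.basename(parent_image).lower() != "svchost.exe":
        return None
    m = SERVICE_FLAG.search(parent_cmdline)
    return m.group(1) if m else None

def detect(events, seen=None):
    """Alert on first-seen children of the RemoteAccess svchost; `seen` (host -> child names) is
    the baseline, updated in place so a repeat of the same child on the same host alerts only once."""
    seen = {} if seen is None else seen
    alerts = []
    for ev in events:
        svc = hosting_service(ev["parent_image"], ev["parent_cmdline"])
        if svc is None or svc.lower() != "remoteaccess":
            continue  # not the RRAS host process: out of scope for this rule
        child = ntpath.basename(ev["image"]).lower()
        baseline = seen.setdefault(ev["host"], set())
        if child in baseline:
            continue
        baseline.add(child)
        severity = "high" if child in HIGH_RISK_CHILDREN else "medium"
        alerts.append({"host": ev["host"], "child": child, "severity": severity, "cmdline": ev["cmdline"]})
    return alerts

# Constructed Sysmon-style process-creation records (Event ID 1 fields), not real telemetry.
RRAS_PARENT = "svchost.exe -k netsvcs -p -s RemoteAccess"
SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE_EVENTS = [
    {"host": "rras01", "parent_image": SVCHOST, "parent_cmdline": RRAS_PARENT,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "rras01", "parent_image": SVCHOST, "parent_cmdline": RRAS_PARENT,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c hostname"},  # repeat: no 2nd alert
    {"host": "rras01", "parent_image": SVCHOST, "parent_cmdline": "svchost.exe -k netsvcs -p -s Schedule",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c nightly.bat"},  # other service
    {"host": "rras02", "parent_image": SVCHOST, "parent_cmdline": RRAS_PARENT,
     "image": r"C:\Windows\System32\WerFault.exe", "cmdline": "WerFault.exe -u -p 4120 -s 1"},  # crash handler
]

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```

The medium-severity alert on the crash handler is what a crash-then-execute sequence looks like at the process layer; correlate it with RemoteAccess event log entries before escalating.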

How to Mitigate CVE-2024-30022

Immediate Actions Required

  • Apply the May 2024 Microsoft security update referenced in the Microsoft CVE-2024-30022 Advisory to all affected Windows client and server builds.
  • Disable the Routing and Remote Access role on systems that do not require RRAS functionality to remove the attack surface entirely.
  • Restrict outbound connectivity from RRAS-enabled hosts and limit which users can initiate VPN or dial-up sessions from those systems.

Patch Information

Microsoft released fixes for CVE-2024-30022 as part of the May 14, 2024 security updates. Administrators should consult the Microsoft Security Response Center advisory for the specific KB article and build numbers that correspond to each affected Windows release. Apply updates through Windows Update, WSUS, Microsoft Update Catalog, or your standard patch management tooling and verify installation on every RRAS-enabled host.

Workarounds

  • Stop and disable the RemoteAccess service on hosts where RRAS is not operationally required until patches can be staged.
  • Place RRAS endpoints behind network segmentation and firewall rules that restrict access to known, trusted peers only.
  • Enforce user-awareness controls and conditional access policies to reduce the likelihood that users initiate connections to attacker-controlled RRAS endpoints.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
