CVE-2024-30024 Overview
CVE-2024-30024 is a remote code execution vulnerability affecting the Windows Routing and Remote Access Service (RRAS). Microsoft disclosed the issue on May 14, 2024 as part of its monthly security update cycle. The flaw is categorized under [CWE-197] (Numeric Truncation Error) and carries a CVSS 3.1 base score of 7.5. Successful exploitation can allow an attacker to execute arbitrary code on systems where RRAS is enabled. Exploitation requires user interaction and a network-reachable target, and the attack complexity is rated High. The vulnerability impacts a broad range of Windows client and server versions still in active deployment.
Critical Impact
An attacker who successfully exploits this flaw can achieve remote code execution against Windows hosts running RRAS, with full impact to confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2) and Windows 11 (21H2, 22H2, 23H2)
- Microsoft Windows Server 2008 SP2, 2008 R2 SP1, 2012, and 2012 R2
- Microsoft Windows Server 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-05-14 - CVE-2024-30024 published to the National Vulnerability Database
- 2024-05-14 - Microsoft released the security advisory and patch through the Microsoft Security Update Guide
- 2025-01-08 - Last updated in NVD database
Technical Details for CVE-2024-30024
Vulnerability Analysis
The vulnerability resides in the Windows Routing and Remote Access Service, a Microsoft component that provides routing, dial-up, VPN, and NAT capabilities for Windows servers and clients. RRAS processes inbound network traffic from clients attempting to connect to remote-access endpoints. The flaw stems from a numeric truncation error during message parsing, classified under [CWE-197]. When the service handles attacker-supplied integer values, it converts between data widths in a way that can shrink or misrepresent the original value. The truncated value is then used in subsequent memory operations, leading to memory corruption that an attacker can leverage for arbitrary code execution.
Root Cause
The root cause is improper handling of integer size conversions within RRAS request processing logic. Larger integer values are cast to smaller types without validating that the original value fits within the destination type. This produces incorrect length or offset calculations, which downstream code trusts when allocating or copying buffers.
Attack Vector
The attack vector is network-based. An attacker sends specially crafted requests to a target Windows host where RRAS is configured and reachable. Exploitation requires user interaction, which raises the bar for successful attacks. Microsoft also rates attack complexity as High, indicating that the attacker must win specific conditions or perform additional preparation to trigger the vulnerable code path reliably. According to the Exploit Prediction Scoring System, the issue sits in the 82.9th percentile, indicating meaningful real-world exploitation likelihood relative to other published CVEs.
No verified public proof-of-concept code has been published. For technical specifics, refer to the Microsoft Security Update Guide.
Detection Methods for CVE-2024-30024
Indicators of Compromise
- Unexpected crashes or restarts of the RemoteAccess service or its host process on systems running RRAS
- Anomalous inbound traffic to RRAS-related ports such as TCP 1723 (PPTP), UDP 500/4500 (IKE/IPsec), and protocol 47 (GRE)
- New or unexpected child processes spawned by RRAS service binaries
- Outbound connections from RRAS hosts to unfamiliar external infrastructure following inbound connection attempts
Detection Strategies
- Inventory all Windows hosts where RRAS is installed and enabled, and confirm patch status against the Microsoft May 2024 updates
- Inspect Windows event logs for repeated RRAS service errors, access violations, or faulting modules tied to the RRAS service
- Apply network IDS/IPS signatures focused on malformed RRAS, PPTP, and L2TP traffic patterns
Monitoring Recommendations
- Monitor for process-creation events where RRAS service binaries spawn shells, scripting engines, or LOLBins
- Track authentication attempts and connection failures against RRAS endpoints to identify reconnaissance activity
- Alert on RRAS service stop, start, or configuration changes outside of approved maintenance windows
How to Mitigate CVE-2024-30024
Immediate Actions Required
- Apply the Microsoft security updates released on May 14, 2024 for all affected Windows client and server versions
- Identify systems where RRAS is enabled and prioritize patching those hosts first
- Restrict network exposure of RRAS endpoints to trusted networks and VPN clients only
- Validate that legacy systems such as Windows Server 2008 and 2012 are covered under Extended Security Updates or isolated from untrusted networks
Patch Information
Microsoft published patches concurrent with disclosure. Refer to the Microsoft Security Update Guide for CVE-2024-30024 for KB numbers and download links matched to each supported Windows version. Patching is the only complete remediation.
Workarounds
- Disable the Routing and Remote Access service on hosts where it is not required for business operations
- Block inbound RRAS-related protocols at the perimeter firewall for hosts that do not need to accept external remote-access connections
- Place RRAS servers behind a hardened gateway and require authenticated VPN access before reaching the RRAS listener
# Check RRAS service status and disable if not required
Get-Service -Name RemoteAccess
Set-Service -Name RemoteAccess -StartupType Disabled
Stop-Service -Name RemoteAccess
# Verify installed updates after patching
Get-HotFix | Sort-Object -Property InstalledOn -Descending
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
