CVE-2024-38154 Overview
CVE-2024-38154 is a remote code execution vulnerability in the Windows Routing and Remote Access Service (RRAS). The flaw affects multiple supported Windows Server releases from Server 2008 through Server 2022 23H2. Microsoft disclosed the issue as part of its August 2024 Patch Tuesday cycle. The weakness is tracked under [CWE-122] (heap-based buffer overflow) and carries a CVSS 3.1 score of 8.8. Successful exploitation requires the targeted user to interact with attacker-controlled content, after which the adversary can execute arbitrary code within the context of the RRAS service.
Critical Impact
An attacker can achieve remote code execution on a Windows Server running the Routing and Remote Access Service, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows Server 2008 SP2 and Windows Server 2008 R2 SP1 (x64)
- Microsoft Windows Server 2012 and Windows Server 2012 R2
- Microsoft Windows Server 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-08-13 - Microsoft releases security update for CVE-2024-38154
- 2024-08-13 - CVE-2024-38154 published to NVD
- 2024-08-16 - Last updated in NVD database
Technical Details for CVE-2024-38154
Vulnerability Analysis
The vulnerability resides in the Windows Routing and Remote Access Service (RRAS), a server role that provides routing, dial-up, VPN, and NAT functionality for Windows Server. The defect is classified as a heap-based buffer overflow under [CWE-122]. An attacker who can deliver crafted input to a vulnerable RRAS-enabled host can corrupt heap memory and steer execution into attacker-controlled code paths.
Exploitation is network-based and does not require prior authentication, but user interaction is required for the attack chain to complete. Microsoft's advisory characterizes the access complexity as low, meaning that once a target interacts with the malicious content, no specialized conditions need to be met to trigger the overflow. Successful exploitation grants code execution in the security context of the RRAS service, providing a foothold for lateral movement and persistence within the network.
Root Cause
The root cause is improper validation of attacker-supplied data sizes prior to a heap allocation or copy operation inside RRAS message handling. When the service processes a malformed routing or remote access message, data is written beyond the bounds of the allocated heap buffer, corrupting adjacent metadata or function pointers.
Attack Vector
The attack vector is network-based with required user interaction. A representative scenario involves coercing an administrator or service operator on a server running RRAS to connect to or process content from an attacker-controlled endpoint. The malformed traffic triggers the heap overflow within the RRAS process, enabling arbitrary code execution. No verified public proof-of-concept exploit is currently associated with this CVE, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The current EPSS probability is approximately 8.06% (92nd percentile), indicating elevated likelihood of exploitation relative to the broader CVE population.
No verified public exploitation code is available. Refer to the Microsoft Security Update CVE-2024-38154 advisory for vendor technical details.
Detection Methods for CVE-2024-38154
Indicators of Compromise
- Unexpected crashes, restarts, or access violations in the RemoteAccess service or the svchost.exe instance hosting RRAS.
- Child processes such as cmd.exe, powershell.exe, or rundll32.exe spawned by the RRAS service host.
- Anomalous inbound traffic to RRAS-related ports (PPTP TCP/1723, L2TP UDP/1701, SSTP TCP/443, IKE UDP/500/4500) from unexpected sources.
- New scheduled tasks, services, or autoruns created shortly after RRAS service anomalies on affected servers.
Detection Strategies
- Monitor Windows Event Logs for Service Control Manager events indicating unexpected termination or restart of the Routing and Remote Access service.
- Hunt for process tree anomalies where the RRAS service host launches interactive shells, scripting engines, or networking utilities.
- Inspect network telemetry for malformed routing/VPN protocol messages targeting RRAS endpoints.
Monitoring Recommendations
- Inventory all Windows Servers with the Routing and Remote Access role enabled and prioritize them for patch validation and telemetry coverage.
- Forward EDR, Sysmon, and Windows Security logs from RRAS hosts to a centralized analytics platform for correlation with network flow data.
- Establish alerting on new outbound connections initiated by the RRAS service host, which is uncommon during normal operation.
How to Mitigate CVE-2024-38154
Immediate Actions Required
- Apply the August 2024 Microsoft security updates referenced in the Microsoft Security Update CVE-2024-38154 advisory to all affected Windows Server versions.
- Audit which servers actually require the Routing and Remote Access role and disable it on any host where it is not needed.
- Restrict inbound access to RRAS protocols at the perimeter and internal firewalls to known administrative source ranges.
- Validate that endpoint protection is active on all RRAS hosts and capable of detecting post-exploitation behavior such as suspicious child processes.
Patch Information
Microsoft published fixes for CVE-2024-38154 on August 13, 2024 across Windows Server 2008 SP2, Server 2008 R2 SP1, Server 2012, Server 2012 R2, Server 2016, Server 2019, Server 2022, and Server 2022 23H2. Refer to the Microsoft Security Update CVE-2024-38154 advisory for the build numbers and KB articles applicable to each Windows Server SKU.
Workarounds
- Disable the Routing and Remote Access service on hosts that do not require routing, VPN, or dial-up functionality until the patch is applied.
- Block external access to RRAS-related ports (TCP/1723, UDP/1701, TCP/443 SSTP, UDP/500, UDP/4500) at the network boundary where the service is not exposed for legitimate use.
- Enforce network segmentation so that servers hosting RRAS are reachable only from administrative subnets and authorized VPN clients.
# Disable the Routing and Remote Access service on hosts that do not require it
sc.exe stop RemoteAccess
sc.exe config RemoteAccess start= disabled
# Verify the role is not installed (PowerShell)
Get-WindowsFeature -Name RemoteAccess, Routing
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
