CVE-2024-43589 Overview
CVE-2024-43589 is a remote code execution vulnerability in the Windows Routing and Remote Access Service (RRAS). The flaw affects multiple Windows Server versions from 2008 through 2022 23H2. An attacker can exploit the issue over the network to execute arbitrary code on a vulnerable host, provided the target user performs an action (UI:R). Microsoft assigned the vulnerability a CVSS 3.1 base score of 8.8 and categorized it under [CWE-122] Heap-based Buffer Overflow. The EPSS probability is 1.397% (68.9th percentile), indicating measurable exploit interest relative to the broader CVE population. No public proof-of-concept exploit is currently catalogued, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Critical Impact
Successful exploitation grants remote code execution with high impact to confidentiality, integrity, and availability on Windows Server hosts running RRAS.
Affected Products
- Microsoft Windows Server 2008 SP2 (x86, x64) and Server 2008 R2 SP1
- Microsoft Windows Server 2012 and Server 2012 R2
- Microsoft Windows Server 2016, Server 2019, Server 2022, and Server 2022 23H2
Discovery Timeline
- 2024-10-08 - Microsoft published the CVE-2024-43589 advisory and released security updates
- 2024-10-08 - CVE-2024-43589 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-43589
Vulnerability Analysis
The Routing and Remote Access Service implements VPN, dial-up, and routing functionality on Windows Server. CVE-2024-43589 is a heap-based buffer overflow [CWE-122] in the RRAS code path that processes attacker-influenced data. When RRAS handles a crafted request, the service writes beyond the bounds of an allocated heap buffer. The corruption allows an attacker to overwrite adjacent heap structures and divert execution to attacker-controlled code in the context of the RRAS service.
The vulnerability requires user interaction, which typically maps to a client-side trigger such as an administrator connecting to a malicious server or opening attacker-supplied content that initiates the vulnerable code path. No prior authentication is required, and the attack complexity is low. Exploitation results in code execution with the privileges of the RRAS service.
Root Cause
The root cause is improper validation of length or boundary fields in a structure parsed by RRAS. The service allocates a fixed-size heap buffer and then copies attacker-controlled data into it without enforcing the destination size. The resulting out-of-bounds write corrupts heap metadata and adjacent objects, enabling control of execution flow.
Attack Vector
The attack vector is network-based. An attacker delivers a crafted protocol message or response that the targeted RRAS-enabled host processes after a user action. Because RRAS is exposed only when the role is installed and enabled, the population of vulnerable hosts is limited to servers configured as VPN, NAT, or routing endpoints. Microsoft has not released exploitation details, and no public proof-of-concept is currently available.
No verified public exploit code is available for CVE-2024-43589.
Refer to the Microsoft advisory for technical details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43589
Detection Methods for CVE-2024-43589
Indicators of Compromise
- Unexpected crashes or restarts of the RemoteAccess service or svchost.exe instance hosting RRAS, recorded in the System event log
- Child processes spawned by the RRAS service host (for example, cmd.exe, powershell.exe, or rundll32.exe) that do not match baseline behavior
- Outbound network connections initiated by the RRAS service host to non-corporate or unknown destinations
Detection Strategies
- Hunt for process creation events where the parent is the svchost.exe hosting RRAS and the child is a scripting or shell binary
- Correlate Windows Error Reporting and Application Error events (Event ID 1000) referencing modules loaded by RRAS with subsequent service restarts
- Inspect RRAS connection logs for malformed protocol messages immediately preceding service faults
Monitoring Recommendations
- Enable command-line auditing and Sysmon process creation logging on all servers with the Remote Access role installed
- Forward RRAS, System, and Security event logs to a SIEM and alert on service crashes correlated with unusual outbound traffic
- Inventory and continuously track which servers expose RRAS to untrusted networks to prioritize patch and detection coverage
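The hunting query in the Detection Strategies list (shell or scripting children of the RRAS service host) and the Sysmon logging recommended above can be combined into one check. The script below is an added example, not part of the advisory or of any Microsoft tooling. It reads Sysmon Event ID 1 (process creation) records, which carry ParentImage, ParentCommandLine and Image fields, and flags children of the RemoteAccess service host. It assumes that on builds with per-service hosts the RRAS svchost.exe command line contains "-s RemoteAccess"; on older builds that share one netsvcs host, set -RequireServiceSwitch:$false and expect more candidates to triage. The sample records at the end are constructed and not real telemetry.

```powershell
# Added example (not from the advisory): flag shell/scripting children of the
# svchost.exe instance that hosts the RemoteAccess (RRAS) service, using Sysmon
# Event ID 1 from the Microsoft-Windows-Sysmon/Operational log.

$SuspiciousChildren = @(
    'cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe',
    'wscript.exe', 'cscript.exe', 'mshta.exe', 'regsvr32.exe'
)

function Test-RrasChildProcess {
    param(
        [Parameter(Mandatory)][string]$ParentImage,
        [Parameter(Mandatory)][string]$ParentCommandLine,
        [Parameter(Mandatory)][string]$Image,
        [bool]$RequireServiceSwitch = $true   # assumption: "-s RemoteAccess" names the host
    )
    $parentIsSvchost = [System.IO.Path]::GetFileName($ParentImage) -ieq 'svchost.exe'
    $parentIsRras    = (-not $RequireServiceSwitch) -or ($ParentCommandLine -match '-s\s+RemoteAccess\b')
    $childName       = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()
    return [bool]($parentIsSvchost -and $parentIsRras -and ($SuspiciousChildren -contains $childName))
}

function ConvertFrom-SysmonEvent {
    # Turn the EventData name/value pairs of one Sysmon record into a hashtable.
    param([Parameter(Mandatory)]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Find-RrasSuspiciousChildren {
    # Query the local Sysmon log and return matching process creations.
    param([datetime]$Since = (Get-Date).AddDays(-7), [bool]$RequireServiceSwitch = $true)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-SysmonEvent $_
        $hit = Test-RrasChildProcess -ParentImage $d.ParentImage -ParentCommandLine $d.ParentCommandLine `
                                     -Image $d.Image -RequireServiceSwitch $RequireServiceSwitch
        if ($hit) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Parent = $d.ParentCommandLine
                Child  = $d.CommandLine
                User   = $d.User
            }
        }
    }
}

# Constructed sample records (not real telemetry) to exercise the check offline.
$samples = @(
    @{ ParentImage = 'C:\Windows\System32\svchost.exe'
       ParentCommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs -p -s RemoteAccess'
       Image = 'C:\Windows\System32\cmd.exe' }                     # should be flagged
    @{ ParentImage = 'C:\Windows\System32\svchost.exe'
       ParentCommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs -p -s RemoteAccess'
       Image = 'C:\Windows\System32\notepad.exe' }                 # not in the shell list
    @{ ParentImage = 'C:\Windows\explorer.exe'
       ParentCommandLine = 'C:\Windows\explorer.exe'
       Image = 'C:\Windows\System32\cmd.exe' }                     # parent is not the RRAS host
)
foreach ($s in $samples) {
    '{0,-40} <- {1,-60} flagged={2}' -f $s.Image, $s.ParentCommandLine, (Test-RrasChildProcess @s)
}
```

Run Find-RrasSuspiciousChildren on a host with the Remote Access role installed and Sysmon process creation logging enabled, or feed the same three fields from your SIEM's copy of the Sysmon events into Test-RrasChildProcess. Any hit should be correlated with the Event ID 1000 application errors and service restarts named above before escalating.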
How to Mitigate CVE-2024-43589
Immediate Actions Required
- Apply the October 2024 Microsoft security updates referenced in the Microsoft CVE-2024-43589 advisory to every affected Windows Server build
- Identify all servers with the Routing and Remote Access role enabled and prioritize them for patching
- Restrict inbound and outbound RRAS-related traffic to known, trusted networks until patches are deployed
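To act on the first two items above (patch every affected build, and find and prioritise the servers that actually run the role), the following added example, which is not part of the advisory or of any Microsoft tooling, collects the Remote Access role state, the RemoteAccess service state and the presence of a given update from a list of servers over PowerShell remoting and ranks them. It assumes WinRM remoting is enabled and that the ServerManager module is available (it is on Windows Server). The KB identifier is a placeholder: take the one listed for each build in the Microsoft Security Update Guide entry.

```powershell
# Added example (not from the advisory): RRAS exposure and patch-status inventory.
# Assumptions: PowerShell remoting enabled; KB id supplied from the MSRC entry.

function Get-RrasExposureReport {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$KbId   # placeholder, e.g. 'KB<id-from-MSRC-entry>'
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $KbId -ScriptBlock {
        param($KbId)
        $role = Get-WindowsFeature -Name RemoteAccess -ErrorAction SilentlyContinue
        $svc  = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
        $fix  = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
        $status    = 'NotPresent'
        $startType = 'NotPresent'
        if ($svc) {
            $status    = $svc.Status.ToString()
            $startType = $svc.StartType.ToString()
        }
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            OSVersion      = (Get-CimInstance Win32_OperatingSystem).Caption
            RoleInstalled  = [bool]($role -and $role.Installed)
            ServiceStatus  = $status
            StartType      = $startType
            PatchInstalled = [bool]$fix
        }
    } | Select-Object Computer, OSVersion, RoleInstalled, ServiceStatus, StartType, PatchInstalled
}

function Get-RrasPatchPriority {
    # Unpatched hosts with the role installed and the service running come first.
    param([Parameter(Mandatory)]$Report)
    $Report | Sort-Object -Property `
        @{ Expression = { -not $_.PatchInstalled };          Descending = $true },
        @{ Expression = { $_.ServiceStatus -eq 'Running' };  Descending = $true },
        @{ Expression = { $_.RoleInstalled };                Descending = $true }
}

# Usage (requires the ActiveDirectory module for the server list; any string[] works):
# $servers = (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name
# $report  = Get-RrasExposureReport -ComputerName $servers -KbId 'KB<id-from-MSRC-entry>'
# Get-RrasPatchPriority -Report $report | Format-Table -AutoSize
```

Get-HotFix reads Win32_QuickFixEngineering, which lists cumulative updates by KB id; if your organisation deploys through WSUS or Intune, cross-check the PatchInstalled column against that system's compliance report rather than relying on one source.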
Patch Information
Microsoft released security updates for CVE-2024-43589 on October 8, 2024, covering Windows Server 2008 SP2, Server 2008 R2 SP1, Server 2012, Server 2012 R2, Server 2016, Server 2019, Server 2022, and Server 2022 23H2. Refer to the Microsoft Security Update Guide entry for the specific KB articles applicable to each operating system build.
Workarounds
- Disable the Routing and Remote Access service on systems that do not require VPN, NAT, or routing functionality
- Block RRAS-related ports at the perimeter where the service must remain installed but should not be reachable from untrusted networks
- Limit administrator interaction with untrusted remote servers, since exploitation requires user interaction
# Check whether the Routing and Remote Access service is running
sc.exe query RemoteAccess
# Stop and disable RRAS on hosts that do not need it
sc.exe stop RemoteAccess
# Note: sc.exe requires the space after "start=" in the next command
sc.exe config RemoteAccess start= disabled
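For hosts where RRAS must stay installed but should not be reachable from untrusted networks (the second workaround above), the perimeter filter can be mirrored on the host itself. The script below is an added example, not part of the advisory or of Microsoft's RRAS tooling. It disables the broad built-in inbound rules and replaces them with allow rules scoped to trusted source ranges for the standard VPN transports RRAS serves (PPTP TCP 1723 plus GRE, L2TP UDP 1701, IKE UDP 500, NAT-T UDP 4500, SSTP TCP 443), then reports any remaining enabled allow rule on those ports that still accepts any source. It assumes Windows Defender Firewall is in use with the default inbound action of Block, that the built-in rules sit in the display group "Routing and Remote Access", and that the trusted ranges are placeholders you replace.

```powershell
# Added example (not from the advisory): scope inbound RRAS traffic to trusted sources.
# Assumptions: Windows firewall active, default inbound action Block, built-in RRAS
# rules in display group "Routing and Remote Access"; address ranges are placeholders.

$TrustedSources = @('10.0.0.0/8', '192.0.2.0/24')   # placeholder management/partner ranges

# Standard listener assignments for the VPN transports RRAS can serve.
$RrasListeners = @(
    @{ Name = 'PPTP';  Protocol = 'TCP'; LocalPort = 1723 }
    @{ Name = 'L2TP';  Protocol = 'UDP'; LocalPort = 1701 }
    @{ Name = 'IKE';   Protocol = 'UDP'; LocalPort = 500  }
    @{ Name = 'NAT-T'; Protocol = 'UDP'; LocalPort = 4500 }
    @{ Name = 'SSTP';  Protocol = 'TCP'; LocalPort = 443  }
)

function Set-RrasInboundScope {
    param([string[]]$RemoteAddress = $TrustedSources, [switch]$WhatIf)
    # 1. Disable the broad built-in allow rules so they no longer admit any source.
    Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' -Direction Inbound -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule -WhatIf:$WhatIf
    # 2. Create scoped allow rules; with inbound default Block, other sources are dropped.
    foreach ($l in $RrasListeners) {
        New-NetFirewallRule -DisplayName ('RRAS {0} (trusted sources only)' -f $l.Name) `
            -Direction Inbound -Action Allow -Profile Any `
            -Protocol $l.Protocol -LocalPort $l.LocalPort `
            -RemoteAddress $RemoteAddress -WhatIf:$WhatIf | Out-Null
    }
    # GRE (IP protocol 47) carries PPTP data and has no port.
    New-NetFirewallRule -DisplayName 'RRAS GRE (trusted sources only)' -Direction Inbound -Action Allow `
        -Profile Any -Protocol 47 -RemoteAddress $RemoteAddress -WhatIf:$WhatIf | Out-Null
}

function Get-RrasOpenListeners {
    # Enabled inbound allow rules on RRAS ports whose remote address is still Any.
    $ports = $RrasListeners | ForEach-Object { '{0}:{1}' -f $_.Protocol, $_.LocalPort }
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $pf   = $rule | Get-NetFirewallPortFilter
        $af   = $rule | Get-NetFirewallAddressFilter
        $key  = '{0}:{1}' -f $pf.Protocol, $pf.LocalPort
        if (($ports -contains $key) -and ($af.RemoteAddress -eq 'Any')) {
            [pscustomobject]@{ Rule = $rule.DisplayName; Port = $key; RemoteAddress = $af.RemoteAddress }
        }
    }
}

# Usage: preview first, then apply and verify nothing unscoped remains.
# Set-RrasInboundScope -WhatIf
# Set-RrasInboundScope
# Get-RrasOpenListeners | Format-Table -AutoSize
```

Because SSTP shares TCP 443 with any web server on the host, an unscoped allow rule for IIS or another listener would keep that port open regardless of the RRAS rule; Get-RrasOpenListeners surfaces exactly those cases so they can be scoped or accepted deliberately.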
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.