
CVE-2024-49104: Windows 10 1507 RRAS RCE Vulnerability

CVE-2024-49104 is a remote code execution vulnerability in Windows Routing and Remote Access Service (RRAS) affecting Windows 10 1507. Attackers can exploit this flaw to execute arbitrary code remotely. This article covers technical details, affected versions, impact assessment, and mitigation strategies.


CVE-2024-49104 Overview

CVE-2024-49104 is a remote code execution vulnerability in the Microsoft Windows Routing and Remote Access Service (RRAS). The flaw affects a broad range of Windows client and server versions, from Windows 10 1507 through Windows 11 24H2 and Windows Server 2008 through Windows Server 2025. Microsoft classifies the issue under [CWE-122] (Heap-based Buffer Overflow). Exploitation requires user interaction over a network, and a successful attack yields high impact to confidentiality, integrity, and availability. Microsoft addressed the issue in its December 2024 Patch Tuesday release.

Critical Impact

Successful exploitation allows an attacker to execute arbitrary code on systems running the Routing and Remote Access Service, leading to full compromise of the host.

Affected Products

  • Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2) and Windows 11 (22H2, 23H2, 24H2)
  • Microsoft Windows Server 2008 (SP2 and R2 SP1), 2012, 2012 R2, 2016, 2019
  • Microsoft Windows Server 2022, 2022 23H2, and 2025

Discovery Timeline

  • 2024-12-12 - CVE-2024-49104 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-49104

Vulnerability Analysis

The vulnerability resides in the Windows Routing and Remote Access Service, a component that provides routing, VPN, and dial-up remote access services for Windows hosts. The flaw is a heap-based buffer overflow ([CWE-122]) triggered when RRAS processes specially crafted input from a network source. An attacker who convinces a user to connect to or interact with a malicious server can corrupt heap memory in the RRAS process and gain code execution in its context.

The attack is network-reachable with low complexity and requires no prior privileges. However, user interaction is required, which generally means social engineering the target into initiating or accepting a connection. Microsoft has not reported public exploitation, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS model places this CVE in the 73rd percentile, indicating moderately elevated exploit likelihood relative to peers.

Root Cause

The root cause is improper validation of attacker-controlled data sizes or boundaries when RRAS allocates and writes into heap buffers. Out-of-bounds writes during the parsing or handling of remote access protocol data corrupt adjacent heap structures, enabling control of execution flow.

Attack Vector

A remote attacker hosts a malicious server or sends crafted traffic to an RRAS-enabled host. After the user initiates the connection, the malformed packet stream triggers the overflow inside the RRAS service, allowing the attacker to execute arbitrary code with the service's privileges. Refer to the Microsoft CVE-2024-49104 Update Guide for full vendor analysis.

Detection Methods for CVE-2024-49104

Indicators of Compromise

  • Unexpected crashes, restarts, or memory faults of the RemoteAccess service or svchost.exe instances hosting RRAS.
  • New or unusual outbound connections initiated from a host shortly after a user attempts a VPN or dial-up connection.
  • Creation of child processes by the RRAS service (for example, cmd.exe, powershell.exe, or rundll32.exe spawned from svchost.exe hosting RRAS).

Detection Strategies

  • Hunt for anomalous process lineage where the RRAS-hosting svchost.exe spawns interactive shells or scripting engines.
  • Correlate Windows Error Reporting (WER) and Application crash events referencing RRAS modules with subsequent suspicious network activity.
  • Inspect Windows Event Logs (System and Application channels) for RRAS service failures combined with privilege use events.
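The following PowerShell script is an added example (not part of the advisory or any Microsoft tooling) that implements the first and third strategies above on a single RRAS host: it flags process-creation events where an svchost.exe spawns a shell or scripting engine, attributes those whose creator PID matches the live RemoteAccess service instance, and lists Service Control Manager events recording unexpected termination of the RRAS service. It assumes it runs elevated, that "Audit Process Creation" (Security Event ID 4688, ideally with command-line auditing) is enabled, and that the list of suspicious child processes is an operator choice.

```powershell
# Added hunting script, not part of the advisory. Assumes: elevated session on the
# RRAS host and Security Event ID 4688 auditing enabled. The child-process list
# below is our own choice of processes a network service host should never spawn.
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe',
                        'rundll32.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')

function Get-RrasService {
    # CIM exposes the PID of the svchost.exe currently hosting RemoteAccess
    # (ProcessId is 0 while the service is stopped, $null if not installed).
    Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteAccess'"
}

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of an event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    return $d
}

function Find-SvchostSpawnedShells {
    param([int]$Hours = 24)
    $svc = Get-RrasService
    $rrasPid = if ($svc) { [int]$svc.ProcessId } else { 0 }

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        $child  = [System.IO.Path]::GetFileName($d['NewProcessName'])
        $parent = $d['ParentProcessName']                 # populated on Windows 10 and later
        # The creator PID is logged as a hex string such as 0x1a2c.
        $creatorPid = [Convert]::ToInt32($d['ProcessId'], 16)

        if ($parent -like '*\svchost.exe' -and $SuspiciousChildren -contains $child) {
            # Only the live service instance can be attributed by PID; events from
            # earlier instances are still reported, as unattributed svchost children.
            if ($rrasPid -ne 0 -and $creatorPid -eq $rrasPid) {
                $attribution = 'RemoteAccess (current instance)'
            } else {
                $attribution = 'svchost.exe (service not attributable from 4688)'
            }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Child       = $d['NewProcessName']
                CommandLine = $d['CommandLine']           # empty unless command-line auditing is on
                CreatorPid  = $creatorPid
                Attribution = $attribution
            }
        }
    }
}

function Find-RrasServiceFailures {
    param([int]$Hours = 24)
    # SCM Event IDs 7031/7034: a service terminated unexpectedly (with / without restart).
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'
                 Id = 7031, 7034; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Routing and Remote Access' } |
        Select-Object TimeCreated, Id, Message
}

# Usage: review the last three days, crashes first so they can be correlated
# with any shell spawned shortly afterwards.
Find-RrasServiceFailures -Hours 72 | Format-Table -AutoSize
Find-SvchostSpawnedShells -Hours 72 | Format-Table -AutoSize
```

Event ID 4688 names the parent image but not the service it hosts, so attribution to RemoteAccess is exact only for the instance that is running when the script executes; for historical attribution, a telemetry source that records the parent command line (the service's own svchost.exe arguments) is needed. A crash recorded by 7031/7034 followed within minutes by a shell under svchost.exe is the combination worth escalating.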

Monitoring Recommendations

  • Enable command-line and module load auditing on hosts where RRAS is enabled, particularly RAS gateways and VPN servers.
  • Monitor inbound and outbound RRAS-related ports and protocols (PPTP/GRE, L2TP/IPsec, SSTP) for unusual peers or volumes.
  • Alert on configuration changes to the RemoteAccess service start type or binary path.

How to Mitigate CVE-2024-49104

Immediate Actions Required

  • Apply Microsoft's December 2024 security updates to all affected Windows client and server SKUs listed in the advisory.
  • Inventory hosts where the Routing and Remote Access role or service is installed and prioritize them for patching.
  • Restrict who can initiate outbound VPN or remote access connections to untrusted networks until patching completes.
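The PowerShell below is an added example (not from the advisory) that supports the inventory step above and the "alert on configuration changes" recommendation in the Monitoring section: for each host it reports whether the RemoteAccess service exists, its start mode and state, whether its binary path is still the expected svchost.exe, and a coarse patch-level heuristic, so RRAS gateways can be prioritised for patching and hosts that do not need RRAS can have it disabled. It assumes WinRM/CIM access to the target hosts, that Windows is installed under \Windows, and an operator-maintained allow-list of hosts that legitimately run RRAS; the host names are constructed samples.

```powershell
# Added inventory and baseline script, not part of the advisory. Assumes CIM/WinRM
# access to each target and an operator-maintained allow-list of RRAS gateways.
# Host names below are constructed samples.
$ApprovedRrasHosts = @('vpn-gw-01', 'vpn-gw-02')

function Test-RrasHost {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Splat -ComputerName only for remote targets so the local host needs no WinRM.
    $cim = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim = @{ ComputerName = $ComputerName } }
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteAccess'" @cim -ErrorAction SilentlyContinue

    # Coarse heuristic only: date of the most recently installed update. It does not
    # prove the specific December 2024 fix is present; map builds to KB articles via
    # the Microsoft Update Guide for that.
    $latest = Get-HotFix @cim -ErrorAction SilentlyContinue |
              Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchedSinceDec2024 = [bool]($latest -and ($latest.InstalledOn -ge [datetime]'2024-12-10'))

    $findings = @()
    $state = $null; $startMode = $null
    if ($svc) {
        $state = $svc.State; $startMode = $svc.StartMode
        $approved = $ApprovedRrasHosts -contains $ComputerName
        # RRAS is hosted by svchost.exe; any other binary path means the service
        # registration was altered (assumes Windows under <drive>:\Windows).
        if ($svc.PathName -notmatch '^(?i)[a-z]:\\windows\\system32\\svchost\.exe\b') {
            $findings += "unexpected binary path: $($svc.PathName)"
        }
        if (-not $approved -and $startMode -ne 'Disabled') {
            $findings += "RRAS enabled ($startMode) on a host not approved to run it"
        }
        if ($approved -and -not $patchedSinceDec2024) {
            $findings += 'RRAS gateway with no updates since Dec 2024: patch first'
        }
    }
    $latestId = $null
    if ($latest) { $latestId = $latest.HotFixID }

    [pscustomobject]@{
        ComputerName        = $ComputerName
        RrasInstalled       = [bool]$svc
        State               = $state
        StartMode           = $startMode
        LatestUpdate        = $latestId
        PatchedSinceDec2024 = $patchedSinceDec2024
        Findings            = ($findings -join '; ')
    }
}

# Usage: the local host plus the approved gateways (constructed target list).
@($env:COMPUTERNAME) + $ApprovedRrasHosts |
    ForEach-Object { Test-RrasHost -ComputerName $_ } |
    Format-Table -AutoSize
```

Run it on a schedule and diff the StartMode and binary-path columns against the previous run; a change on either is the configuration-change alert the Monitoring section calls for, and a non-empty Findings column on an unapproved host is the candidate for the disable-service workaround below.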

Patch Information

Microsoft released fixes for CVE-2024-49104 in the December 2024 Patch Tuesday cycle. Refer to the Microsoft CVE-2024-49104 Update Guide for the specific KB articles and update packages mapped to each affected build.

Workarounds

  • Disable the Routing and Remote Access Service on hosts that do not require it, setting the RemoteAccess service start type to Disabled.
  • Block outbound connections to untrusted RRAS or VPN endpoints at the perimeter firewall to reduce exposure to user-initiated attacks.
  • Train users to avoid connecting to unsolicited VPN or remote access endpoints, since exploitation requires user interaction.
```cmd
:: Disable the Routing and Remote Access service on hosts that do not need it
:: (run from an elevated command prompt or PowerShell session)
sc.exe config RemoteAccess start= disabled
sc.exe stop RemoteAccess

:: Verify the current state and start type
sc.exe query RemoteAccess
sc.exe qc RemoteAccess
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
