
CVE-2025-49688: Windows Server 2012 RRAS RCE Vulnerability

CVE-2025-49688 is a remote code execution flaw in Windows Server 2012 Routing and Remote Access Service caused by a double free condition. Attackers can exploit this over the network to execute unauthorized code.

Published: April 29, 2026

CVE-2025-49688 Overview

A double free vulnerability exists in the Windows Routing and Remote Access Service (RRAS) that allows an unauthorized attacker to execute arbitrary code over a network. This memory corruption flaw occurs when the RRAS component improperly handles memory deallocation, causing the same memory region to be freed twice. An attacker who successfully exploits this vulnerability could gain full control over the affected system with the privileges of the RRAS service.

Critical Impact

Successful exploitation enables remote code execution on Windows Server systems running RRAS, potentially compromising network infrastructure and routing services across enterprise environments.

Affected Products

  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2022
  • Microsoft Windows Server 2022 23H2
  • Microsoft Windows Server 2025

Discovery Timeline

  • 2025-07-08 - CVE-2025-49688 published to NVD
  • 2025-07-15 - Last updated in NVD database

Technical Details for CVE-2025-49688

Vulnerability Analysis

CVE-2025-49688 is classified under CWE-415 (Double Free), a memory corruption vulnerability that occurs when a program attempts to free the same memory allocation more than once. In the context of Windows RRAS, this flaw resides in the service's handling of network routing data structures.

When memory is freed twice, it can lead to heap corruption, allowing an attacker to manipulate heap metadata and potentially achieve arbitrary code execution. The vulnerability is network-accessible, meaning an attacker does not need local access to the target system—only network connectivity to the RRAS service.

The attack requires user interaction, which typically manifests as a victim processing a maliciously crafted network packet or connecting to an attacker-controlled server. Upon successful exploitation, the attacker can achieve complete compromise of confidentiality, integrity, and availability on the target system.

Root Cause

The root cause of this vulnerability is improper memory management within the Windows Routing and Remote Access Service. Specifically, the RRAS component fails to properly track the state of allocated memory objects, leading to a scenario where the free() operation is called twice on the same memory pointer. This can occur when error handling paths or cleanup routines do not adequately nullify pointers after deallocation, or when reference counting mechanisms are incorrectly implemented.

Attack Vector

The attack vector for CVE-2025-49688 is network-based, targeting Windows Server systems with the Routing and Remote Access Service enabled. An attacker can craft malicious network traffic designed to trigger the double free condition in the RRAS memory handling routines.

The exploitation scenario typically involves:

  1. The attacker identifies a Windows Server system with RRAS enabled and accessible over the network
  2. Malicious network packets are sent to the RRAS service, designed to trigger improper memory handling
  3. The double free condition corrupts heap structures, allowing the attacker to control execution flow
  4. Arbitrary code is executed in the context of the RRAS service, potentially with SYSTEM-level privileges

The vulnerability requires user interaction to exploit, which may involve the target system processing specific network traffic or establishing a connection that triggers the vulnerable code path.

Detection Methods for CVE-2025-49688

Indicators of Compromise

  • Unexpected crashes or restarts of the Routing and Remote Access Service (RemoteAccess service)
  • Anomalous heap corruption errors in Windows Event Logs associated with svchost.exe hosting RRAS
  • Unusual outbound network connections from RRAS-related processes following service disruption
  • Memory access violations logged in Windows Error Reporting related to RRAS components

Detection Strategies

  • Deploy network intrusion detection signatures to identify anomalous traffic patterns targeting RRAS ports
  • Enable Windows Defender Exploit Guard to detect and block memory corruption exploitation attempts
  • Monitor for unusual process creation or command execution originating from RRAS service processes
  • Implement behavioral analysis to detect post-exploitation activities following RRAS service anomalies

Monitoring Recommendations

  • Configure centralized logging for Windows Server Event Logs, focusing on System and Application logs for RRAS-related events
  • Enable Windows Security Event ID monitoring for process creation (Event ID 4688) from RRAS-related processes
  • Utilize SentinelOne's real-time behavioral AI to detect memory corruption exploitation attempts and suspicious service behaviors
  • Monitor network traffic to and from systems running RRAS for anomalous patterns or unexpected remote connections
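
An added example (not SentinelOne's or Microsoft's code) of the monitoring described above: it scans exported event XML for unexpected terminations of the RRAS service, using Service Control Manager Event IDs 7031 and 7034 (which this page does not name), and for Event ID 4688 process creations whose creator PID is the svchost.exe instance hosting RRAS. The events, timestamps and host PID are constructed sample data, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RRAS_DISPLAY_NAME = "Routing and Remote Access"  # display name of the RemoteAccess service

def make_event(event_id, when, data):
    """Build one constructed event in the XML layout that wevtutil /f:xml exports."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample data, not real telemetry.
RRAS_HOST_PID = 0x4D0  # assumed PID of the svchost.exe instance hosting RemoteAccess
SAMPLE_EVENTS = [
    make_event(4688, "2025-07-20T09:59:58Z", {"ProcessId": "0x4d0",
               "NewProcessName": r"C:\Windows\System32\cmd.exe"}),
    make_event(4688, "2025-07-20T09:59:59Z", {"ProcessId": "0x1a2c",
               "NewProcessName": r"C:\Windows\System32\notepad.exe"}),
    make_event(7031, "2025-07-20T10:00:01Z", {"param1": RRAS_DISPLAY_NAME, "param2": "1"}),
    make_event(7034, "2025-07-20T10:00:02Z", {"param1": "Print Spooler", "param2": "1"}),
]

def triage(events_xml, rras_pid):
    """Return sorted (time, finding, detail) tuples for RRAS-related events."""
    findings = []
    for raw in events_xml:
        root = ET.fromstring(raw)
        event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
        when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): d.text or ""
                for d in root.iterfind("e:EventData/e:Data", NS)}
        if event_id in (7031, 7034) and data.get("param1") == RRAS_DISPLAY_NAME:
            # The service died without being stopped: matches the crash indicator.
            findings.append((when, "rras-unexpected-termination", data["param1"]))
        elif event_id == 4688 and int(data.get("ProcessId", "0x0"), 16) == rras_pid:
            # In 4688, ProcessId is the creator (parent) PID, logged as hex.
            findings.append((when, "child-of-rras-host", data.get("NewProcessName", "")))
    return sorted(findings)

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, RRAS_HOST_PID):
        print(*finding, sep="  ")
```

On a live server the host PID can be read from the ProcessId property of Get-CimInstance Win32_Service -Filter "Name='RemoteAccess'". If that svchost.exe instance also hosts other services, a child-process hit needs triage before it is attributed to RRAS.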

How to Mitigate CVE-2025-49688

Immediate Actions Required

  • Apply the latest Microsoft security updates for affected Windows Server versions immediately
  • Disable the Routing and Remote Access Service if it is not required in your environment
  • Implement network segmentation to limit exposure of systems running RRAS to untrusted networks
  • Enable Windows Defender Credential Guard and Exploit Guard for additional protection layers
  • Review firewall rules to restrict access to RRAS-related network ports from unauthorized sources

Patch Information

Microsoft has released security updates to address CVE-2025-49688. Organizations should consult the Microsoft Security Response Center Advisory for detailed patch information and download the appropriate updates for their Windows Server version.

Apply patches through Windows Update, Windows Server Update Services (WSUS), or Microsoft Update Catalog. Prioritize patching for internet-facing servers and systems with RRAS enabled in production environments.

Workarounds

  • Disable the Routing and Remote Access Service (RemoteAccess) if not operationally required using Set-Service -Name RemoteAccess -StartupType Disabled
  • Implement firewall rules to block inbound connections to RRAS ports from untrusted network segments
  • Use network-level authentication and VPN solutions as alternative routing mechanisms until patches are applied
  • Deploy application whitelisting to prevent unauthorized code execution on critical server infrastructure
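
```powershell
# Disable RRAS service as a temporary mitigation
# (sc.exe is spelled out because "sc" is an alias for Set-Content in Windows PowerShell)
sc.exe config RemoteAccess start= disabled
sc.exe stop RemoteAccess

# Verify service status
sc.exe query RemoteAccess
```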

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: Windows
  • Severity: HIGH
  • CVSS Score: 8.8
  • EPSS Probability: 0.25%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: High
  • Availability: High

CWE References

  • CWE-415

Vendor Resources

  • Microsoft CVE-2025-49688 Advisory

Related CVEs

  • CVE-2026-33826: Windows Active Directory RCE Vulnerability
  • CVE-2026-32183: Windows Snipping Tool RCE Vulnerability
  • CVE-2026-32149: Windows Hyper-V RCE Vulnerability
  • CVE-2026-31995: Openclaw Command Injection Vulnerability