Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-58717

CVE-2025-58717: Windows 10 1507 Information Disclosure

CVE-2025-58717 is an information disclosure vulnerability in Windows 10 1507 Routing and Remote Access Service that allows unauthorized attackers to read sensitive data over a network. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-58717 Overview

CVE-2025-58717 is an out-of-bounds read vulnerability in the Windows Routing and Remote Access Service (RRAS). An unauthorized remote attacker can trigger the flaw over a network to disclose portions of process memory. Exploitation requires user interaction, which limits the practical attack scenarios but does not eliminate risk in environments where administrators or users can be lured into initiating a connection to an attacker-controlled endpoint.

The vulnerability affects a broad range of Windows client and server versions, including Windows 10, Windows 11, and Windows Server releases from 2008 through 2025. Microsoft addressed the issue through its Security Update Guide.

Critical Impact

Successful exploitation leaks confidential information from RRAS process memory over the network, which attackers can use to support further intrusion activity.

Affected Products

  • Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
  • Microsoft Windows 11 (versions 22H2, 23H2, 24H2, 25H2)
  • Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025

Discovery Timeline

  • 2025-10-14 - CVE-2025-58717 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-58717

Vulnerability Analysis

CVE-2025-58717 is classified under [CWE-125] Out-of-bounds Read. The flaw exists in the Windows Routing and Remote Access Service (RRAS), a component that provides routing, VPN, and dial-up connectivity services on Windows clients and servers. When RRAS processes a specially crafted network response, it reads memory beyond the intended buffer boundary and returns that data over the network.

The attack targets confidentiality only. Integrity and availability of the target system are not directly affected. Attackers commonly chain information disclosure primitives with other vulnerabilities to bypass memory protections such as Address Space Layout Randomization (ASLR).

EPSS data places the current exploitation probability at 0.881%, reflecting limited but non-zero interest from the offensive research community.

Root Cause

The vulnerability stems from missing or insufficient bounds checking in an RRAS packet or response parser. When the affected code path processes a malformed or truncated structure, it reads past the allocated buffer, exposing adjacent memory contents through subsequent network output.

Attack Vector

Exploitation occurs over the network and requires user interaction. A typical scenario involves convincing a user to initiate an RRAS-based connection (for example, a VPN or dial-up connection) to a malicious server. The attacker's server returns crafted responses that trigger the out-of-bounds read, and the resulting leaked bytes are transmitted back to the attacker.

No authenticated session or elevated privileges are required on the target. No verified public proof-of-concept is available at this time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-58717

Indicators of Compromise

  • Unexpected outbound RRAS or VPN connection attempts to untrusted IP addresses or domains
  • Anomalous rasman.exe, svchost.exe hosting RemoteAccess, or related RRAS process network activity following user-initiated connection actions
  • Crash or exception events referencing RRAS modules in the Windows Event Log

Detection Strategies

  • Monitor for connections from Windows hosts to previously unseen VPN or dial-up endpoints, especially those matching URL patterns delivered through phishing.
  • Correlate user actions (opening .pbk phonebook files, clicking VPN connection links) with subsequent RRAS process behavior.
  • Inspect network telemetry for RRAS protocol responses containing anomalous field lengths or malformed structures.

Monitoring Recommendations

  • Enable and forward Windows RRAS event logs and Sysmon network connection events to a centralized analytics platform.
  • Baseline expected RRAS peer endpoints in enterprise environments and alert on deviations.
  • Track patch deployment status for the October 2025 Microsoft security update across all Windows and Windows Server assets.

How to Mitigate CVE-2025-58717

Immediate Actions Required

  • Apply the Microsoft security update referenced in the Microsoft Security Update Guide for CVE-2025-58717 to all affected Windows and Windows Server systems.
  • Prioritize patching on systems where users routinely initiate VPN or dial-up connections.
  • Restrict user permissions to install or modify VPN and phonebook (.pbk) configurations from untrusted sources.

Patch Information

Microsoft published the fix through the Security Update Guide. Refer to the Microsoft Security Update Guide for the specific KB article and cumulative update applicable to each affected build.

Workarounds

  • Disable the Routing and Remote Access service on systems that do not require VPN or dial-up functionality.
  • Block outbound connections to untrusted VPN endpoints at the network perimeter using egress filtering.
  • Educate users to avoid initiating VPN connections from links or configuration files received via email or messaging.
bash
# Disable the Routing and Remote Access service where not required (PowerShell)
Stop-Service -Name RemoteAccess -Force
Set-Service -Name RemoteAccess -StartupType Disabled

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.