CVE-2025-58717 Overview
CVE-2025-58717 is an out-of-bounds read vulnerability in the Windows Routing and Remote Access Service (RRAS). An unauthorized remote attacker can trigger the flaw over a network to disclose portions of process memory. Exploitation requires user interaction, which limits the practical attack scenarios but does not eliminate risk in environments where administrators or users can be lured into initiating a connection to an attacker-controlled endpoint.
The vulnerability affects a broad range of Windows client and server versions, including Windows 10, Windows 11, and Windows Server releases from 2008 through 2025. Microsoft addressed the issue through its Security Update Guide.
Critical Impact
Successful exploitation leaks confidential information from RRAS process memory over the network, which attackers can use to support further intrusion activity.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 22H2, 23H2, 24H2, 25H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2025-10-14 - CVE-2025-58717 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-58717
Vulnerability Analysis
CVE-2025-58717 is classified under [CWE-125] Out-of-bounds Read. The flaw exists in the Windows Routing and Remote Access Service (RRAS), a component that provides routing, VPN, and dial-up connectivity services on Windows clients and servers. When RRAS processes a specially crafted network response, it reads memory beyond the intended buffer boundary and returns that data over the network.
The attack targets confidentiality only. Integrity and availability of the target system are not directly affected. Attackers commonly chain information disclosure primitives with other vulnerabilities to bypass memory protections such as Address Space Layout Randomization (ASLR).
EPSS data places the current exploitation probability at 0.881%, reflecting limited but non-zero interest from the offensive research community.
Root Cause
The vulnerability stems from missing or insufficient bounds checking in an RRAS packet or response parser. When the affected code path processes a malformed or truncated structure, it reads past the allocated buffer, exposing adjacent memory contents through subsequent network output.
Attack Vector
Exploitation occurs over the network and requires user interaction. A typical scenario involves convincing a user to initiate an RRAS-based connection (for example, a VPN or dial-up connection) to a malicious server. The attacker's server returns crafted responses that trigger the out-of-bounds read, and the resulting leaked bytes are transmitted back to the attacker.
No authenticated session or elevated privileges are required on the target. No verified public proof-of-concept is available at this time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-58717
Indicators of Compromise
- Unexpected outbound RRAS or VPN connection attempts to untrusted IP addresses or domains
- Anomalous rasman.exe, svchost.exe hosting RemoteAccess, or related RRAS process network activity following user-initiated connection actions
- Crash or exception events referencing RRAS modules in the Windows Event Log
Detection Strategies
- Monitor for connections from Windows hosts to previously unseen VPN or dial-up endpoints, especially those matching URL patterns delivered through phishing.
- Correlate user actions (opening .pbk phonebook files, clicking VPN connection links) with subsequent RRAS process behavior.
- Inspect network telemetry for RRAS protocol responses containing anomalous field lengths or malformed structures.
Monitoring Recommendations
- Enable and forward Windows RRAS event logs and Sysmon network connection events to a centralized analytics platform.
- Baseline expected RRAS peer endpoints in enterprise environments and alert on deviations.
- Track patch deployment status for the October 2025 Microsoft security update across all Windows and Windows Server assets.
How to Mitigate CVE-2025-58717
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Update Guide for CVE-2025-58717 to all affected Windows and Windows Server systems.
- Prioritize patching on systems where users routinely initiate VPN or dial-up connections.
- Restrict user permissions to install or modify VPN and phonebook (.pbk) configurations from untrusted sources.
Patch Information
Microsoft published the fix through the Security Update Guide. Refer to the Microsoft Security Update Guide for the specific KB article and cumulative update applicable to each affected build.
Workarounds
- Disable the Routing and Remote Access service on systems that do not require VPN or dial-up functionality.
- Block outbound connections to untrusted VPN endpoints at the network perimeter using egress filtering.
- Educate users to avoid initiating VPN connections from links or configuration files received via email or messaging.
# Disable the Routing and Remote Access service where not required (PowerShell)
Stop-Service -Name RemoteAccess -Force
Set-Service -Name RemoteAccess -StartupType Disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

