CVE-2025-62473 Overview
CVE-2025-62473 is an information disclosure vulnerability in the Microsoft Windows Routing and Remote Access Service (RRAS). The flaw is a buffer over-read [CWE-126] that allows an unauthenticated attacker to read memory contents beyond the intended buffer boundary. Successful exploitation discloses information over a network connection to the vulnerable RRAS component. The issue affects a wide range of Windows client and Windows Server releases, including Windows Server 2008 through Windows Server 2025 and Windows 10 through Windows 11 25H2. Exploitation requires user interaction, which limits automated mass exploitation but does not eliminate risk in targeted scenarios.
Critical Impact
An unauthenticated network attacker can read sensitive process memory from RRAS-enabled Windows hosts, potentially leaking credentials, cryptographic material, or configuration data.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (23H2, 24H2, 25H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2025-12-09 - CVE-2025-62473 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-62473
Vulnerability Analysis
RRAS provides routing, VPN, and dial-up services on Windows and processes protocol messages received over the network. CVE-2025-62473 is classified as a buffer over-read, mapped to [CWE-126]. The service reads past the end of an allocated buffer when parsing attacker-supplied input, returning adjacent memory contents in a response or error path. The disclosed memory may contain authentication tokens, protocol state, pointers useful for bypassing address space layout randomization (ASLR), or fragments of other client sessions. The vulnerability impacts confidentiality only, with no direct effect on integrity or availability.
Root Cause
The root cause is missing or incorrect bounds validation when the RRAS parser reads structured input fields. A length or offset value provided by the attacker is trusted without verification against the actual allocation size. When the code copies or serializes bytes based on that untrusted length, it reads memory beyond the intended structure and includes those bytes in the response.
Attack Vector
The attack is executed remotely over the network against a host running the RRAS role. Exploitation requires user interaction, meaning an administrator or client-side action must trigger the vulnerable code path, for example by connecting to a malicious server or accepting a crafted response. No authentication or elevated privileges are needed on the target. Attackers typically chain the leaked memory contents with subsequent exploits to defeat mitigations or harvest credentials.
No verified public proof-of-concept code is currently available for CVE-2025-62473. Refer to the Microsoft CVE-2025-62473 Advisory for the authoritative technical description.
Detection Methods for CVE-2025-62473
Indicators of Compromise
- Unexpected inbound connections to RRAS listening ports on Windows Server hosts, particularly from untrusted networks.
- Abnormal or malformed RRAS protocol messages logged by network sensors or the RRAS service itself.
- Spikes in RRAS response traffic volume that could indicate memory being exfiltrated through repeated over-read triggers.
Detection Strategies
- Inspect network traffic to and from RRAS endpoints for oversized length or offset fields that deviate from protocol specifications.
- Correlate Windows Event Log entries from the RemoteAccess and Rasman sources with unusual client interaction patterns.
- Hunt for process memory access anomalies in the svchost.exe instance hosting RRAS, especially unexplained crashes or repeated exception handlers firing.
Monitoring Recommendations
- Enable network flow logging on perimeter and internal segments where RRAS is exposed and alert on unauthenticated connections from outside expected ranges.
- Baseline RRAS traffic patterns and generate alerts on statistical deviations in packet size or request cadence.
- Forward RRAS and Windows Security event logs to a centralized analytics platform for retention and correlation.
How to Mitigate CVE-2025-62473
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2025-62473 Advisory to all affected Windows client and server systems.
- Inventory hosts with the Routing and Remote Access role enabled and prioritize internet-exposed systems for patching.
- Restrict inbound access to RRAS services using host and network firewalls until updates are validated in production.
Patch Information
Microsoft has released security updates addressing CVE-2025-62473 across all supported Windows versions listed in the advisory. Administrators should deploy the December 2025 cumulative updates for their platform and reboot affected systems. Consult the Microsoft CVE-2025-62473 Advisory for the exact KB numbers per Windows build.
Workarounds
- Disable the Routing and Remote Access service on hosts that do not require VPN, dial-up, or routing functionality.
- Enforce network-level authentication and IPsec on remote access endpoints to limit which clients can reach the vulnerable code path.
- Place RRAS servers behind VPN concentrators or firewalls that restrict access to trusted management networks only.
# Disable RRAS on Windows Server if not required
sc.exe config RemoteAccess start= disabled
sc.exe stop RemoteAccess
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

