CVE-2025-64678 Overview
CVE-2025-64678 is a heap-based buffer overflow in the Windows Routing and Remote Access Service (RRAS). The flaw allows an unauthenticated remote attacker to execute arbitrary code on affected systems over the network. Microsoft published the vulnerability on December 9, 2025, and assigned a CVSS 3.1 score of 8.8 with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The weakness is classified under [CWE-122] (Heap-based Buffer Overflow). Successful exploitation requires user interaction, but no prior authentication or elevated privileges. The vulnerability affects a broad range of Windows client and server versions, including legacy and current builds where RRAS is available.
Critical Impact
Unauthenticated attackers can achieve remote code execution against any Windows host running RRAS, with full loss of confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2) and Windows 11 (23H2, 24H2, 25H2)
- Microsoft Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2
- Microsoft Windows Server 2025
Discovery Timeline
- 2025-12-09 - CVE-2025-64678 published to NVD
- 2025-12-10 - Last updated in NVD database
Technical Details for CVE-2025-64678
Vulnerability Analysis
The Routing and Remote Access Service (RRAS) provides routing, VPN, and dial-up connectivity on Windows clients and servers. CVE-2025-64678 is a heap-based buffer overflow [CWE-122] in this component. An attacker who can deliver a crafted network message to a host running RRAS can corrupt heap memory and redirect execution flow. The CVSS vector indicates that the issue is reachable over the network without authentication but requires user interaction to trigger. The CVSS impact metrics indicate full compromise of confidentiality, integrity, and availability on the affected host. The EPSS probability of 0.037% reflects no observed exploitation activity at the time of publication, but the unauthenticated network attack surface makes this a high-priority patching target.
Root Cause
The vulnerability stems from improper bounds checking when RRAS processes attacker-controlled input. Writing past the allocated heap buffer corrupts adjacent heap metadata or function pointers. This memory corruption primitive can be shaped into arbitrary code execution within the RRAS service context.
Attack Vector
Exploitation occurs over the network against a Windows host running RRAS. The attacker sends a malformed request to the service, and a user must perform an action that causes the host to process the malicious payload. Hosts that expose RRAS endpoints to untrusted networks, such as VPN gateways and edge routers, are at elevated risk. Microsoft has not publicly released exploit details. Refer to the Microsoft CVE-2025-64678 Update Guide for vendor technical notes.
Detection Methods for CVE-2025-64678
Indicators of Compromise
- Unexpected crashes, restarts, or memory faults in the RemoteAccess service or svchost.exe instances hosting RRAS.
- Anomalous child processes spawned by RRAS-hosting svchost.exe, especially cmd.exe, powershell.exe, or rundll32.exe.
- Outbound network connections originating from the RRAS service process to unfamiliar destinations.
- New service installations, scheduled tasks, or registry persistence created shortly after RRAS activity.
Detection Strategies
- Monitor Windows Event Logs for service crashes (Event ID 7031, 7034) tied to RemoteAccess.
- Alert on process creation events where the parent is an RRAS-hosting svchost.exe and the child is an interpreter or LOLBin.
- Inspect network telemetry for malformed or unusually large requests to RRAS-related ports such as PPTP (TCP/1723), L2TP (UDP/1701), and SSTP (TCP/443) on RRAS endpoints.
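The crash-event and parent/child-process checks above, as an added PowerShell hunting script that is not part of the original advisory. It assumes Sysmon is installed with process creation logging (Event ID 1) enabled, that RRAS runs in its own svchost.exe instance whose command line contains "RemoteAccess" (adjust the pattern for your builds), and it extends the advisory's three interpreter examples with a few other common LOLBins.

```powershell
# Added example (not part of the original advisory): hunt for the two signals
# from the list above on one host. Assumptions: Sysmon is installed with process
# creation logging (Event ID 1) enabled, and RRAS runs in its own svchost.exe
# whose command line contains "RemoteAccess"; adjust the pattern for your builds.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

# 1. Service crash / unexpected termination events (7031, 7034) for RemoteAccess.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 7031, 7034; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Routing and Remote Access|RemoteAccess' }

# 2. Interpreters / LOLBins spawned by the RRAS-hosting svchost.exe (Sysmon EID 1).
#    The list extends the advisory's three examples with other common LOLBins.
$lolbins = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe',
           'mshta.exe', 'wscript.exe', 'cscript.exe', 'regsvr32.exe'
$children = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time          = $_.TimeCreated
        ParentImage   = $d.ParentImage
        ParentCmdLine = $d.ParentCommandLine
        Image         = $d.Image
        CommandLine   = $d.CommandLine
    }
} | Where-Object {
    $_.Image -and
    $_.ParentImage -match '\\svchost\.exe$' -and
    $_.ParentCmdLine -match 'RemoteAccess' -and
    ($lolbins -contains (Split-Path $_.Image -Leaf).ToLower())
}

# Report. Either list being non-empty is worth an analyst's attention.
"{0} RemoteAccess crash event(s), {1} suspicious child process(es) since {2}" -f `
    @($crashes).Count, @($children).Count, $since
$crashes  | Select-Object TimeCreated, Id, Message | Format-List
$children | Format-Table -AutoSize
```

Run it elevated so both the System and Sysmon logs are readable; the same filters translate directly into a SIEM rule when the logs are forwarded centrally.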
Monitoring Recommendations
- Inventory all Windows hosts with the RRAS role enabled and confirm exposure scope of management and tunneling protocols.
- Forward Sysmon and Windows Security logs to a centralized analytics platform for correlation across service crashes and post-exploitation behavior.
- Track outbound traffic from RRAS hosts to detect command-and-control activity following exploitation.
How to Mitigate CVE-2025-64678
Immediate Actions Required
- Apply the December 2025 Microsoft security updates referenced in the Microsoft CVE-2025-64678 Update Guide to all affected Windows client and server versions.
- Identify and prioritize internet-facing or perimeter Windows systems running RRAS, including VPN gateways.
- Restrict access to RRAS service ports using host firewalls and network ACLs to trusted management networks only.
Patch Information
Microsoft has released security updates addressing CVE-2025-64678 across all supported Windows 10, Windows 11, and Windows Server versions, including Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025. Refer to the vendor advisory for the specific KB articles and cumulative update packages for each supported build.
Workarounds
- Disable the Routing and Remote Access Service on hosts that do not require routing or VPN functionality using Set-Service -Name RemoteAccess -StartupType Disabled followed by Stop-Service RemoteAccess.
- Block inbound traffic to RRAS-related ports (TCP/1723, UDP/1701, UDP/500, UDP/4500) at perimeter firewalls where the service is not required externally.
- Require client certificate authentication or place RRAS endpoints behind authenticated reverse proxies to reduce exposure to unauthenticated network traffic.
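The first two workarounds above, as an added PowerShell script that is not part of the original advisory. It assumes an elevated session on a host that does not need RRAS, and the firewall rule name prefix is an assumption to adjust to your naming scheme.

```powershell
# Added example (not part of the original advisory): apply the service and
# firewall workarounds on a host that does not need RRAS. Run elevated.
# The rule name prefix is an assumption; pick one that fits your naming scheme.
$RulePrefix = 'Harden-RRAS-CVE-2025-64678'

# 1. Stop and disable the Routing and Remote Access Service.
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name RemoteAccess -Force }
    Set-Service -Name RemoteAccess -StartupType Disabled
}

# 2. Block inbound traffic to the RRAS-related ports listed in the advisory.
$ports = @(
    @{ Protocol = 'TCP'; Port = 1723; Note = 'PPTP control channel' },
    @{ Protocol = 'UDP'; Port = 1701; Note = 'L2TP' },
    @{ Protocol = 'UDP'; Port = 500;  Note = 'IKE' },
    @{ Protocol = 'UDP'; Port = 4500; Note = 'IPsec NAT-T' }
)
foreach ($p in $ports) {
    $name = "$RulePrefix-$($p.Protocol)-$($p.Port)"
    # Idempotent: skip rules that already exist so the script can be re-run.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Description $p.Note `
            -Direction Inbound -Protocol $p.Protocol -LocalPort $p.Port `
            -Action Block -Profile Any | Out-Null
    }
}

# 3. Verify the end state.
Get-Service -Name RemoteAccess | Select-Object Name, Status, StartType
Get-NetFirewallRule -DisplayName "$RulePrefix*" |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort
```

Only the inbound direction is blocked; confirm the host is not meant to answer L2TP/IPsec connections before applying the rules.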
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.