SentinelOne
CVE Vulnerability Database

CVE-2026-25172: Windows RRAS RCE Vulnerability

CVE-2026-25172 is a remote code execution flaw in Windows Routing and Remote Access Service caused by an integer overflow. Attackers can exploit this to execute code remotely. This article covers technical details, impact, and mitigation.


CVE-2026-25172 Overview

CVE-2026-25172 is an integer overflow or wraparound vulnerability in the Windows Routing and Remote Access Service (RRAS) that allows an unauthorized attacker to execute arbitrary code over a network. The weakness is catalogued as CWE-122 (Heap-based Buffer Overflow): an arithmetic result that has wrapped is used as a heap allocation size, and the copy that follows writes past the undersized buffer, corrupting heap memory in a way that can be turned into remote code execution.

RRAS is a core Windows Server networking component used in enterprise environments to terminate VPN connections (PPTP, L2TP/IPsec, SSTP and IKEv2), provide network address translation (NAT), and route traffic between networks. Because the attack is conducted over the network and needs no privileges on the target, the vulnerability is particularly dangerous on RRAS servers that are reachable from untrusted networks.

Critical Impact

Successful exploitation gives an unauthenticated attacker arbitrary code execution in the context of the RRAS service host. RRAS runs inside a svchost.exe process as LocalSystem, so code execution there amounts to complete compromise of the affected Windows system.

Affected Products

  • Windows Routing and Remote Access Service (RRAS)
  • Windows Server releases with the Remote Access role (RRAS) installed
  • Windows systems on which the Routing and Remote Access service is configured and running

The Microsoft advisory lists the exact affected product versions and builds.

Discovery Timeline

  • 2026-03-10 - CVE-2026-25172 published to NVD
  • 2026-03-11 - Last updated in NVD database

Technical Details for CVE-2026-25172

Vulnerability Analysis

This vulnerability is classified as an integer overflow or wraparound condition that leads to a heap-based buffer overflow (CWE-122). Integer overflow occurs when an arithmetic operation produces a value larger than the integer type can represent. For the unsigned 32-bit sizes typical of network parsers the result silently wraps modulo 2^32 to a much smaller number; for signed types it may become negative. Either way, a wrapped value used as an allocation size is far smaller than the data it is meant to hold.

The public description does not name the vulnerable code path, but the pattern implied by the classification is a size calculation (for example an element count multiplied by an element length, or a declared length added to a header size) performed on attacker-controlled fields while RRAS parses incoming packets or routing data. Specially crafted traffic makes the calculation wrap, RRAS allocates a heap buffer of the wrapped, undersized length, and the subsequent copy of the real data writes beyond it, corrupting adjacent heap memory structures.

The vulnerability metrics record that user interaction is required, so the vulnerable code path is probably reached only when a user or the victim system initiates or accepts a connection; exactly what interaction is needed is not specified in the public metrics. No privileges on the target are required, and once the path is triggered the attacker needs nothing further from the victim to reach code execution.

Root Cause

The root cause is missing validation of externally supplied integer values before they enter memory allocation calculations in the RRAS service. When processing certain network data structures, the service performs arithmetic on attacker-controlled fields without checking whether the result can overflow, so an attacker can choose values whose product or sum wraps to a small number; the service then allocates that small buffer and copies a far larger payload into it.

Because the overflowed buffer lives on the heap (CWE-122), the corruption lands on neighbouring heap allocations and allocator metadata. Heap corruption is the starting point for standard exploitation techniques: grooming the heap so that a chosen object sits directly after the buffer, overwriting that object's pointers or length fields to obtain an arbitrary write primitive, and from there hijacking control flow.
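The integer-overflow-to-heap-overflow pattern described in the Vulnerability Analysis and Root Cause sections, as an added C example. This is not RRAS code: the message layout (a 32-bit entry count, a 32-bit entry length, then the entries), the caps MAX_ENTRIES and MAX_ENTRY_LEN, and the function names are constructed for illustration. The vulnerable routine reports the size mismatch instead of performing the out-of-bounds copy, so the program runs safely; the hardened routine shows the three checks that close the bug: range caps on each field, multiplication in a wider type, and a comparison of the declared size against the bytes actually received.

```c
/* Added illustration of the integer-overflow-to-heap-overflow pattern.
 * Not RRAS code: the message layout below is constructed for this example.
 *   [u32 count][u32 entry_len][count * entry_len bytes of entry data]  (little-endian)
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN        8u
#define MAX_ENTRIES    1024u   /* assumed caps; a real protocol takes these from its spec */
#define MAX_ENTRY_LEN  4096u

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_u32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Builds a message into out; returns bytes written, or 0 if out is too small. */
size_t build_msg(uint8_t *out, size_t out_cap, uint32_t count, uint32_t entry_len,
                 const uint8_t *payload, size_t payload_len) {
    if (out_cap < HDR_LEN + payload_len) return 0;
    wr_u32le(out, count);
    wr_u32le(out + 4, entry_len);
    if (payload_len) memcpy(out + HDR_LEN, payload, payload_len);
    return HDR_LEN + payload_len;
}

typedef struct {
    uint32_t alloc_size;     /* what the 32-bit product hands to the allocator */
    uint64_t bytes_needed;   /* what a copy loop over count entries would write */
    int      would_overflow; /* 1 when bytes_needed exceeds alloc_size */
} vuln_report_t;

/* Vulnerable pattern: the size is computed in 32 bits, so count * entry_len wraps.
 * The real bug would allocate alloc_size bytes and then copy bytes_needed into them;
 * this function only reports the mismatch so the example runs without corrupting memory. */
vuln_report_t vulnerable_size_calc(const uint8_t *msg, size_t msg_len) {
    vuln_report_t r = {0, 0, 0};
    if (msg_len < HDR_LEN) return r;
    uint32_t count = rd_u32le(msg);
    uint32_t entry_len = rd_u32le(msg + 4);
    r.alloc_size = count * entry_len;              /* wraps modulo 2^32: the defect */
    r.bytes_needed = (uint64_t)count * entry_len;  /* what the attacker's data really needs */
    r.would_overflow = r.bytes_needed > r.alloc_size;
    return r;
}

/* Hardened version: reject out-of-range fields, multiply in a wider type, and check the
 * declared size against the bytes actually received before allocating or copying.
 * Returns a malloc'd copy of the entry data (caller frees) or NULL on any failure. */
uint8_t *parse_entries_safe(const uint8_t *msg, size_t msg_len, size_t *out_len) {
    if (msg_len < HDR_LEN) return NULL;
    uint32_t count = rd_u32le(msg);
    uint32_t entry_len = rd_u32le(msg + 4);
    if (count == 0 || count > MAX_ENTRIES) return NULL;
    if (entry_len == 0 || entry_len > MAX_ENTRY_LEN) return NULL;
    uint64_t total = (uint64_t)count * entry_len;  /* at most 4 MiB given the caps; the wide
                                                      multiply stays correct if the caps grow */
    if (total > msg_len - HDR_LEN) return NULL;    /* declared more data than was received */
    uint8_t *buf = malloc((size_t)total);
    if (buf == NULL) return NULL;
    memcpy(buf, msg + HDR_LEN, (size_t)total);
    *out_len = (size_t)total;
    return buf;
}

int main(void) {
    uint8_t msg[64];
    /* Attacker-chosen header: 0x10000 * 0x10001 = 0x1_0001_0000, which truncates to 0x10000. */
    size_t n = build_msg(msg, sizeof msg, 0x10000u, 0x10001u, NULL, 0);
    vuln_report_t r = vulnerable_size_calc(msg, n);
    printf("vulnerable: alloc=%u bytes, copy would write %llu bytes, overflow=%d\n",
           r.alloc_size, (unsigned long long)r.bytes_needed, r.would_overflow);
    size_t got = 0;
    printf("hardened rejects it: %s\n", parse_entries_safe(msg, n, &got) ? "no" : "yes");

    /* Well-formed message: two 4-byte entries. */
    const uint8_t entries[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    n = build_msg(msg, sizeof msg, 2, 4, entries, sizeof entries);
    uint8_t *p = parse_entries_safe(msg, n, &got);
    printf("hardened accepts well-formed message: %s (%zu bytes)\n", p ? "yes" : "no", got);
    free(p);
    return 0;
}
```

Compile with cc -std=c99 -Wall example.c. The header of 0x10000 entries of 0x10001 bytes makes the 32-bit product wrap to 0x10000 (64 KiB) while the copy would need just over 4 GiB; the hardened parser rejects it at the cap check before any arithmetic happens. With the caps alone the product cannot wrap, so the widened multiply is belt-and-braces that stays correct if the caps are ever raised.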

Attack Vector

The attack is conducted over the network against systems running the Windows Routing and Remote Access Service. In outline, an attacker would:

  1. Identify a target with RRAS enabled and reachable over the network (the VPN listeners: TCP 1723 and GRE for PPTP, UDP 500/4500 and 1701 for L2TP/IPsec and IKEv2, TCP 443 for SSTP)
  2. Craft packets whose length or count fields are chosen so that a size calculation inside RRAS wraps
  3. Deliver the traffic to the RRAS service, or, given the user-interaction requirement, induce the victim to open a connection that carries it
  4. Let the wrapped size produce an undersized heap allocation that the following copy overflows, corrupting neighbouring heap structures
  5. Use heap grooming to turn the corruption into an arbitrary write and then into code execution in the context of the RRAS service

As the vulnerability metrics note, user interaction is required, which may mean the victim system has to initiate or accept a connection that reaches the vulnerable code path. For authoritative details, refer to the Microsoft CVE-2026-25172 Advisory.

Detection Methods for CVE-2026-25172

Indicators of Compromise

  • Anomalous or malformed traffic to the RRAS listeners (TCP 1723 and GRE for PPTP, UDP 500/4500 and 1701 for L2TP/IPsec and IKEv2, TCP 443 for SSTP), especially from sources that are not known VPN clients
  • Crashes or unexpected restarts of the Routing and Remote Access service: Service Control Manager Event IDs 7031 and 7034 in the System log, and Application Error Event ID 1000 in the Application log naming svchost.exe with a faulting module from the Remote Access stack, are the usual signs of a failed exploitation attempt
  • Unusual child processes (cmd.exe, powershell.exe, rundll32.exe) spawned by the svchost.exe instance hosting the RemoteAccess service
  • Windows Error Reporting entries (Event ID 1001) for the RRAS host process

Detection Strategies

  • Monitor for connections to the RRAS listener ports from outside the expected VPN client population and from internal hosts that have no reason to talk to the VPN server
  • Deploy network intrusion detection rules for malformed PPTP, L2TP, SSTP and IKEv2 traffic, particularly packets with implausible length or count fields
  • Keep Windows exploit mitigations (DEP, ASLR, Control Flow Guard) enabled on RRAS servers; Exploit Protection in Windows Defender Exploit Guard can enforce them per process and logs mitigation events, which raises the cost of turning a heap overflow into code execution
  • Enable crash dump collection for the RRAS host process (Windows Error Reporting LocalDumps) so that a crash during an exploitation attempt leaves a dump for analysis

Monitoring Recommendations

  • Enable RRAS tracing (netsh ras set tracing * enabled; logs are written under %windir%\tracing) while investigating suspicious activity, and disable it afterwards because it is verbose
  • Monitor the System and Application event logs for Routing and Remote Access service errors and unexpected terminations (Event IDs 7031 and 7034 for the service, 1000 for the svchost.exe host)
  • Analyse traffic to VPN and routing endpoints for volume spikes, unknown client sources and protocol anomalies
  • Deploy endpoint detection to catch post-exploitation activity following RRAS compromise: new processes under the RRAS svchost.exe, credential access, and lateral movement from the VPN server

How to Mitigate CVE-2026-25172

Immediate Actions Required

  • Apply the Microsoft security update for CVE-2026-25172 immediately, prioritising RRAS servers reachable from the internet
  • Review the network exposure of systems running RRAS and restrict access to the listener ports where possible
  • Disable RRAS on systems where it is not required for business operations
  • Segment RRAS-enabled servers so that a compromised VPN server cannot reach the rest of the estate directly

Patch Information

Microsoft has released security updates to address this vulnerability. System administrators should apply the relevant patches through Windows Update, Windows Server Update Services (WSUS), or the Microsoft Update Catalog. For complete patch details and affected product versions, consult the Microsoft CVE-2026-25172 Advisory.

Workarounds

  • Disable the Routing and Remote Access Service on systems where it is not essential
  • Restrict RRAS access with host and network firewall rules so that only trusted network segments and expected VPN client sources can reach the listener ports
  • Where the service cannot simply be disabled, consider moving VPN termination to an alternative that does not rely on RRAS so that the service can then be turned off

```powershell
# Disable the RRAS service if it is not required. Use sc.exe explicitly: in PowerShell
# the bare name "sc" is an alias for Set-Content. The space after "start=" is required by sc.exe.
sc.exe stop RemoteAccess
sc.exe config RemoteAccess start= disabled

# Verify the RRAS service state and its configured start type
sc.exe query RemoteAccess
sc.exe qc RemoteAccess
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
