Microsoft has published an advisory for CVE-2025-55700: an out‑of‑bounds read in the Windows Routing and Remote Access Service (RRAS) that can allow a remote actor to elicit unintended memory contents from an affected system, resulting in network‑accessible information disclosure; administrators should treat internet‑facing and DMZ RRAS hosts as high priority for inventory, hardening, and patching.
Background / Overview
Routing and Remote Access Service (RRAS) is a long‑standing Windows Server role used for VPN termination (PPTP, L2TP/IPsec, SSTP, IKEv2), NAT, routing and site‑to‑site tunnels. Because RRAS parses attacker-controlled network input and runs as LocalSystem inside an svchost.exe, memory‑safety defects in RRAS are especially consequential: leaked memory can include session tokens, ephemeral handshake material, route tables, or credential fragments that materially accelerate follow‑on compromise. The CVE-2025-55700 advisory sits within a broader set of RRAS vulnerabilities disclosed during 2025 that share similar root causes, out‑of‑bounds reads and use of uninitialized resources, and have been repeatedly flagged for expedited remediation.
Key points at a glance:
- Vulnerability: Out‑of‑bounds read (CWE‑125) in RRAS; sibling 2025 RRAS advisories also cite use of an uninitialized resource (CWE‑908).
- Impact: Information disclosure — an attacker may receive bytes from process memory that were not intended for remote consumption.
- Attack vector: Network: crafted RRAS protocol packets or malformed negotiation messages exchanged with an RRAS endpoint. Confirm against the MSRC entry whether the attacker can simply probe an exposed listener or needs the RRAS host (or its client) to connect to an attacker-controlled peer; the UI:R in the CVSS vector quoted below points to the latter.
- Urgency: High for internet‑facing RRAS hosts (VPN gateways, DMZ concentrators), moderate for strictly internal hosts depending on exposure and segmentation.
Technical analysis
What the bug is (plain English)
At root, CVE‑2025‑55700 is a buffer over‑read: code in RRAS reads data beyond the boundaries of an allocated buffer or returns a buffer that was not properly initialized. When that memory is sent back to a remote caller during a protocol negotiation or packet parsing flow, residual process memory (heap or stack remnants) can leak to the network. Those leaked bytes can include sensitive runtime artifacts (tokens, session fragments, or topology/configuration data) which are highly useful to attackers performing reconnaissance or chaining attacks.
Affected components and exposure
- Affected component: Routing and Remote Access Service (RemoteAccess role/service) when installed and running on Windows Server systems.
- Typical protocol endpoints RRAS handles (and that should be considered at risk):
  - PPTP: TCP 1723 for the control channel plus GRE (IP protocol 47) for the tunnel
  - L2TP/IPsec: UDP 1701, carried inside IPsec (IKE on UDP 500/4500, ESP as IP protocol 50)
  - SSTP: TCP 443 (HTTPS‑based VPN, served through HTTP.sys, so the socket owner is System rather than the RRAS svchost)
  - IKE/IPsec control flows (IKEv2 VPN and site‑to‑site): UDP 500 and UDP 4500 (NAT‑T)
Any RRAS listener bound to these ports and reachable by untrusted networks is a priority for mitigation.
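The exposure check described above, as an added example (not code from the MSRC advisory or from Microsoft). It assumes Windows Server with the NetTCPIP cmdlets (Get-NetTCPConnection, Get-NetUDPEndpoint) and an elevated session so socket ownership resolves; the port-to-role map is the list above, and the triage rule at the end is this editor's assumption, not MSRC guidance.

```powershell
# Added example (not from the advisory): is RRAS installed here, and which of the endpoints
# listed above are actually listening, on which address, owned by which process?
# GRE (IP 47) and ESP (IP 50) are not ports and never appear in socket listings;
# check those at the perimeter firewall instead.
$RrasEndpoints = @{
    'TCP/1723' = 'PPTP control channel'
    'UDP/1701' = 'L2TP'
    'UDP/500'  = 'IKE (L2TP/IPsec, IKEv2)'
    'UDP/4500' = 'IKE NAT-T'
    'TCP/443'  = 'SSTP via HTTP.sys (may also be IIS or another HTTPS service)'
}

function Get-RrasExposure {
    $svc  = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $role = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        # ServerManager module: Windows Server only
        $role = (Get-WindowsFeature -Name RemoteAccess).Installed
    }
    if (-not $svc) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; RrasInstalled = $false; RoleInstalled = $role; Listeners = @() }
    }
    # The service lives inside an svchost.exe; record that PID so listeners can be attributed to it.
    $rrasPid = (Get-CimInstance Win32_Service -Filter "Name='RemoteAccess'").ProcessId

    $tcp = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Proto = 'TCP'; Port = $_.LocalPort; Address = $_.LocalAddress; OwnerPid = $_.OwningProcess } })
    $udp = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Proto = 'UDP'; Port = $_.LocalPort; Address = $_.LocalAddress; OwnerPid = $_.OwningProcess } })

    $listeners = foreach ($ep in ($tcp + $udp)) {
        $key = "$($ep.Proto)/$($ep.Port)"
        if (-not $RrasEndpoints.ContainsKey($key)) { continue }
        $owner = Get-Process -Id $ep.OwnerPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Endpoint      = $key
            Role          = $RrasEndpoints[$key]
            BoundAddress  = $ep.Address
            AllInterfaces = @('0.0.0.0', '::') -contains $ep.Address
            OwnerPid      = $ep.OwnerPid
            OwnerProcess  = if ($owner) { $owner.ProcessName } else { 'n/a' }
            OwnedByRras   = ($ep.OwnerPid -eq $rrasPid)   # SSTP on 443 is owned by System (HTTP.sys), not the RRAS svchost
        }
    }
    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        RrasInstalled = $true
        RoleInstalled = $role
        ServiceState  = $svc.Status
        StartupType   = $svc.StartType
        RrasPid       = $rrasPid
        Listeners     = @($listeners)
    }
}

$report = Get-RrasExposure
$report | Select-Object Host, RrasInstalled, RoleInstalled, ServiceState, StartupType, RrasPid | Format-List
$report.Listeners | Sort-Object Endpoint | Format-Table -AutoSize

# Triage rule (editor's assumption): the host is in scope when RRAS is installed and any mapped
# endpoint is bound on all interfaces. "Internet-facing" still has to be decided against the
# perimeter: NAT/port-forward entries and DMZ placement, which this host cannot see.
if ($report.RrasInstalled -and ($report.Listeners | Where-Object AllInterfaces)) {
    Write-Warning "RRAS endpoints bound on all interfaces on $($report.Host); prioritise for patching or scoping."
}
```

Run it from a management host with Invoke-Command across the server estate to build the inventory; the OwnedByRras column separates real RRAS listeners from an IIS site that happens to share port 443.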
Attack model and attacker capabilities
- Reachability is the core precondition. If an attacker can reach an RRAS endpoint (internet, partner network, or compromised internal host), they can attempt to craft protocol messages to trigger the vulnerable read path.
- Authentication requirements vary by variant. Microsoft and community write‑ups for the 2025 RRAS cluster show both unauthenticated and authenticated variants across different CVEs in the family. In MSRC wording, "unauthorized attacker" corresponds to Privileges Required: None in the CVSS vector and "authorized attacker" to a non‑zero Privileges Required value, i.e. the attacker already holds a credential on the target. For the vector quoted below (PR:N, UI:R) the precondition is user or operator interaction, not credentials. Do not assume an "authorized" qualifier meaningfully reduces urgency: a VPN gateway by design accepts credentials from a large user population.
- What an attacker can gain. Even small memory fragments can contain:
  - session tokens or handshake fragments usable for offline attacks,
  - cached credentials or password material,
  - routing/topology metadata that aids network mapping,
  - or pointers and layout details that lower the cost of exploiting other memory‑corruption issues.
Exploitability and public evidence
- As of the advisory publication, public trackers report no confirmed in‑the‑wild exploitation or widely circulating working PoC for CVE‑2025‑55700; however, historically RRAS CVEs were quickly scanned and targeted after disclosure. Administrators should assume opportunistic scanning and reconnaissance begin rapidly once a vendor advisory posts.
- Scoring: some feeds show CVSS 3.1 base 6.5 with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. Read literally: reachable over the network, no credentials required (PR:N), user interaction required (UI:R), high confidentiality impact and no integrity or availability impact. UI:R is not a matter of interpretation; it means the attacker cannot complete the attack without some action by a user or operator, which for a server‑side service such as RRAS usually means the RRAS host or a client being induced to connect to an attacker‑controlled peer (for example a demand‑dial or site‑to‑site endpoint) rather than unsolicited probing of a listener. Confirm the definitive vector string and the exploitation FAQ on the MSRC page before mapping to local risk models, because it changes which hosts and which direction of traffic are in scope.
Operational impact — why this matters to enterprises
Information‑disclosure bugs are often underrated because they don't immediately execute code. In the RRAS context this is misleading: RRAS runs as SYSTEM, handles VPN authentication flows and session state, and sits at the network edge. A small leak of sensitive runtime data can materially reduce the time and effort an attacker needs to escalate, move laterally, or craft a separate exploit. Past RRAS advisories in 2025 emphasized that leaked memory can be a force multiplier for intrusions, and incident responders ranked RRAS patching among the top priorities in multiple advisory waves.
Adversary workflows that benefit from RRAS info leaks:
- Harvesting session tokens or challenge/response fragments for offline cracking or session replay.
- Mapping remote networks and routing to identify high‑value internal targets.
- Using leak-derived memory layout to help exploit additional memory safety flaws for RCE.
Immediate remediation checklist (first 24–72 hours)
Follow this prioritized set of actions. Patch mapping and inventory are top priorities.
- Inventory RRAS presence (minutes)
  - Run on suspected servers:
    - Get-Service -Name RemoteAccess
    - Get-WindowsFeature -Name RemoteAccess,Routing
  - Flag any hosts where the RemoteAccess service is installed and running.
- Prioritize internet‑facing RRAS hosts (hours)
  - Identify RRAS hosts with public IPs, NAT/port‑forwarding entries, or DMZ placement; treat these as highest urgency for mitigation.
- Apply vendor updates (hours)
  - Use Microsoft's Security Update Guide entry for CVE‑2025‑55700 to identify the exact KB(s) for each Windows Server SKU and build, then deploy via WSUS/SCCM/Intune or the Microsoft Update Catalog. Do not rely on third‑party feeds for KB mapping without cross‑checking MSRC.
- If you cannot patch immediately, reduce exposure (short term)
  - Restrict access to RRAS ports at the perimeter (block, or allow‑list by source IP): TCP 1723, UDP 1701, UDP 500/4500, GRE (IP protocol 47) and, only where the host's port 443 serves SSTP alone, TCP 443.
  - Consider stopping the RemoteAccess service temporarily if possible:
    - Stop-Service -Name RemoteAccess -Force
    - Set-Service -Name RemoteAccess -StartupType Disabled
  - (Coordinate with connectivity owners: this disrupts VPN users and site‑to‑site tunnels.)
- Harden authentication and reduce the value of leaked material
  - Enforce MFA for VPN logins.
  - Prefer certificate‑based client authentication.
  - Disable legacy protocols (PPTP) where possible.
- Increase monitoring and retention
  - Forward RRAS logs (Applications and Services Logs → Microsoft → Windows → RemoteAccess, RasMan) to your SIEM; increase retention for packet captures of suspected probing windows. Hunt for malformed or repeated negotiation sequences targeting RRAS ports.
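The first‑72‑hours steps above as one script, an added example that is not part of the advisory or of any Microsoft tooling. Assumptions: KB0000000 is a placeholder for the KB you read off the MSRC entry for your build; the allow‑list uses documentation address ranges; 'Routing and Remote Access' is assumed to be the display group of the inbound firewall rules the RRAS role installs (check Get-NetFirewallRule output on your host); nothing is changed unless -Apply is given. Run it elevated on the RRAS host.

```powershell
# Added example (not from the advisory): verify patch level, show and optionally scope the
# inbound RRAS firewall rules to an allow-list, and leave service shutdown as a commented last resort.
param(
    [string]   $ExpectedKb     = 'KB0000000',                          # placeholder: take the real KB from the MSRC entry for this build
    [string[]] $AllowedSources = @('203.0.113.0/24', '198.51.100.10'),  # constructed example ranges
    [string]   $RuleGroup      = 'Routing and Remote Access',           # assumed built-in display group of the RRAS inbound rules
    [switch]   $Apply                                                   # without -Apply the scoping step is a dry run
)

function Test-RrasPatchLevel {
    param([string]$Kb)
    # Get-HotFix reads Win32_QuickFixEngineering; cumulative updates normally show up there, but the
    # OS build (CurrentBuildNumber.UBR) is the value to compare with the Update Catalog entry.
    $hf  = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ExpectedKb  = $Kb
        KbInstalled = [bool]$hf
        InstalledOn = if ($hf) { $hf.InstalledOn } else { $null }
        OsBuild     = "$($ver.CurrentBuildNumber).$($ver.UBR)"
        Product     = $ver.ProductName
    }
}

function Get-RrasRuleScope {
    param([string]$Group)
    # Inbound rules in the group and the remote addresses they currently accept.
    Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Enabled       = $_.Enabled
                Action        = $_.Action
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
}

function Set-RrasRuleScope {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Group, [string[]]$Sources)
    # Scope the existing allow rules instead of adding block rules: in Windows Firewall a block rule
    # overrides any allow rule, so "block everything + allow the list" would cut off the list as well.
    foreach ($rule in Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound -Action Allow -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, "restrict RemoteAddress to $($Sources -join ',')")) {
            $rule | Set-NetFirewallRule -RemoteAddress $Sources
        }
    }
}

# 1. Patch state
Test-RrasPatchLevel -Kb $ExpectedKb | Format-List

# 2. Scoping only limits exposure if the profile's default inbound action is Block; with Allow,
#    traffic that matches no rule gets in regardless of how the RRAS rules are scoped.
$openProfiles = Get-NetFirewallProfile | Where-Object DefaultInboundAction -ne 'Block'
if ($openProfiles) {
    Write-Warning "Default inbound action is not Block for profile(s): $($openProfiles.Name -join ', '); rule scoping will not limit exposure there."
}
Get-RrasRuleScope -Group $RuleGroup | Format-Table -AutoSize

# 3. Apply the allow-list (dry run unless -Apply)
if ($Apply) { Set-RrasRuleScope -Group $RuleGroup -Sources $AllowedSources }
else        { Set-RrasRuleScope -Group $RuleGroup -Sources $AllowedSources -WhatIf }

# 4. Last resort, only after coordinating with connectivity owners; it drops every VPN user and tunnel.
# Stop-Service -Name RemoteAccess -Force
# Set-Service  -Name RemoteAccess -StartupType Disabled
```

Host firewall scoping is a second layer behind the perimeter rules, not a replacement: GRE and ESP rules in the same group are scoped by the same call, but a rule group with a different name, or IKE rules that live under another group, will be missed, which is why the script prints the current scope before changing anything.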
Detection and forensic guidance
- Network telemetry: look for spikes in traffic to RRAS ports or repeated malformed packets from the same external IPs; flag unusual negotiation sequences or unexpected binary blobs in responses.
- Host logs: examine RemoteAccess and RasMan event channels for frequent negotiation failures or anomalous connection attempts; correlate with VPN authentication logs for suspicious activity.
- Packet captures: when you suspect probing, capture traffic to RRAS endpoints and inspect replies for unexpected payloads or data that appears to be heap fragments (binary noise, strings that do not match protocol expectations).
- Forensics: if you suspect exploitation, preserve a memory dump of the process hosting the RemoteAccess service (it runs inside an svchost.exe, so identify the PID of that specific instance rather than dumping every svchost) and full PCAPs from the relevant window; these artifacts are what you need to determine whether leaked memory contained sensitive material. An information leak produces no crash and therefore no crash dump on its own, so capture state while the process is still running.
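Detection logic for the network‑telemetry bullet above, as an added example (not from the advisory). It runs over constructed Windows Firewall log lines in the pfirewall.log field layout; the source addresses, timestamps and thresholds are invented for the example, and the thresholds should be tuned to the local baseline of legitimate IKE/SSTP clients.

```powershell
# Added example (not from the advisory): flag sources that burst at RRAS ports or sweep several
# RRAS endpoints. The log below is constructed; the #Fields header is the real pfirewall.log layout.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-09-10 08:00:01 ALLOW TCP 198.51.100.7 203.0.113.5 51000 1723 52 S 123456 0 65535 - - - RECEIVE
2025-09-10 08:00:02 ALLOW UDP 198.51.100.7 203.0.113.5 51001 500 200 - - - - - - - RECEIVE
2025-09-10 08:00:02 ALLOW UDP 198.51.100.7 203.0.113.5 51002 4500 220 - - - - - - - RECEIVE
2025-09-10 08:00:03 ALLOW UDP 198.51.100.7 203.0.113.5 51003 1701 180 - - - - - - - RECEIVE
2025-09-10 08:00:04 ALLOW TCP 198.51.100.7 203.0.113.5 51004 1723 52 S 123457 0 65535 - - - RECEIVE
2025-09-10 08:00:05 DROP UDP 198.51.100.7 203.0.113.5 51005 1701 180 - - - - - - - RECEIVE
2025-09-10 08:00:06 ALLOW TCP 198.51.100.7 203.0.113.5 51006 1723 52 S 123459 0 65535 - - - RECEIVE
2025-09-10 08:03:10 ALLOW UDP 192.0.2.44 203.0.113.5 4500 4500 300 - - - - - - - RECEIVE
2025-09-10 08:03:11 ALLOW UDP 192.0.2.44 203.0.113.5 500 500 260 - - - - - - - RECEIVE
2025-09-10 08:05:00 ALLOW TCP 203.0.113.5 198.51.100.7 1723 51006 40 A 0 123460 65535 - - - SEND
'@

function Find-RrasProbes {
    param(
        [string[]] $Lines,
        [int] $MinHits       = 5,    # hits from one source inside the window -> 'burst' (assumed threshold)
        [int] $WindowMinutes = 10,
        [int] $SweepPorts    = 3     # distinct RRAS endpoints touched -> 'port-sweep' (assumed threshold)
    )
    $rrasPorts = @{ 'TCP/1723' = 'PPTP'; 'UDP/1701' = 'L2TP'; 'UDP/500' = 'IKE'; 'UDP/4500' = 'IKE NAT-T'; 'TCP/443' = 'SSTP' }
    $fields = $null

    # Parse: the #Fields header names the columns, so the parser does not hard-code positions.
    $events = foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $cols = $line.Trim() -split '\s+'
        $rec  = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $cols.Count); $i++) { $rec[$fields[$i]] = $cols[$i] }
        if ($rec['path'] -ne 'RECEIVE') { continue }            # inbound only
        $key = "$($rec['protocol'])/$($rec['dst-port'])"
        if (-not $rrasPorts.ContainsKey($key)) { continue }     # not an RRAS endpoint
        [pscustomobject]@{
            Time   = [datetime]::ParseExact("$($rec['date']) $($rec['time'])", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            Source = $rec['src-ip']
            Target = $key
            Action = $rec['action']
        }
    }

    # Score per source: a burst inside the window, or a sweep across several RRAS endpoints.
    foreach ($group in ($events | Group-Object Source)) {
        $hits  = @($group.Group | Sort-Object Time)
        $span  = ($hits[-1].Time - $hits[0].Time).TotalMinutes
        $ports = @($hits | ForEach-Object Target | Sort-Object -Unique)
        $burst = ($hits.Count -ge $MinHits) -and ($span -le $WindowMinutes)
        $sweep = $ports.Count -ge $SweepPorts
        if (-not ($burst -or $sweep)) { continue }
        [pscustomobject]@{
            Source      = $group.Name
            Hits        = $hits.Count
            SpanMinutes = [math]::Round($span, 2)
            Endpoints   = ($ports -join ', ')
            Dropped     = @($hits | Where-Object Action -eq 'DROP').Count
            FirstSeen   = $hits[0].Time
            Reason      = (@(if ($burst) { 'burst' }; if ($sweep) { 'port-sweep' }) -join '+')
        }
    }
}

$findings = Find-RrasProbes -Lines ($SampleLog -split '\r?\n')
$findings | Format-Table -AutoSize
```

On the constructed sample only 198.51.100.7 is reported (seven inbound hits across four RRAS endpoints in a few seconds, one of them dropped), while 192.0.2.44 looks like an ordinary IKE client with two packets and stays below both thresholds. Point the same function at a real pfirewall.log with Get-Content, or at perimeter firewall exports after mapping their columns onto the same field names; a source that is flagged here is a candidate for the packet‑capture inspection in the next bullet, not a confirmed exploitation.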
Patch‑management pitfalls and verification
Several public and community trackers from 2025 noted inconsistent CVE→KB mappings for related RRAS advisories; this has been a recurring operational hazard. The Microsoft Security Response Center is the single authoritative mapping for CVE‑to‑KB and OS build applicability: always confirm the KB numbers listed on the MSRC page and cross‑check the Microsoft Update Catalog entry for the exact build before mass deployment. Failure to map correctly can leave systems unpatched despite applying updates.
If an MSRC advisory page renders via JavaScript in your automation, view it in a full browser session and note the KB number(s); do not rely solely on third‑party mirroring sites for the final mapping.
Risk assessment — strengths and remaining concerns
Strengths
- Microsoft published an update and public advisory for CVE‑2025‑55700, enabling vendors and administrators to deploy fixes. Independent trackers reflect the same classification (out‑of‑bounds read / information disclosure), and multiple vulnerability databases have normalized the CVSS scoring and vector.
- Standard mitigations (network segmentation, firewalling, disabling unused services) are effective short‑term controls for RRAS exposure and can be rapidly applied.
Remaining concerns
- Information disclosure is deceptively powerful. Even a few leaked bytes can be operationally critical in the right context; organizations with RRAS integrated into identity flows or with certificate‑based VPNs should assume elevated impact.
- PoC / exploitation status. At publication, public PoC and reliable reports of active exploitation for CVE‑2025‑55700 were not confirmed; this may change. If working exploits appear, automated scanning and attacks against unpatched RRAS hosts can scale quickly. Treat this as a live risk and monitor threat feeds.
- CVE/KB patch mapping errors. Third‑party feeds sometimes display neighboring RRAS CVEs in aggregated reporting; verifying the MSRC CVE‑to‑KB mapping is essential to avoid misapplied updates.
Recommended long‑term hardening (post‑patch)
- Enforce strict perimeter rules for remote access services; restrict RRAS endpoints to known client IPs or partner ranges when possible.
- Move away from legacy VPN protocols (PPTP) and prefer modern, certificate‑based authentication with MFA.
- Regularly inventory server roles and disable RRAS on hosts that do not require it.
- Implement robust EDR coverage and SIEM correlation rules for RRAS protocol anomalies and service restarts.
- Maintain a CVE‑to‑KB mapping playbook: require verification of MSRC advisories and Update Catalog entries before sign‑off on patch deployments.
Playbook: prioritized checklist (copyable)
- Inventory: run Get-Service -Name RemoteAccess and Get-WindowsFeature -Name RemoteAccess,Routing across servers.
- Map CVE to KB: confirm MSRC entry for CVE‑2025‑55700 and locate the exact KB(s) for each Windows Server SKU in your estate.
- Patch internet‑facing RRAS hosts immediately, test internally, then roll out to internal hosts.
- If patching is delayed: restrict RRAS ports at the perimeter (TCP 1723, UDP 1701, UDP 500/4500, TCP 443, GRE) and consider stopping the RemoteAccess service.
- Increase monitoring: forward RemoteAccess/RasMan logs to SIEM and capture packets for suspicious activity.
- After patch: rotate secrets where reasonable (service account credentials tied to VPN flows), enforce MFA, and validate connectivity for legitimate VPN users.
Conclusion
CVE‑2025‑55700 is an information‑disclosure vulnerability in Windows RRAS rooted in an out‑of‑bounds read that can leak process memory to remote requesters. While it is not an RCE by itself, the operational risk is significant because leaked data can accelerate credential theft, session hijacking, and subsequent exploitation chains, especially when RRAS runs on internet‑exposed VPN gateways. The single most important actions are: inventory RRAS presence, confirm the MSRC CVE→KB mapping for your OS builds, and apply the vendor updates to internet‑facing RRAS hosts as an immediate priority. If immediate patching is impossible, reduce exposure via firewall rules and service disablement and increase logging and packet capture retention for hunting and forensics.
(Note: this briefing synthesized Microsoft's advisory entries, independent CVE trackers, and community operational guidance; where public PoC/exploitation details were absent, those gaps are noted and should be investigated via your organization's telemetry and incident response procedures.)
Source: MSRC Security Update Guide - Microsoft Security Response Center