Microsoft’s security telemetry and independent trackers confirm that CVE-2026-25173 is a newly published remote code execution (RCE) vulnerability in the Windows Routing and Remote Access Service (RRAS) caused by an integer overflow or wraparound; the entry was added to vendor and national databases on March 10, 2026, with a CVSS v3.1 base score of 8.0 (High). (nvd.nist.gov) (cvefeed.io)
Background
Routing and Remote Access Service (RRAS) is the Windows role that implements VPN termination, NAT, and various routing services for on-premises Windows Server deployments. RRAS often lives on enterprise VPN gateways, edge routers, and multi‑function servers that bridge internal networks with Internet-facing clients. Historically, RRAS has been the subject of multiple serious memory‑corruption and information‑disclosure bugs; the community regularly treats RRAS defects as high‑priority patches because an exploitable flaw on an Internet‑reachable RRAS host can be leveraged against servers that are frequently highly privileged.

RRAS code paths parse and manipulate complex network protocol messages (PPP, L2TP/IPsec, SSTP, and ancillary control messages). This parsing is a recurrent source of integer overflows, heap overflows, and out‑of‑bounds reads in the RRAS code family — root causes that can escalate from remote malformed input to arbitrary code execution when combined with heap layout and control‑flow conditions. CVE-2026-25173 is reported as an integer overflow or wraparound that leads to RCE, and Microsoft is listed as the CNA (assigner) for the CVE entry. (nvd.nist.gov)
What we know right now (verified facts)
- The vulnerability is tracked as CVE-2026-25173 and affects the Windows Routing and Remote Access Service (RRAS). (cvedetails.com)
- The public vendor-sourced description states an integer overflow or wraparound in RRAS that allows an authorized attacker to execute code over a network. (cvefeed.io)
- The CVSS v3.1 vector published by Microsoft maps to AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H with a base score of 8.0 (High) — indicating network attack vector, low complexity, some privileges required (low), and user interaction required. (nvd.nist.gov)
- Public vulnerability trackers and aggregator pages that mirror vendor data list the CVE as published on March 10, 2026 and mark the vulnerability as remotely exploitable. (cvefeed.io)
- Major Patch Tuesday summaries and independent security outlets catalog this issue among March 2026 updates, and Microsoft’s security database entry is referenced as the canonical advisory. (zerodayinitiative.com)
Why this matters: Impact and attack scenario
An integer overflow or wraparound commonly occurs when arithmetic on integer types exceeds the datatype’s maximum (or drops below the minimum) and wraps, producing smaller values used to allocate or index memory. In network protocol parsing, this can lead to under‑allocation, missing bounds checks, or miscomputed copy lengths — all classic stepping stones to memory corruption and eventual code execution.

What makes this CVE high‑impact:
- RRAS is commonly exposed on perimeter systems (VPN servers and gateways). An exploitable RCE on such hosts can give adversaries a foothold inside protected networks.
- The published CVSS indicates low attack complexity and low privileges required; while user interaction is required, the network vector and the potential for full confidentiality, integrity, and availability impact make it a high operational priority. (nvd.nist.gov)
- Prior RRAS vulnerabilities have been weaponized or used in targeted intrusions; the historical pattern means defenders must behave as if active exploitation is plausible until proven otherwise.
Attack scenario:
- Attacker authenticates with credentials acceptable to RRAS (the advisory states a privileged actor model: “authorized attacker”).
- Attacker crafts and sends specially formed RRAS protocol messages that trigger the integer wrap/overflow during parsing.
- The overflow leads to memory corruption that an adversary converts into execution control (RCE) in the RRAS process context.
- From a compromised RRAS host, an attacker escalates persistence and moves laterally into the environment.
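To make the root cause concrete, here is an added illustration (not code from the advisory, from RRAS, or from any of the cited trackers) of the two wraparound shapes described above: a record-count-times-record-size product that wraps to a tiny allocation, and a declared-length-minus-header subtraction that underflows, each beside the overflow-safe check a parser should perform. The header layout and the demo values are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed header shape for illustration only; it is not RRAS's message
   format, just the common "record count times record size" pattern. */
typedef struct {
    uint32_t count;     /* number of records the peer claims to send */
    uint32_t rec_size;  /* bytes per record the peer claims */
} rec_hdr_t;

/* Naive: the 32-bit product wraps modulo 2^32, so a tiny buffer would be
   allocated for a huge record count and the copy loop would overrun it. */
uint32_t naive_total_bytes(const rec_hdr_t *h) {
    return h->count * h->rec_size;
}

/* Hardened: reject a header whose product cannot fit in 32 bits, then apply
   an application ceiling (max_allowed) on top of the arithmetic check. */
bool checked_total_bytes(const rec_hdr_t *h, uint32_t max_allowed, uint32_t *out) {
    if (h->count == 0 || h->rec_size == 0) { *out = 0; return true; } /* empty payload */
    if (h->count > UINT32_MAX / h->rec_size) return false;           /* product would wrap */
    uint32_t total = h->count * h->rec_size;
    if (total > max_allowed) return false;
    *out = total;
    return true;
}

/* Naive: subtracting the fixed 4-byte header from a peer-supplied 16-bit
   length underflows for values below 4 and yields a near-64 KiB copy length. */
uint16_t naive_payload_len(uint16_t declared_len) {
    return (uint16_t)(declared_len - 4u);
}

/* Hardened: the declared length must cover the header and must not exceed
   the number of bytes that actually arrived. */
bool checked_payload_len(uint16_t declared_len, size_t received, uint16_t *out) {
    if (declared_len < 4 || declared_len > received) return false;
    *out = (uint16_t)(declared_len - 4);
    return true;
}

/* Demo input: a constructed header claiming 0x10000001 records of 16 bytes. */
static const rec_hdr_t demo_hdr = { 0x10000001u, 0x10u };
uint32_t demo_naive_size(void) { return naive_total_bytes(&demo_hdr); }    /* wraps to 16 */
bool demo_checked_size(void) { uint32_t t; return checked_total_bytes(&demo_hdr, 1u << 20, &t); }
uint16_t demo_naive_payload(void) { return naive_payload_len(2); }         /* underflows to 65534 */
bool demo_checked_payload(void) { uint16_t p; return checked_payload_len(2, 64, &p); }
```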
Affected systems and patch status (operational guidance)
Aggregators and the NVD reflect Microsoft as the origin for the CVE and list its metadata; multiple security trackers place the disclosure inside Microsoft’s March 10, 2026 security updates. At the time of writing, vendor guidance (the Microsoft Security Update Guide entry) is the authoritative place to map affected Windows versions to the specific KBs and update packages needed to remediate each platform. (nvd.nist.gov)

Administrators should immediately:
- Inventory systems that have the RemoteAccess/RRAS role enabled. This includes Windows Server instances used as VPN gateways or NAT/routing appliances.
- Check the Microsoft Security Update Guide mapping for CVE-2026-25173 to find the precise KBs for each Windows Server build, then deploy the updates via your standard deployment pipeline (WSUS, SCCM, Intune, or vendor-managed update tools). The official vendor advisory is the authoritative mapping point. (nvd.nist.gov)
- If patching cannot be completed immediately, isolate RRAS hosts from untrusted networks and block inbound RRAS‑related ports at the perimeter until updates are applied. Past RRAS incidents required perimeter hardening as a stopgap while updates were staged.
- Verify whether the RRAS service (RemoteAccess) is installed and running on each server: check the service name RemoteAccess and the role installation on Windows Server.
- Search patch management reports for the March 2026 updates mapped to RRAS and confirm successful installation (Get-HotFix and Windows Update logs).
- For any exposed RRAS gateway, block external access at the firewall or place the host behind a VPN‑only control plane (deny direct Internet inbound to the RRAS endpoints until patched).
- Use least‑privilege for authentication to RRAS (do not use accounts with unnecessary domain privileges for remote authentication).
Detection and hunting: What defenders should monitor
Because the CVE description is compact (integer overflow → RCE), defenders should apply layered detection strategies focused on both pre‑exploit and post‑exploit indicators.

Pre‑exploit detection (network + protocol anomalies):
- Monitor for unusual/sudden surges in RRAS traffic or malformed PPP/L2TP/SSTP/EAP frames to RRAS endpoints. Look for repeated handshake failures or odd field lengths in PPP/LCP exchanges.
- Create IDS/IPS signatures that flag RRAS message sizes or length fields that exceed expected ranges or that show anomalous wraparound values.
- Log and alert on abnormal authentication patterns to VPN gateways — repeated attempts, unusual usernames, logins from new IPs.
Post‑exploit detection (host + behavioral indicators):
- Watch for unexpected child processes spawned by the RRAS process (commonly the RemoteAccess service or its worker processes). Any creation of cmd.exe, powershell.exe, or scheduled tasks by RemoteAccess should be high‑priority.
- EDR telemetry: track new persistence artifacts on RRAS hosts (new service registrations, autoruns, scheduled tasks, or abnormal use of credential stores).
- Hunt for lateral movement originating from RRAS hosts: abnormal SMB connections, RDP sessions, or authenticated connections to domain controllers.
- EDR/Windows Event logs: hunt for Event ID patterns indicating RemoteAccess service instability, crashes, or unexpected restarts near times of suspicious VPN activity.
- Network logs: filter for RRAS-related ports and protocols, and alert on flows where payload lengths mismatch expected protocol headers or when sessions have unusual payload patterns.
- If you suspect exploitation, preserve memory and full disk images of the RRAS host before rebooting. Collect EDR traces, in‑memory artifacts, network captures, and Windows event logs. RRAS exploits that leverage memory corruption often leave volatile artifacts best captured from runtime memory.
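As an added example of the length‑field sanity check suggested above for IDS/IPS rules (this is not code from the page's sources or from any IDS product), the validator below walks one PPP LCP frame per RFC 1661 and reports the length inconsistencies a naive parser would mishandle: a declared Length shorter than the header, a declared Length larger than what arrived, and an option whose Length is zero or overruns the frame. The sample frames are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>

/* Verdicts for one PPP LCP frame (RFC 1661: Code, Identifier, 16-bit
   big-endian Length that includes this 4-byte header, then Data). */
enum lcp_verdict {
    LCP_OK = 0,
    LCP_TRUNCATED_HEADER,  /* fewer than 4 bytes received */
    LCP_LENGTH_TOO_SMALL,  /* declared Length below the 4-byte header */
    LCP_LENGTH_EXCEEDS,    /* declared Length larger than bytes received */
    LCP_OPTION_OVERRUN     /* option Length < 2 or running past the frame */
};

enum lcp_verdict check_lcp_frame(const uint8_t *buf, size_t len) {
    if (len < 4) return LCP_TRUNCATED_HEADER;
    uint8_t code = buf[0];
    size_t declared = ((size_t)buf[2] << 8) | buf[3];
    if (declared < 4) return LCP_LENGTH_TOO_SMALL;
    if (declared > len) return LCP_LENGTH_EXCEEDS;  /* bytes beyond Length are padding */
    /* Codes 1..4 (Configure-Request/Ack/Nak/Reject) carry Type/Length/Data
       options; each option Length counts its own 2-byte header. */
    if (code >= 1 && code <= 4) {
        size_t off = 4;
        while (off < declared) {
            if (declared - off < 2) return LCP_OPTION_OVERRUN;
            size_t opt_len = buf[off + 1];
            if (opt_len < 2 || opt_len > declared - off) return LCP_OPTION_OVERRUN;
            off += opt_len;
        }
    }
    return LCP_OK;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t lcp_good[] = {
    0x01, 0x07, 0x00, 0x0e,             /* Configure-Request, id 7, Length 14 */
    0x01, 0x04, 0x05, 0xdc,             /* MRU option = 1500 */
    0x05, 0x06, 0xde, 0xad, 0xbe, 0xef  /* Magic-Number option */
};
static const uint8_t lcp_zero_len_opt[] = {
    0x01, 0x08, 0x00, 0x08,
    0x01, 0x00, 0x05, 0xdc              /* option Length 0: a naive loop never advances */
};
static const uint8_t lcp_short_decl[] = { 0x01, 0x09, 0x00, 0x02, 0x00, 0x00 };
static const uint8_t lcp_overlong[]   = { 0x01, 0x0a, 0xff, 0xff, 0x01, 0x04, 0x05, 0xdc };
static const uint8_t lcp_padded[]     = { 0x01, 0x0b, 0x00, 0x08, 0x01, 0x04, 0x05, 0xdc, 0x00, 0x00 };
```

A frame flagged as anything other than LCP_OK is worth an alert on a gateway, since a compliant peer has no reason to emit such lengths.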
Risk analysis: Strengths, caveats, and attacker model
Strengths of vendor disclosure and available data:
- Microsoft (as CNA) has published the CVE metadata and a vendor advisory entry exists, which allows defenders to map fixed KBs and apply vendor‑tested patches. The NVD entry corroborates Microsoft’s description and CVSS assignment, which provides a stable basis for prioritization. (nvd.nist.gov)
- Multiple independent trackers (security aggregators and Patch Tuesday reviewers) catalog the CVE and place it inside the March 2026 update set, giving administrators multiple confirmation points for scheduling remediation. (zerodayinitiative.com)
Caveats and attacker model:
- The vendor description in public feeds is compact; Microsoft’s MSRC advisory is authoritative for build‑level impact and KB mapping but is dynamically rendered and may require manual lookup. Aggregator descriptions sometimes expand the impact (e.g., listing affected Windows builds) before the vendor KB mapping is fully published; those expansions should be treated as provisional until the MSRC KB mapping appears. (cvefeed.io)
- The CVSS vector indicates that user interaction is required. That lowers some remote unauthenticated zero‑click risk, but it does not eliminate operational urgency because many enterprise workflows cause the necessary user interaction (VPN logins, roaming client connections, or client‑initiated tunnel establishment). Practical exploitation may be feasible at scale on gateways with frequent legitimate connection attempts.
- The “authorized attacker” phrasing means adversaries likely need credentials that the RRAS instance accepts (domain accounts, VPN credentials, or machine certificates). However, credential theft and reuse are commonplace in real attacks; once valid credentials are available (phished or reused), the attack path becomes short.
- Exploit reliability will depend on the exact memory layout and ASLR/CFG/DEP mitigations present on the target builds. That said, the CVSS score (8.0) and historical RRAS exploitability suggest that exploit development is realistic for skilled attackers who can combine the overflow with heap shaping, return‑oriented programming, or other memory‑corruption techniques.
Short‑term mitigations and long‑term hardening
Short term (apply immediately if you cannot patch right away):
- Block inbound RRAS traffic from untrusted networks at the firewall. If RRAS is used for remote work, require further gating (e.g., a secondary VPN or jump host) to reach the RRAS endpoint.
- Disable unused RRAS features and protocols. If only SSTP or L2TP is required, remove PPTP and obsolete protocols that expand parsing surface area.
- Enforce multi‑factor authentication (MFA) for RRAS/VPN logins where possible to limit the risk from credential theft.
Long term (hardening):
- Move away from Internet‑exposed Windows Server RRAS gateways when feasible; use modern, dedicated VPN appliances or cloud VPN services with explicit vulnerability management SLAs.
- Segment VPN termination hosts in a restricted DMZ that prevents immediate access to domain controllers or sensitive infrastructure in the event of compromise.
- Maintain a regular patch cadence and validate automatic update workflows, plus incorporate RRAS and other edge components into prioritized patch windows.
Detection playbook — step‑by‑step (recommended sequence)
- Inventory: Identify every server with the RemoteAccess role; produce a prioritized list of Internet‑reachable instances.
- Patch mapping: Use Microsoft’s Security Update Guide to find the KBs for all affected OS builds and schedule immediate deployment for internet‑exposed systems. (nvd.nist.gov)
- Firewall hardening: Block RRAS‑related inbound ports from untrusted networks until patches are in place.
- Deploy hunting queries: Run EDR/IDS rules focused on malformed RRAS message lengths, RemoteAccess process anomalies, and unusual post‑auth behavior.
- For suspect hosts: Collect memory and network captures, preserve logs, and perform forensic analysis to check for exploitation indicators before remediation reboots.
- Post‑remediation validation: confirm the updates installed, validate client workflows, and monitor for any recurrence.
Why RRAS keeps appearing in advisories (context from the field)
The RRAS component is complex and ancient in Windows’ lifecycle; it contains protocol parsers for legacy and modern remote‑access protocols. That combination of protocol complexity, large input surface, and long maintenance tail makes it a repeat offender for memory‑safety bugs. In community threads and admin forums, RRAS vulnerabilities repeatedly appear as urgent patch events because many organizations run RRAS as a legacy gateway function and lack ready replacements — a practical reality that keeps the impact of RRAS CVEs high for enterprise defenders.

Final assessment: Prioritization and recommended posture
- Priority: Treat any RRAS‑related patch that fixes an RCE as Critical/High for internet‑exposed hosts. For CVE-2026-25173 specifically, apply the vendor‑mapped updates on the March 2026 cycle immediately for any RRAS servers that are reachable from untrusted networks. (nvd.nist.gov)
- Risk tolerance: Organizations that operate RRAS gateways should assume a moderate to high probability of the vulnerability being weaponizable against exposed hosts — especially after public disclosure — and act accordingly with patching and isolation.
- Communication: Notify network teams, VPN administrators, and incident response teams that RRAS hosts must be inventoried, patched, and monitored. If you operate managed services, confirm KB mapping and rollouts with your vendor or service provider.
What we still need to confirm (open items)
- Exact OS builds and KB article numbers mapped to CVE-2026-25173 for every supported Windows Server and Windows client version. Microsoft’s advisory contains that mapping; use it to plan deployments. (nvd.nist.gov)
- Any public proof‑of‑concept code or active exploitation campaigns beyond the vendor advisory. As of publication, there is no authoritative confirmation of active exploitation, but historical RRAS defects have seen rapid weaponization; defenders should assume exploitation risk until telemetry proves otherwise. (cvefeed.io)
Closing recommendations for administrators
- Immediately inventory all RemoteAccess/RRAS-enabled systems.
- Map Microsoft’s advisory KB entries and deploy vendor updates per your change control — prioritize Internet‑facing RRAS hosts.
- If you must delay patching, isolate RRAS hosts at the network perimeter, enforce MFA, and deploy targeted detections (IDS signatures and EDR rules).
- Prepare incident readiness: collect forensic capabilities and ensure memory/image capture workflows exist for rapid response if exploitation is suspected.
Source: MSRC Security Update Guide - Microsoft Security Response Center