Executive SummaryMicrosoft has released a security update addressing a new heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS), tracked as CVE-2025-54113. The flaw could allow remote code execution (RCE) if exploited, and administrators are strongly urged to patch affected Windows Server systems immediately.
- Released: September 9, 2025 (Patch Tuesday)
- Impact: Remote Code Execution
- Severity: Important (CVSS 8.8)
- Weakness: CWE-122: Heap-based Buffer Overflow
- Exploitation: Not publicly disclosed, not exploited in the wild, exploitation rated "Unlikely"
Affected Products
This vulnerability affects multiple supported Windows Server versions, including:
- Windows Server 2008 SP2 / R2 SP1 (x64, 32-bit, Server Core)
- Windows Server 2012 / 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022 (standard, 23H2, Server Core)
- Windows Server 2025
Recommended Actions
- Patch Immediately: Apply the September 2025 cumulative security updates or standalone security-only updates as applicable.
- Mitigate if Patch Delayed:
- Disable or firewall RRAS services exposed to untrusted networks.
- Stop the RemoteAccess service if RRAS is not required.
- Detection Guidance:
- Monitor Windows Event Logs (
RemoteAccess,RasMan) for abnormal service behavior. - Use SIEM/EDR hunts for RRAS crashes, anomalous process launches, or unexpected network activity on VPN/RRAS ports (SSTP, L2TP, PPTP).
- Deploy IDS rules to flag malformed RRAS protocol traffic.
This update is part of a wider set of RRAS heap-based RCE vulnerabilities patched in 2025. Even if exploitation is rated unlikely today, history shows that unpatched RRAS systems exposed to the internet become high-value targets. Administrators should treat this patch with urgency and verify update deployment across all affected server versions.
Last edited by a moderator:
