A remote information-disclosure vulnerability in the Windows Routing and Remote Access Service (RRAS) received an out-of-band advisory from Microsoft this week, warning that attackers can siphon sensitive memory contents from internet-facing VPN gateways. The flaw, tracked as CVE-2025-54096, scores high on urgency because RRAS often runs with SYSTEM privileges at the network edge, making any escaped data — authentication tokens, session keys, routing tables — a stepping stone to broader network compromise.
Microsoft’s Security Response Center confirmed the bug is an out-of-bounds read that can be triggered by specially crafted network traffic. An attacker who successfully exploits the vulnerability could obtain memory fragments that the service never intended to disclose. While not a remote code execution flaw, the information leak qualifies as a high-severity incident for any server that terminates VPN connections, site-to-site tunnels, or dial-up sessions.
What RRAS Does and Why It’s in the Crosshairs
RRAS is a heavyweight Windows Server role that handles remote access, site-to-site routing, Network Address Translation, and legacy dial-up services. Because it sits at the perimeter processing packets from untrusted networks, bugs in its protocol parsers give attackers a direct line to privileged system memory. The 2025 advisory cluster around RRAS underscores a pattern of uninitialized resource usage and buffer mismanagement that researchers have repeatedly flagged.
“An out-of-bounds read tends to occur when code reads memory beyond the bounds of an allocated buffer or returns an uninitialized buffer to a caller,” the Microsoft advisory notes. When that happens inside a network service, a remote actor can craft packets that force the service to echo back snippets of memory containing authentication material or internal configuration. Small leaks can have outsized consequences when they expose credential fragments or routing state.
The Technical Mechanics
CVE-2025-54096 is categorized as an information-disclosure vulnerability caused by an out-of-bounds read. Affected code handles packet processing for the protocols that RRAS supports:
- PPTP (TCP 1723, plus GRE, IP protocol 47)
- L2TP (UDP 1701, plus IKE on UDP 500/4500 for IPsec)
- SSTP (TCP 443)
- IKE/IPsec control flows
An attacker who can reach any of these ports on a vulnerable server may send malformed negotiation packets that trigger the read beyond buffer boundaries. Microsoft’s advisory describes the attacker as “authorized,” which in practical terms means the attacker must be able to engage in the early handshake of a VPN protocol. In many deployments, RRAS accepts unauthenticated initiation traffic, so any internet-exposed endpoint should be treated as a high-priority patch target.
The leaked data can include session tokens, credential hashes, or routing metadata. Because the service operates in a privileged context, even a few bytes of memory can arm an attacker with the information needed to crack credentials offline or plan lateral movement.
Affected Product Scope
RRAS is not installed by default; it’s an optional role on Windows Server. Systems that do not have the RemoteAccess service running are not exposed. However, enterprise VPN gateways, branch-office concentrators, and cloud-based Windows images that bundle RRAS are very much in scope. Affected Windows Server releases cover Server 2016, 2019, and 2022, as well as later builds where the RRAS role is present.
Administrators must map CVE-2025-54096 to the exact KB number and update package for their specific SKU. Third-party aggregator feeds have shown inconsistent CVE identifiers or KB mappings for RRAS issues in 2025, so the Microsoft Security Update Guide entry is the authoritative reference.
Operational Risk: Why Information Disclosure Matters
Even without remote code execution, an information leak from an edge service is a severe risk:
- Privileged context: RRAS runs as SYSTEM, meaning leaked memory can contain highly sensitive secrets.
- Token and key exposure: Session keys, NTLM hashes, or certificate private key material may appear in leaked buffers.
- Stealth: Out-of-bounds reads often don’t crash the service, allowing long-term reconnaissance with minimal log noise.
- Lateral movement enabler: Routing tables and configuration details let attackers map internal networks and plan targeted intrusions.
Real-world attack workflows could begin with port scans for RRAS endpoints, followed by crafted probing packets that parse the leaked responses. Attackers can then triangulate the extracted data to pivot toward domain controllers or other high-value targets.
The vulnerability attracted immediate community scrutiny because RRAS flaws have been exploited in the wild before. 2024–2025 saw a sequence of RRAS bugs, some culminating in heap overflows and RCE. Even if this CVE is limited to information disclosure, it lowers the barrier for subsequent attacks.
Immediate Response Checklist
For any organization running RRAS, especially internet-facing instances, the recommended steps are:
- Inventory – Identify every server with the RRAS role installed. Use PowerShell:

```powershell
Get-Service -Name RemoteAccess
Get-WindowsFeature | Where-Object { $_.Name -match "RemoteAccess" -or $_.Name -match "Routing" }
```

- Patch – Obtain the security update from the Microsoft Update Catalog, WSUS, or SCCM. Apply it first to internet-facing hosts. Verify with `Get-HotFix` and test VPN connectivity.
- Contain if patching is delayed – Block critical ports at the perimeter: TCP 1723, GRE (IP protocol 47), UDP 500/4500, UDP 1701, TCP 443. If RRAS is not essential, stop and disable the service:

```powershell
Stop-Service -Name RemoteAccess -Force
Set-Service -Name RemoteAccess -StartupType Disabled
```

Consider removing the role entirely if it’s not needed.
- Harden – Enforce certificate-based authentication and multifactor authentication for VPN sign-ins. Apply Zero Trust principles to minimize the value of any leaked tokens.
Detection and Monitoring
Network defenders should tune detections for signs of active probing or exploitation:
- Traffic anomalies: Spike in connection attempts to RRAS ports from unfamiliar IPs, malformed negotiation packets, or repeated probe patterns.
- Host and service logs: Unexpected negotiation failures, frequent handshake restarts, or RRAS service crashes logged in the event viewer.
- EDR telemetry: Unusual child processes spawned by the svchost.exe instance hosting RRAS, new account creations, or persistence mechanisms on the server.
- Downstream hunting: Look for credential misuse, lateral movement from the RRAS host, or anomalous authentication requests to domain controllers.
Given that the information leak is silent, proactive forensic memory snapshots may be warranted on critical gateways if exploitation is suspected.
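The traffic-anomaly and service-crash indicators above can be turned into a simple hunt. The following PowerShell is an added example written for this article, not tooling from Microsoft or the advisory: it parses Windows Firewall log lines (pfirewall.log format), counts attempts per source address against the RRAS ports listed earlier inside a sliding time window, and flags sources that exceed a threshold. The sample lines are constructed, not real traffic; the threshold and window are assumptions to tune per environment. A second function queries the Service Control Manager events (IDs 7031/7034, a service terminating unexpectedly) for the Routing and Remote Access service.

```powershell
# Added example for this article (not code from the advisory): hunt for RRAS port probing and service crashes.
$RrasPorts = @{ TCP = @(1723, 443); UDP = @(1701, 500, 4500) }

# Constructed sample lines in Windows Firewall (pfirewall.log) format. 203.0.113.5 hammers PPTP/IKE
# every few seconds; 198.51.100.7 makes one normal SSTP connection. Not real traffic.
$SampleLog = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
$t = [datetime]'2025-08-14 10:03:00'
for ($i = 0; $i -lt 25; $i++) {
    $stamp = $t.AddSeconds($i * 7).ToString('yyyy-MM-dd HH:mm:ss')
    $port  = if ($i % 2 -eq 0) { 1723 } else { 500 }
    $proto = if ($port -eq 1723) { 'TCP' } else { 'UDP' }
    $SampleLog += "$stamp ALLOW $proto 203.0.113.5 192.0.2.10 $(51000 + $i) $port 52 S 0 0 0 - - - RECEIVE"
}
$SampleLog += '2025-08-14 10:04:10 ALLOW TCP 198.51.100.7 192.0.2.10 44021 443 52 S 0 0 0 - - - RECEIVE'

function Get-RrasProbeCandidates {
    param(
        [string[]]$Lines,
        [int]$Threshold = 20,      # assumed: attempts per source inside one window
        [int]$WindowMinutes = 5    # assumed: sliding window length
    )
    # Keep only records aimed at RRAS ports; skip comments and short lines.
    $events = foreach ($line in $Lines) {
        if ($line -match '^\s*#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        $proto = $f[3]; $dstPort = [int]$f[7]
        if ($RrasPorts.ContainsKey($proto) -and $RrasPorts[$proto] -contains $dstPort) {
            [pscustomobject]@{
                Time     = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
                Action   = $f[2]
                Protocol = $proto
                SourceIp = $f[4]
                DstPort  = $dstPort
            }
        }
    }
    $events | Group-Object SourceIp | ForEach-Object {
        $src    = $_.Name
        $sorted = @($_.Group | Sort-Object Time)
        # Peak number of attempts from this source within any window starting at one of its own events.
        $peak = 0
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $n = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end }).Count
            if ($n -gt $peak) { $peak = $n }
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{
                SourceIp             = $src
                PeakAttemptsInWindow = $peak
                Ports                = (($sorted.DstPort | Sort-Object -Unique) -join ',')
            }
        }
    }
}

function Get-RrasServiceCrashEvents {
    param([int]$Days = 7)
    # SCM event 7034 = service terminated unexpectedly; 7031 = terminated unexpectedly, recovery action taken.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7031, 7034; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Routing and Remote Access' } |
        Select-Object TimeCreated, Id, Message
}

# Run against the constructed sample: only 203.0.113.5 should be reported.
Get-RrasProbeCandidates -Lines $SampleLog | Format-Table -AutoSize
# On a real gateway, feed the live log instead:
# Get-RrasProbeCandidates -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
Get-RrasServiceCrashEvents -Days 7 | Format-Table -AutoSize
```

Both ALLOW and DROP records count as attempts, because a probe that completes the early handshake is exactly the case the advisory describes; filter on `Action` if only blocked traffic is of interest. Firewall logging must be enabled on the host for the live path to return anything, and a crash-free run of the second function proves nothing on its own, since the out-of-bounds read is described as usually silent.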
Third-Party Feed Discrepancies
Multiple RRAS CVEs surfaced in 2025, creating confusion in aggregated threat intelligence feeds. Some public summaries incorrectly attributed heap-overflow or RCE impact to CVE-2025-54096. The MSRC entry explicitly classifies this as an information-disclosure, out-of-bounds read. Administrators should not rely on third-party KB mappings unless confirmed by the Microsoft Security Update Guide.
“Flag any claim of exact CVSS scores, KB numbers, or exploit PoC availability as verifiable only after checking MSRC,” the community advisory stresses. As of the initial advisory release, no publicly available, reliable proof-of-concept exploit was observed. However, given the history of RRAS weaponization, defenders should assume that functional exploits may surface rapidly.
Long-Term Hardening Strategies
Patching alone is insufficient for a service that will remain a high-value target. Organizations should:
- Minimize attack surface: Uninstall RRAS where not needed. Use modern VPN appliances or cloud-native solutions where feasible.
- Segment networks: Isolate VPN termination points from domain controllers and management networks. Use dedicated VLANs and firewall rules.
- Enforce strong authentication: Implement smart-card or certificate-based VPN authentication, combined with conditional access policies.
- Patch discipline: Treat RRAS updates as emergency change requests for internet-facing systems. Test in staging prior to production rollout.
Risk Analysis and Trade-Offs
The urgency varies by exposure:
| Risk Level | Scenario | Recommended Action |
|---|---|---|
| High | Internet-facing RRAS (VPN gateway, DMZ) | Patch immediately, even during business hours if possible. Block ports beforehand if patching must be delayed. |
| Medium | Internal RRAS only | Patch during next planned maintenance window. Apply strict monitoring and segment from critical systems in the meantime. |
| Low | No RRAS installed | No direct patch required. Verify inventory across all cloud instances and templates. |
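The inventory step of the checklist and the three tiers in the table above can be combined into one fleet-wide check. The script below is an added example for this article, not Microsoft's or the advisory's code: it runs on each listed server, records whether the RemoteAccess role is installed and running, which addresses the RRAS ports are bound to, whether the mapped KB is present, and assigns High, Medium or Low by the table's rules. The host names are constructed, `KBxxxxxx` is a placeholder for the KB that the MSRC Update Guide maps to CVE-2025-54096 for each build, and "internet-facing" is approximated as a listener on a non-private address (an assumption that does not see a public VIP fronting a NAT'd gateway).

```powershell
# Added example for this article (not from the advisory): classify RRAS exposure per host.
$KB      = 'KBxxxxxx'                            # placeholder: take the real KB from MSRC for your SKU
$Servers = @('vpn-gw-01', 'branch-rtr-02')       # constructed host names; WinRM assumed reachable
$RrasTcpPorts = 1723, 443
$RrasUdpPorts = 1701, 500, 4500

$Assessment = {
    param($KB, $TcpPorts, $UdpPorts)
    $feature   = Get-WindowsFeature -Name RemoteAccess -ErrorAction SilentlyContinue
    $svc       = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $installed = [bool]($feature -and $feature.Installed)
    $running   = [bool]($svc -and $svc.Status -eq 'Running')

    # Addresses the RRAS protocol ports are bound to (GRE has no port and is not visible here).
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $TcpPorts -contains $_.LocalPort }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $UdpPorts -contains $_.LocalPort }
    $bound = @(@($tcp.LocalAddress) + @($udp.LocalAddress) | Sort-Object -Unique)

    # A wildcard bind means "every interface", so substitute the host's own IPv4 addresses.
    if ($bound -contains '0.0.0.0' -or $bound -contains '::') {
        $bound += (Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue).IPAddress
    }
    # Assumption: a listener on a non-private, non-loopback address counts as internet-facing.
    $private = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|169\.254\.|0\.0\.0\.0$|::)'
    $public  = @($bound | Where-Object { $_ -notmatch $private })

    $patched = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

    # Tiering follows the article's table: no role = Low, internal only = Medium, exposed = High.
    $risk = if (-not $installed) { 'Low' } elseif ($public) { 'High' } else { 'Medium' }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        RrasInstalled  = $installed
        ServiceRunning = $running
        ListeningOn    = ($bound -join ',')
        PublicAddrs    = ($public -join ',')
        PatchApplied   = $patched
        Risk           = $risk
    }
}

Invoke-Command -ComputerName $Servers -ScriptBlock $Assessment -ArgumentList $KB, $RrasTcpPorts, $RrasUdpPorts |
    Sort-Object @{ Expression = { @{ High = 0; Medium = 1; Low = 2 }[$_.Risk] } } |
    Format-Table Computer, Risk, RrasInstalled, ServiceRunning, PatchApplied, ListeningOn, PublicAddrs -AutoSize
```

`Get-WindowsFeature` needs the ServerManager module, so the script block is meant for Windows Server targets; on a host where the role was removed but the RemoteAccess service entry lingers, `RrasInstalled` is what drives the tier. A host reporting High with `PatchApplied` false is the "patch immediately" row of the table.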
Remediation Playbook Summary
```powershell
# Inventory
Get-Service RemoteAccess
Get-WindowsFeature RemoteAccess, Routing

# Map CVE to KB
# Visit https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54096/

# Patch (example via PSWindowsUpdate)
Install-WindowsUpdate -KBArticleID KBxxxxxx -AcceptAll -AutoReboot

# Verify
Get-HotFix -Id KBxxxxxx

# Contain
Stop-Service RemoteAccess -Force
Set-Service RemoteAccess -StartupType Disabled
# New-NetFirewallRule takes a single -Protocol value, so TCP, UDP and GRE need separate rules
New-NetFirewallRule -DisplayName "Block RRAS Inbound TCP" -Direction Inbound -Protocol TCP -LocalPort 1723,443 -Action Block
New-NetFirewallRule -DisplayName "Block RRAS Inbound UDP" -Direction Inbound -Protocol UDP -LocalPort 1701,500,4500 -Action Block
New-NetFirewallRule -DisplayName "Block RRAS Inbound GRE" -Direction Inbound -Protocol 47 -Action Block
```
What Remains Unverified
- Exact KB numbers differ per Windows Server build and patch channel; always cross-reference MSRC.
- Some third-party feeds may conflate CVE-2025-54096 with other 2025 RRAS bugs that do carry RCE risk. Validate each CVE independently.
- Public exploit code availability is unconfirmed at this time, but the information-disclosure nature means adversaries can likely develop their own probes quickly.
Conclusion
CVE-2025-54096 serves as a potent reminder that edge services like RRAS are treasure troves for memory-scraping attackers. The vulnerability lets a remote actor read uninitialized memory from a SYSTEM-privileged process, potentially exposing the keys to the kingdom. Immediate patching, combined with network containment and enhanced monitoring, forms the only reliable defense. Treat any exposed RRAS endpoint as actively targeted and prioritize this fix before your next change window closes.
Administrators who have not inventoried their RRAS instances in recent months should do so right now. Security through obscurity won’t work when the attack surface is advertised on every port scan.