Beyond the Perimeter: How to See Every Threat in Hybrid Networks
Get a Demo

Vulnerabilities

CVE-2026-25172

CVE-2026-25172 Explained: Remote Code Execution in Windows RRAS Triggered by Integer Overflow Conditions

CVSS Gauge
CVSS Needle
CVSS Score: 8.0

Summary

When processing manipulated network traffic, CVE-2026-25172, a high-severity remote code execution vulnerability in Windows RRAS, can cause heap memory corruption due to wraparound or integer overflow problems, potentially allowing arbitrary code execution. It impacts a number of Windows client and server versions with RRAS enabled, such as Windows Server 2012-2025 and various versions of Windows 10 and Windows 11.

In order to resolve it, Microsoft released security updates in March 2026 that included cumulative patches and the KB5084597 hotpatch for Windows 11 enterprise systems that were supported. In hotpatch-enabled environments, some of the solutions were designed to be deployed without a system reboot.

Urgent Actions Required

  • Apply Microsoft updates for CVE-2026-25172 on all affected systems
  • Install March 2026 cumulative updates or KB5084597 hotpatch where applicable
  • Disable RRAS if not required
  • Restrict RRAS access using firewall or segmentation
  • Monitor RRAS logs and network activity for anomalies

Which Systems Are Vulnerable to CVE-2026-25172?

Technical Overview

  • Vulnerability Type:
    Integer overflow/wraparound leading to heap-based memory corruption in Windows Routing and Remote Access Service (RRAS), enabling remote code execution
  • Affected Software/Versions:
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016 (before 10.0.14393.8957)
    • Windows Server 2019 (before 10.0.17763.8511)
    • Windows Server 2022 (before 10.0.20348.4830)
    • Windows Server 2022, 23H2 Edition
    • Windows Server 2025 (before 10.0.26100.32463)
    • Windows 10 Version 1607
    • Windows 10 Version 1809
    • Windows 10 Version 21H2
    • Windows 10 Version 22H2
    • Windows 11 Version 23H2
    • Windows 11 Version 24H2
    • Windows 11 Version 25H2
    • Windows 11 Version 26H1
    • Any system with Windows Routing and Remote Access Service (RRAS) enabled
  • CVSS Vector: v3.1
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
  • Patch Availability: Yes, available
    🔃 Security Update Guide - Loading - Microsoft

How Does the CVE-2026-25172 Exploit Work?

The attack typically follows these steps:

CVE-2026-25172

What Causes CVE-2026-25172?

Vulnerability Root Cause:

This vulnerability arises from improper handling of integer values within the Windows Routing and Remote Access Service. When processing crafted network input, integer values can overflow or wraparound, resulting in incorrect memory allocation. This leads to a heap-based buffer overflow condition, allowing memory corruption that can be leveraged to execute arbitrary code over a network.

How Can You Mitigate CVE-2026-25172?

If immediate patching is delayed or not possible:

  • Disable Windows Routing and Remote Access Service if not needed.
  • Restrict access using firewalls and network segmentation.
  • Allow only trusted sources to reach RRAS.
  • Monitor RRAS traffic for abnormal or malformed requests.
  • Apply Microsoft security updates promptly.

Which Assets and Systems Are at Risk?

  • Asset Types Affected:
    • Windows operating systems with the Routing and Remote Access Service enabled
    • Windows Server environments using remote access or routing features
    • Enterprise systems exposing the Routing and Remote Access Service over a network
  • Business-Critical Systems at Risk:
    • Remote access infrastructure using the Routing and Remote Access Service
  • Exposure Level:
    • Network-accessible systems where Routing and Remote Access Service is enabled
    • Windows servers and clients configured for remote routing or access services
    • Enterprise environments where Routing and Remote Access Service is exposed to internal or external networks

Will Patching CVE-2026-25172 Cause Downtime?

Patch application impact: Moderate. Microsoft released security and hotpatch updates for CVE-2026-25172 across affected Windows systems. Some installations may require updates and system restarts depending on configuration.

Mitigation (if immediate patching is not possible): Disable RRAS if not needed. Restrict access with firewalls and segmentation. Monitor traffic for anomalies. Apply Microsoft security updates for full mitigation.

How Can You Detect CVE-2026-25172 Exploitation?

Exploitation Signatures:

Look for abnormal or crafted network traffic targeting the Windows Routing and Remote Access Service that triggers unexpected processing of integer values. Indicators may include malformed requests that cause service errors, instability, or crashes.

Indicators of Compromise (IOCs/IOAs):

  • Unexpected crashes or restarts of the Windows Routing and Remote Access Service
  • Errors in Windows Event Logs related to Remote Access services
  • Unusual or malformed network traffic directed at the Routing and Remote Access Service
  • Signs of memory corruption or abnormal service behavior after network requests

Behavioral Indicators:

  • Service failures occurring during the processing of network input
  • Unexpected system behavior linked to Routing and Remote Access Service execution
  • Evidence of heap memory corruption affecting service stability
  • Abnormal activity originating from Remote Access service components

Alerting Strategy:

  • Priority: High
  • Trigger alerts for:
    • Malformed or unusual network traffic targeting the Routing and Remote Access Service
    • Repeated failures or crashes of the Routing and Remote Access Service
    • Suspicious activity observed in Remote Access service logs or processes

Remediation & Response

  • Remediation Timeline:
    • Apply Microsoft security updates addressing CVE-2026-25172 across affected Windows systems.
    • Deploy cumulative updates and Windows 11 hotpatch update (KB5084597) where applicable for enterprise environments.
    • Verify that all systems running Windows Routing and Remote Access Service are updated.
  • Rollback Plan:
    If issues occur after updating, revert to the previous stable Windows update state using standard system rollback procedures.
  • Incident Response Considerations:
    • Isolate systems where Windows Routing and Remote Access Service is enabled if suspicious activity is detected.
    • Review Windows Event Logs and Routing and Remote Access Service logs for errors or abnormal activity.
    • Investigate systems showing service crashes, unexpected behavior, or signs of memory corruption linked to the Routing and Remote Access Service.
    • Monitor network traffic targeting the Routing and Remote Access Service for malformed or unusual requests after remediation.

Compliance & Governance Notes

  • Audit Trail Requirement:
    • Record deployment of Microsoft security updates addressing CVE-2026-25172
    • Document installation of cumulative updates and Windows 11 hotpatch (KB5084597, where applicable)
    • Maintain Windows Event Logs and Routing and Remote Access Service logs related to security activity
    • Track update status across affected Windows systems
  • Policy Alignment:
    • Maintain vulnerability management processes for applying Microsoft security updates
    • Ensure systems running Windows Routing and Remote Access Service are included in asset monitoring
    • Enforce network access restrictions for the Routing and Remote Access Service
    • Maintain logging and monitoring for the Routing and Remote Access Service activity

CVSS Breakdown Table

MetricValue Description
Base Score8.0High severity vulnerability affecting Windows Routing and Remote Access Service
Attack VectorNetwork Exploitable remotely over a network via crafted traffic
Attack ComplexityLowExploitation does not require special conditions
Privileges RequiredLowSome sources indicate that low privileges, or authorized access may be required
User Interaction RequiredSome scenarios require user action, such as interacting with a malicious server
Scope Unchanged Impact remains within the vulnerable Windows Routing and Remote Access Service context
Confidentiality Impact HighExploitation can lead to the exposure of sensitive system information through code execution
Integrity Impact HighAttacker can execute arbitrary code and alter system behavior
Availability ImpactHighSuccessful exploitation can disrupt services through system compromise or instability

References:

  1. NVD – CVE-2026-25172
  2. CVE Record: CVE-2026-25172

Vulnerability Overview 

CVE ID: CVE-2026-25172

CVE Title: Windows Routing and Remote Access Service (RRAS) Remote Code Execution via Integer Overflow

Severity: High

CVSS Score: 8.0

Exploit Status: No known public exploit / No confirmed widespread exploitation

Business Risk: Attackers may be able to execute code on RRAS systems by remote exploitation of this vulnerability, which could result in complete system compromise, service interruption, and potential lateral movement in business networks.

CVE Traking Guide

How to Track Key Vulnerabilities and Exposures (CVEs) in the Modern Threat Landscape

Download the Guide

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo