Tuesday April 28, 2026

Advisory ID:   ngCERT-2026-040004

SUMMARY

ngCERT alerts on multiple critical Remote Code Execution (RCE) vulnerabilities in the Windows Routing and Remote Access Service (RRAS), tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111. These vulnerabilities affect enterprise Windows systems that use RRAS for VPN and remote access management. Successful exploitation could allow an attacker to execute arbitrary code over the network, leading to full system compromise. Organisations and individuals are strongly advised to apply the Microsoft-released security updates, including out-of-band hotpatches, to address these flaws.

DESCRIPTION

Windows RRAS is a Windows service that provides routing, VPN, and remote connectivity features. It is affected by multiple critical remote code execution (RCE) vulnerabilities, identified as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, which arise from improper handling of network responses and memory structures. These flaws can be exploited when an authenticated attacker either tricks a domain user into connecting to a malicious RRAS server or sends crafted network requests via the RRAS management interface. CVE-2026-26111 in particular involves an integer overflow condition that leads to memory corruption and enables execution of attacker-controlled code over the network. Collectively, these issues allow low-privileged attackers to abuse legitimate RRAS operations to obtain remote code execution on affected systems.

Damage:      Critical (CVSS 8.0)

Probability:  High

Platform(s):  Windows

CONSEQUENCES

Exploitation of these vulnerabilities may result in:

    1. Remote Code Execution (RCE).
    2. Full System Compromise.
    3. Unauthorized Access.
    4. Lateral Movement.
    5. Service Disruption.

SOLUTION/MITIGATION

ngCERT recommends the following:

    1. Apply Microsoft security patches immediately.
    2. Restrict RRAS access to trusted networks.
    3. Disable RRAS if not needed.
    4. Implement network segmentation and enforce least privilege access controls.
    5. Monitor for suspicious activity and configure firewall protections.
    6. Use IDS/IPS solutions to detect and prevent attacks.    
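The following PowerShell script is an added example for mitigations 1 to 3 and 5 above; it is not part of the ngCERT advisory and does not come from Microsoft. It checks whether the RemoteAccess service is present, lists which RRAS protocol listeners are open, compares installed hotfixes against a KB list the operator supplies, and can optionally disable RRAS or scope its inbound firewall rules to trusted networks. The KB identifiers, the trusted subnets (10.0.0.0/8 is a constructed placeholder), and the firewall display group name 'Routing and Remote Access' are assumptions the operator should confirm against the Microsoft advisory and the local firewall configuration; run it as Administrator.

```powershell
<#
  Added example (not from the ngCERT advisory or Microsoft). Assumptions:
  - Runs elevated on the Windows host being assessed.
  - $RequiredKBs is filled by the operator from the Microsoft Security Update Guide
    entries for CVE-2026-25172, CVE-2026-25173 and CVE-2026-26111; none are hard-coded.
  - $TrustedSubnets lists the networks that legitimately reach the VPN endpoint
    (10.0.0.0/8 below is a constructed placeholder).
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$RequiredKBs = @(),
    [string[]]$TrustedSubnets = @('10.0.0.0/8'),
    [switch]$DisableRras,
    [switch]$RestrictFirewall
)

# 1. Is RRAS present and running? The Windows service name is RemoteAccess.
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Host 'RemoteAccess service not present; this host does not run RRAS.'
    return
}
Write-Host ('RemoteAccess service state: {0}, start type: {1}' -f $svc.Status, $svc.StartType)

# 2. Which RRAS protocol listeners are open? PPTP 1723/tcp, SSTP 443/tcp,
#    L2TP 1701/udp, IKEv2 500/udp and 4500/udp. (GRE is IP protocol 47, not a port.)
$tcpPorts = 1723, 443
$udpPorts = 1701, 500, 4500
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $tcpPorts } |
    ForEach-Object { Write-Host ('Listening TCP {0} (pid {1})' -f $_.LocalPort, $_.OwningProcess) }
Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $udpPorts } |
    ForEach-Object { Write-Host ('Bound UDP {0} (pid {1})' -f $_.LocalPort, $_.OwningProcess) }

# 3. Mitigation 1: compare installed hotfixes against the operator-supplied KB list.
if ($RequiredKBs.Count -gt 0) {
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in $RequiredKBs) {
        if ($installed -contains $kb) { Write-Host "$kb installed" }
        else { Write-Warning "$kb MISSING - apply the Microsoft update" }
    }
} else {
    Write-Warning 'No KB list supplied; take the KB IDs from the Microsoft advisory for the three CVEs.'
}

# 4. Mitigation 3: disable RRAS where it is not needed.
if ($DisableRras -and $PSCmdlet.ShouldProcess('RemoteAccess', 'Stop and disable service')) {
    Stop-Service -Name RemoteAccess -Force
    Set-Service -Name RemoteAccess -StartupType Disabled
    Write-Host 'RemoteAccess stopped and disabled.'
}

# 5. Mitigations 2 and 5: restrict the RRAS listeners to trusted networks.
#    Block rules take precedence over allow rules in Windows Firewall, so a blanket
#    block on the VPN ports would also cut off trusted peers. Instead, scope the
#    existing RRAS allow rules to the trusted subnets and rely on the profile's
#    default inbound Block for everyone else.
if ($RestrictFirewall -and $PSCmdlet.ShouldProcess('Windows Firewall', 'Scope RRAS allow rules to trusted subnets')) {
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    $rules = Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' -Direction Inbound -ErrorAction SilentlyContinue
    if ($rules) {
        $rules | Set-NetFirewallRule -RemoteAddress $TrustedSubnets
        Write-Host ('{0} RRAS inbound rule(s) now limited to {1}' -f @($rules).Count, ($TrustedSubnets -join ', '))
    } else {
        Write-Warning "No rules in the 'Routing and Remote Access' group found; scope your custom VPN rules manually."
    }
}
```

Run it first with no switches to get an inventory (service state, open listeners, patch status); then rerun with -DisableRras on hosts that do not need VPN or routing, or with -RestrictFirewall -TrustedSubnets '192.0.2.0/24' (substitute your own ranges) on hosts that must keep RRAS exposed until the update is applied. Note that port 443 is shared with any other TLS service on the host, so scoping rules by port alone affects those services too; use the rule group rather than raw port blocks where possible.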

HYPERLINK