📄 Description (English)
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network.
🤖 AI Executive Summary
CVE-2026-25173 is a high-severity integer overflow vulnerability in Windows RRAS affecting multiple Windows 10 versions. An authenticated attacker can exploit this flaw to execute arbitrary code over the network, posing significant risk to organizations relying on VPN and remote access infrastructure. Immediate patching is critical as RRAS is widely deployed in Saudi enterprises for secure remote connectivity.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 26, 2026 20:39
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability directly impacts Saudi banking sector (SAMA-regulated institutions), government agencies (NCA oversight), healthcare providers, and energy sector organizations (ARAMCO, SEC) that utilize RRAS for secure remote access and VPN connectivity. Telecom operators (STC, Mobily, Zain) managing network infrastructure are also at risk. The authentication requirement limits exposure but remains critical for insider threats and compromised account scenarios prevalent in targeted attacks against Saudi critical infrastructure.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Windows 10 systems running RRAS (versions 1607, 1809, 21H2, 22H2) across your infrastructure
2. Prioritize patching for systems exposed to untrusted networks or supporting remote access
3. Review RRAS access logs for suspicious authentication attempts or unusual traffic patterns
4. Restrict RRAS access to authorized users only via network segmentation
PATCHING GUIDANCE:
1. Apply Microsoft security updates immediately upon availability
2. Test patches in non-production environments first
3. Implement phased rollout starting with critical infrastructure
4. Verify patch installation using Windows Update verification tools
COMPENSATING CONTROLS (if patching delayed):
1. Implement network-level authentication (NLA) enforcement
2. Deploy multi-factor authentication (MFA) for all RRAS connections
3. Restrict RRAS ports (TCP 443, UDP 500, UDP 4500) at firewall level
4. Monitor RRAS service for unexpected process behavior
5. Implement IP whitelisting for VPN access
DETECTION RULES:
1. Monitor Event ID 20226 (RRAS connection attempts) for anomalies
2. Alert on RRAS service crashes or unexpected restarts
3. Track unusual RAS client connections from non-standard locations
4. Monitor for integer overflow patterns in RRAS memory access logs
5. Implement IDS signatures for RRAS protocol anomalies
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع أنظمة Windows 10 التي تقوم بتشغيل RRAS (الإصدارات 1607 و 1809 و 21H2 و 22H2) عبر البنية التحتية الخاصة بك
2. إعطاء الأولوية لتصحيح الأنظمة المكشوفة للشبكات غير الموثوقة أو التي تدعم الوصول البعيد
3. مراجعة سجلات RRAS للبحث عن محاولات مصادقة مريبة أو أنماط حركة غير عادية
4. تقييد وصول RRAS للمستخدمين المصرح لهم فقط عبر تقسيم الشبكة
إرشادات التصحيح:
1. تطبيق تحديثات أمان Microsoft فوراً عند توفرها
2. اختبار التصحيحات في بيئات غير الإنتاج أولاً
3. تنفيذ طرح متدرج بدءاً من البنية التحتية الحرجة
4. التحقق من تثبيت التصحيح باستخدام أدوات التحقق من Windows Update
الضوابط البديلة (إذا تأخر التصحيح):
1. تنفيذ فرض المصادقة على مستوى الشبكة (NLA)
2. نشر المصادقة متعددة العوامل (MFA) لجميع اتصالات RRAS
3. تقييد منافذ RRAS (TCP 443 و UDP 500 و UDP 4500) على مستوى جدار الحماية
4. مراقبة خدمة RRAS للسلوك غير المتوقع للعملية
5. تنفيذ القائمة البيضاء للعناوين IP لوصول VPN
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.14.2.1 - Secure development policy
ECC 2024 A.12.2.1 - Monitoring and logging of access
🔵 SAMA CSF
ID.RA-1 - Asset management and vulnerability identification
PR.IP-12 - System security configuration and patch management
DE.CM-8 - Vulnerability scans and assessments
🟡 ISO 27001:2022
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development and change management
A.12.2.1 - User access management and monitoring
🟣 PCI DSS v4.0.1
Requirement 6.2 - Security patches and updates
Requirement 11.2 - Vulnerability scanning
📦 Affected Products / CPE 25 entries
microsoft:windows_10_1607
microsoft:windows_10_1607
microsoft:windows_10_1809
microsoft:windows_10_1809
microsoft:windows_10_21h2
microsoft:windows_10_21h2
microsoft:windows_10_21h2
microsoft:windows_10_22h2
microsoft:windows_10_22h2
microsoft:windows_10_22h2
microsoft:windows_11_23h2
microsoft:windows_11_23h2
microsoft:windows_11_24h2
microsoft:windows_11_24h2
microsoft:windows_11_25h2
microsoft:windows_11_25h2
microsoft:windows_11_26h1
microsoft:windows_11_26h1
microsoft:windows_server_2012:-
microsoft:windows_server_2012:r2
microsoft:windows_server_2016
microsoft:windows_server_2019
microsoft:windows_server_2022
microsoft:windows_server_2022_23h2
microsoft:windows_server_2025