# Titles: Windows RRAS Remote Code Execution Vulnerability (CVE-2026-26111) - SE-RCE Exploit # Author: nu11secur1ty # Date: 19.03.2026 # Vendor: Microsoft # Software: Windows RRAS (Routing and Remote Access Service) # Reference: https://www.cve.org/CVERecord?id=CVE-2026-26111 ## Description: A critical remote code execution vulnerability exists in the Microsoft Windows Routing and Remote Access Service (RRAS). The vulnerability is caused by an integer overflow (CWE-190) leading to a heap-based buffer overflow (CWE-122) when parsing specially crafted RPC responses. An authenticated domain user connecting to a malicious RRAS server can trigger this vulnerability, allowing the attacker to execute arbitrary code on the target system with high privileges. The CVSS score is 8.8 (HIGH) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. STATUS: CRITICAL - PATCHED BY MICROSOFT (KB5084597) [+]Payload: The payload consists of XOR-obfuscated shellcode (key 0xAA) embedded in a malformed RPC response with a length field set to 0xFFFFFFFF. This triggers the integer overflow and allows the shellcode to execute on the target system. The shellcode performs system information enumeration and exfiltrates data back to the attacker on port 4445. Example payload structure: - RPC Header (0x05 0x00 0x0b 0x03 0x10) - Integer Overflow Trigger (0xFFFFFFFF) - XOR-obfuscated shellcode (generated with msfvenom) - NOP sled (0x90 padding) # Reproduce: [href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2026/CVE-2026-26111) # Demo: [href](https://www.patreon.com/posts/windows-rras-cve-153417054) # Time spent: 02:45:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ home page: https://www.asc3t1c-nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>