CVE-2025-21190 is a heap-based buffer overflow vulnerability classified under CWE-122, found in the Windows Telephony Service component of Microsoft Windows 10 Version 1507 (build 10.0.10240.0). The flaw allows remote attackers to trigger a buffer overflow condition by sending specially crafted requests to the Telephony Service, which handles telephony-related operations on the system. This overflow can corrupt memory on the heap, enabling attackers to execute arbitrary code in the context of the vulnerable service. The vulnerability does not require any privileges (PR:N) but does require user interaction (UI:R), such as the user initiating or accepting a telephony-related operation. The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component and does not extend beyond the affected system. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability (all rated high). No patches or exploit code are currently publicly available, but the vulnerability is considered critical due to the potential for remote code execution without privileges. The affected Windows 10 version is an early release (1507), which is largely out of mainstream support, increasing the risk for legacy systems still in operation. The vulnerability was reserved in December 2024 and published in February 2025, indicating recent discovery and disclosure.

If exploited, this vulnerability allows remote attackers to execute arbitrary code on affected Windows 10 Version 1507 systems without requiring user privileges, potentially leading to full system compromise. This includes unauthorized access to sensitive data, modification or deletion of critical files, installation of persistent malware, and disruption of system availability. Organizations relying on legacy Windows 10 installations, especially those using telephony services or exposing such services to untrusted networks, face significant risk. The requirement for user interaction somewhat limits automated exploitation but does not eliminate risk in environments where users may be tricked into initiating vulnerable operations. The lack of patches increases exposure duration, and attackers could develop exploits once details become widely known. This could impact enterprise environments, government agencies, and critical infrastructure sectors that have not upgraded from early Windows 10 versions.

1. Immediately restrict or disable the Windows Telephony Service on systems running Windows 10 Version 1507 if it is not essential. 2. Implement network-level controls such as firewall rules to block inbound traffic to telephony-related ports and services from untrusted sources. 3. Educate users to avoid interacting with unexpected telephony prompts or calls that could trigger the vulnerability. 4. Monitor network and endpoint logs for unusual telephony service activity or crashes that may indicate exploitation attempts. 5. Plan and execute an upgrade strategy to move affected systems off Windows 10 Version 1507 to supported and patched Windows versions. 6. Apply any security updates Microsoft releases addressing this vulnerability as soon as they become available. 7. Employ endpoint detection and response (EDR) solutions to detect anomalous behavior related to memory corruption or remote code execution attempts targeting telephony services.