CVE-2025-21201 is a remote code execution vulnerability identified in the Windows Telephony Server component of Microsoft Windows 10 Version 1809 (build 10.0.17763.0). The root cause is a double free error (CWE-415), where the system attempts to free the same memory location twice, leading to memory corruption. This flaw can be exploited remotely over the network without requiring prior authentication, although user interaction is necessary to trigger the vulnerability. The exploitation could allow an attacker to execute arbitrary code in the context of the affected service, potentially leading to full system compromise. The vulnerability affects confidentiality, integrity, and availability, as arbitrary code execution can lead to data theft, system manipulation, or denial of service. The CVSS v3.1 base score is 8.8, indicating high severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No public exploits or patches have been reported at the time of publication. Organizations running Windows 10 1809 should prioritize patching once updates are released and consider mitigating exposure by limiting network access to the Telephony Server service.

For European organizations, this vulnerability poses a significant risk especially to those still operating legacy Windows 10 Version 1809 systems. Successful exploitation could lead to remote code execution, enabling attackers to gain control over affected machines, steal sensitive data, disrupt services, or move laterally within networks. Critical sectors such as telecommunications, government, finance, and healthcare could face severe operational disruptions and data breaches. The requirement for user interaction slightly reduces the risk of automated mass exploitation but does not eliminate targeted attacks. The lack of known exploits in the wild currently limits immediate impact, but the high severity score and remote attack vector necessitate urgent attention. Organizations with remote telephony services or exposed Windows 10 1809 endpoints are particularly vulnerable. Failure to address this vulnerability could result in compliance violations under GDPR due to potential data breaches.

1. Monitor Microsoft security advisories closely and apply official patches for Windows 10 Version 1809 as soon as they become available. 2. Until patches are released, restrict network access to the Telephony Server service by implementing firewall rules to limit inbound connections only to trusted hosts and networks. 3. Disable or uninstall the Telephony Server component if it is not required in the environment to reduce the attack surface. 4. Educate users about the risks of interacting with unsolicited communications that could trigger the vulnerability. 5. Employ endpoint detection and response (EDR) solutions to monitor for suspicious activity related to memory corruption or unusual Telephony Server behavior. 6. Conduct network segmentation to isolate legacy systems running Windows 10 1809 from critical infrastructure. 7. Regularly audit systems to identify and upgrade any remaining Windows 10 1809 installations to supported versions with ongoing security updates.