
CVE-2025-21301: CWE-284: Improper Access Control in Microsoft Windows 10 Version 1809

Medium
Tags: Vulnerability, CVE-2025-21301, cve, cwe-284
Published: Tue Jan 14 2025 (01/14/2025, 18:03:52 UTC)
Source: CVE Database V5
Vendor/Project: Microsoft
Product: Windows 10 Version 1809

Description

Windows Geolocation Service Information Disclosure Vulnerability

AI-Powered Analysis

AI analysis last updated: 09/10/2025, 01:07:11 UTC

Technical Analysis

CVE-2025-21301 is a medium severity vulnerability in the Windows Geolocation Service (service name lfsvc) of Microsoft Windows 10 Version 1809 (build 10.0.17763.0). It is classified under CWE-284, Improper Access Control: a caller with low privileges can obtain geolocation information that the service should withhold from it. No user interaction is required.

The CVSS 3.1 base score is 6.5, derived from a network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. Unchanged scope means the effect is confined to the security authority of the vulnerable component: the attacker obtains location data but gains no control over other components.

No exploitation in the wild has been reported, and this record links no patch reference. As described, the flaw could be triggered over the network by an authenticated low-privilege attacker, or locally by malware already running with limited privileges, to extract location data from affected systems. The resulting exposure supports privacy breaches, targeted surveillance, and reconnaissance for follow-on attacks.

Potential Impact

For European organizations, this vulnerability poses a significant privacy risk, especially for entities handling sensitive or regulated personal data, such as those in finance, healthcare, or government sectors. Unauthorized disclosure of geolocation data can violate GDPR requirements concerning personal data protection and lead to regulatory penalties. Attackers could also use location information to profile users, conduct targeted phishing campaigns, or facilitate physical security threats. Organizations still running Windows 10 Version 1809 (in practice, Enterprise LTSC 2019 and IoT Enterprise LTSC 2019 deployments in operational environments, which share the 17763 build) face the corresponding data leakage risk. Although the vulnerability does not allow system compromise or denial of service, the confidentiality breach alone can undermine trust and compliance efforts. The impact is more pronounced in sectors with strict data privacy mandates and where geolocation data is critical to operational security.

Mitigation Recommendations

This record links no patch reference, so first check the Microsoft Security Update Guide entry for CVE-2025-21301 and deploy the update it lists for your servicing branch. The following are compensating controls for the interval before that update is deployed and for hosts that cannot take it:

1) Restrict access to the Windows Geolocation Service by applying strict access control policies and limiting privileges to trusted users and processes only.
2) Employ application whitelisting and endpoint protection to prevent unauthorized code from running with the low privileges this vulnerability requires.
3) Monitor and audit access to the geolocation service to detect unusual or unauthorized access patterns, including unexpected changes to its startup type or to the location policy settings.
4) Where feasible, disable the Windows Geolocation Service on systems that do not require location functionality, particularly on sensitive or high-risk endpoints.
5) Note that only Windows 10 Enterprise LTSC 2019 and IoT Enterprise LTSC 2019 (build 17763) still receive security updates for the 1809 branch; any other Windows 10 1809 edition is out of support and should be moved to a supported Windows release.
6) Educate users and administrators about the risks of privilege misuse and the importance of maintaining least privilege principles.
7) Prepare incident response plans to handle potential data disclosure events involving location data.
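The inventory and hardening steps above (build check, service restriction, policy enforcement, and a re-check to confirm the change held) can be scripted for a fleet. The following PowerShell is an added example, not code from the original record or from Microsoft. It assumes an elevated session on the target host, and, because this page gives no KB number for the fixing update, it lists the most recent installed updates for the administrator to compare against the Security Update Guide rather than testing for a specific KB.

```powershell
# Added example: assess exposure to CVE-2025-21301 on a Windows 10 host and,
# where the host has no business need for location data, harden the Windows
# Geolocation Service (service name lfsvc). Not part of the original record.

#Requires -RunAsAdministrator

# GPO "Turn off location" and the per-app location consent store.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
$ConsentKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location'

function Get-GeolocationExposure {
    # Returns one object describing build, service state, and location policy.
    $nt      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $svc     = Get-Service -Name lfsvc -ErrorAction SilentlyContinue
    $policy  = Get-ItemProperty $PolicyKey  -ErrorAction SilentlyContinue
    $consent = Get-ItemProperty $ConsentKey -ErrorAction SilentlyContinue

    $status = 'NotInstalled'; $start = 'NotInstalled'
    if ($svc) { $status = [string]$svc.Status; $start = [string]$svc.StartType }

    # Newest installed updates first; compare HotFixID with the KB listed in
    # the Security Update Guide for CVE-2025-21301 (assumption: KB not on this page).
    $recent = Get-HotFix |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 3 -ExpandProperty HotFixID

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CurrentBuild      = "$($nt.CurrentBuild).$($nt.UBR)"   # 17763.x on the 1809 branch
        Is1809Branch      = ($nt.CurrentBuild -eq '17763')
        ServiceStatus     = $status                            # Running / Stopped
        ServiceStartType  = $start                             # Manual / Disabled
        LocationPolicyOff = ($policy.DisableLocation -eq 1)    # GPO "Turn off location" enforced
        AppLocationAccess = $consent.Value                     # Allow / Deny
        RecentUpdates     = ($recent -join ', ')
    }
}

function Test-GeolocationHardened {
    # True only when the service cannot start, the policy is enforced, and apps are denied.
    $e = Get-GeolocationExposure
    return ($e.ServiceStartType -eq 'Disabled') -and $e.LocationPolicyOff -and ($e.AppLocationAccess -eq 'Deny')
}

function Disable-GeolocationService {
    # Hardening for hosts that do not need location: stop and disable lfsvc,
    # enforce "Turn off location", and deny location access to applications.
    Stop-Service -Name lfsvc -Force -ErrorAction SilentlyContinue
    Set-Service  -Name lfsvc -StartupType Disabled

    foreach ($key in $PolicyKey, $ConsentKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    New-ItemProperty -Path $PolicyKey  -Name DisableLocation -PropertyType DWord  -Value 1      -Force | Out-Null
    New-ItemProperty -Path $ConsentKey -Name Value           -PropertyType String -Value 'Deny' -Force | Out-Null
}

# Usage: inventory every host first; run Disable-GeolocationService only on
# hosts with no business need for location, then confirm with Test-GeolocationHardened.
Get-GeolocationExposure | Format-List
```

Run Get-GeolocationExposure across the estate (for example through Invoke-Command) before changing anything, and treat any host that later reports ServiceStartType other than Disabled or LocationPolicyOff equal to False as a drift event worth alerting on. Disabling lfsvc also stops features that depend on it, such as automatic time zone selection and any line-of-business application using the Windows location API, so exempt those hosts rather than hardening blindly.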


Technical Details

Data Version
5.1
Assigner Short Name
microsoft
Date Reserved
2024-12-10T23:54:12.950Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68c0bd509ed239a66badeb79

Added to database: 9/9/2025, 11:50:40 PM

Last enriched: 9/10/2025, 1:07:11 AM

Last updated: 9/10/2025, 4:46:13 AM

