CVE-2025-24055 is a security vulnerability classified as CWE-125 (Out-of-bounds Read) found in the Windows USB Video Driver component of Microsoft Windows 10 Version 1809 (build 10.0.17763.0). This vulnerability allows an attacker with authorized access and physical proximity to the affected system to read memory outside the intended buffer boundaries. Such out-of-bounds reads can lead to disclosure of sensitive information residing in adjacent memory areas, potentially exposing confidential data. The vulnerability requires low privileges (PR:L) but no user interaction (UI:N), and the attack vector is physical (AV:P), meaning the attacker must have physical access to the device, such as connecting a malicious USB device or manipulating existing USB video hardware. The scope is unchanged (S:U), and the impact is high on confidentiality (C:H) but none on integrity (I:N) or availability (A:N). The CVSS v3.1 base score is 4.3, indicating medium severity. No known exploits have been reported in the wild, and no official patches have been released at the time of publication. The vulnerability was reserved in January 2025 and published in March 2025. Given the nature of the vulnerability, it primarily threatens environments where physical security is insufficient and legacy Windows 10 1809 systems remain in use, especially those utilizing USB video devices such as webcams or video capture hardware.

For European organizations, the impact of CVE-2025-24055 is primarily the potential unauthorized disclosure of sensitive information due to out-of-bounds memory reads. This could include exposure of confidential data processed or stored in memory buffers related to USB video devices. The requirement for physical access limits the attacker's ability to exploit this vulnerability remotely, reducing the risk for organizations with strong physical security controls. However, sectors with high-value targets such as government, defense, finance, and critical infrastructure could face significant risks if attackers gain physical access to devices running Windows 10 Version 1809. Legacy systems that have not been updated or replaced remain vulnerable, potentially exposing sensitive operational or personal data. The lack of impact on integrity and availability means the vulnerability does not allow system compromise or denial of service but still poses a confidentiality risk. The absence of known exploits reduces immediate threat levels but does not eliminate future exploitation possibilities. Organizations relying on USB video devices in sensitive environments should consider this vulnerability seriously, especially where physical device access cannot be fully controlled.

1. Upgrade or patch: Although no official patch is currently available, organizations should prioritize upgrading from Windows 10 Version 1809 to a supported and patched Windows version to eliminate this vulnerability. 2. Physical security: Strengthen physical access controls to prevent unauthorized individuals from connecting or manipulating USB devices on critical systems. 3. USB device control: Implement strict USB device management policies, including disabling unused USB ports, using endpoint security solutions to whitelist authorized USB devices, and monitoring USB device activity for anomalies. 4. Network segmentation: Isolate legacy systems with USB video devices in segmented network zones to limit exposure if physical access is compromised. 5. Incident response readiness: Prepare to detect and respond to suspicious activities involving USB devices, including memory forensics and monitoring for unusual data access patterns. 6. User awareness: Educate users and administrators about the risks of physical device tampering and encourage reporting of lost or suspicious hardware. 7. Inventory management: Maintain an accurate inventory of systems running Windows 10 Version 1809 and USB video hardware to identify and prioritize remediation efforts.