CVE-2025-24055 is a security vulnerability classified as CWE-125 (Out-of-bounds Read) found in the Windows USB Video Driver component of Microsoft Windows 10 Version 1507 (build 10.0.10240.0). This vulnerability arises when the driver improperly handles memory boundaries during USB video device interactions, allowing an attacker with authorized access and physical proximity to the device to read memory outside the intended buffer. This out-of-bounds read can lead to disclosure of sensitive information residing in adjacent memory areas, potentially exposing confidential data. The attack vector requires physical access to the machine and low-level privileges but does not require user interaction, making it a local attack with limited scope. The vulnerability does not affect system integrity or availability, focusing solely on confidentiality. The CVSS v3.1 base score is 4.3, indicating medium severity, with attack vector marked as physical (AV:P), low attack complexity (AC:L), and privileges required as low (PR:L). No patches or known exploits have been reported yet, but the vulnerability is publicly disclosed and documented by Microsoft. Since Windows 10 Version 1507 is an early release version, it is largely outdated and unsupported, meaning many systems should have been upgraded, but legacy or isolated systems may still be vulnerable. The vulnerability highlights the importance of maintaining updated drivers and operating systems, as well as enforcing physical security to prevent unauthorized access to devices.

The primary impact of CVE-2025-24055 is unauthorized disclosure of sensitive information due to an out-of-bounds read in the USB Video Driver. For European organizations, this could lead to leakage of confidential data if attackers gain physical access to vulnerable machines. The impact is limited to confidentiality, with no direct effect on system integrity or availability. Organizations with legacy Windows 10 Version 1507 systems, especially in environments where physical security is less stringent (e.g., public kiosks, shared workstations, or remote offices), are at higher risk. The vulnerability could be exploited to gather information useful for further attacks or espionage. However, the requirement for physical access and low privileges reduces the likelihood of widespread exploitation. European sectors with high-value intellectual property or sensitive personal data, such as finance, healthcare, and government, should be particularly cautious. The medium severity rating reflects these factors, indicating a moderate but non-critical risk.

1. Upgrade all Windows 10 Version 1507 systems to the latest supported Windows 10 or Windows 11 versions to ensure the USB Video Driver and other components are patched against this and similar vulnerabilities. 2. Implement strict physical security controls to prevent unauthorized physical access to devices, including secure office environments, locked server rooms, and controlled access to endpoints. 3. Disable or restrict USB video devices on systems where they are not required, using group policies or device management tools to reduce the attack surface. 4. Monitor and audit physical access logs and endpoint device usage to detect any unauthorized attempts to access or connect USB video devices. 5. Employ endpoint detection and response (EDR) solutions to identify unusual device interactions or memory access patterns that could indicate exploitation attempts. 6. Educate staff about the risks of physical device access and enforce policies that prohibit unauthorized hardware connections. 7. For legacy systems that cannot be upgraded immediately, consider network segmentation and isolation to limit exposure and potential data leakage.