CVE-2025-24055 is a medium-severity vulnerability identified as an out-of-bounds read (CWE-125) in the Windows USB Video Driver component of Microsoft Windows 10 Version 1809 (build 10.0.17763.0). This vulnerability allows an authorized attacker with physical access to the affected system to read memory beyond the intended buffer boundaries. Specifically, the flaw exists in the USB Video Driver, which handles video input devices connected via USB. An out-of-bounds read can lead to the disclosure of sensitive information residing in adjacent memory areas, potentially exposing confidential data. The attack requires the attacker to have local privileges (PR:L) and physical access (AV:P), but does not require user interaction (UI:N). The vulnerability does not impact system integrity or availability but compromises confidentiality with a high impact on confidentiality (C:H), no impact on integrity (I:N), and no impact on availability (A:N). The CVSS v3.1 base score is 4.3, reflecting a medium severity level. There are no known exploits in the wild as of the publication date (March 11, 2025), and no patches have been linked yet. The vulnerability was reserved on January 16, 2025, and publicly disclosed in March 2025. Given the requirement for physical access and authorized privileges, exploitation scenarios are limited to attackers with direct access to targeted devices, such as insider threats or attackers with temporary physical access to devices in sensitive environments. The vulnerability affects only Windows 10 Version 1809, which is an older version of Windows 10, limiting the scope of affected systems to those not updated to newer versions or unsupported systems still in operation.

For European organizations, the impact of CVE-2025-24055 is primarily related to confidentiality breaches in environments where Windows 10 Version 1809 is still in use. Organizations with legacy systems or specialized equipment that cannot be upgraded easily may be vulnerable to information disclosure if an attacker gains physical access. This could be particularly concerning in sectors handling sensitive personal data (e.g., healthcare, finance, government) where data privacy regulations such as GDPR impose strict requirements on data protection. Although the vulnerability does not allow remote exploitation or system compromise, the risk of insider threats or physical theft leading to data leakage remains. The limited attack vector reduces the overall risk but does not eliminate it, especially in high-security environments where physical device security might be compromised. The lack of known exploits in the wild reduces immediate risk but organizations should remain vigilant. The vulnerability could also be leveraged as part of a multi-stage attack where physical access is combined with other techniques to escalate privileges or exfiltrate data.

To mitigate CVE-2025-24055, European organizations should prioritize the following actions: 1) Upgrade affected systems from Windows 10 Version 1809 to a supported and updated Windows version where this vulnerability is patched or does not exist. 2) Enforce strict physical security controls to prevent unauthorized physical access to devices, including secure storage, access logging, and surveillance in sensitive areas. 3) Limit user privileges to the minimum necessary to reduce the risk of authorized attackers exploiting the vulnerability. 4) Monitor and audit USB device usage and connections to detect anomalous or unauthorized devices that could be used to trigger the vulnerability. 5) Implement endpoint detection and response (EDR) solutions that can identify suspicious activity related to USB device drivers or memory access anomalies. 6) Educate employees and administrators about the risks of physical access attacks and the importance of device security. 7) If patching is not immediately possible, consider disabling or restricting USB video devices where feasible to reduce the attack surface. These measures go beyond generic advice by focusing on physical security, privilege management, and device control tailored to the specific nature of this vulnerability.