
CVE-2025-26664: CWE-126: Buffer Over-read in Microsoft Windows Server 2019

Medium
Tags: Vulnerability, CVE-2025-26664, CWE-126
Published: Tue Apr 08 2025 (04/08/2025, 17:23:05 UTC)
Source: CVE
Vendor/Project: Microsoft
Product: Windows Server 2019

Description

Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

AI-Powered Analysis

Last updated: 07/11/2025, 03:48:18 UTC

Technical Analysis

CVE-2025-26664 is a medium-severity vulnerability identified in Microsoft Windows Server 2019, specifically affecting version 10.0.17763.0. The vulnerability arises from a buffer over-read condition within the Windows Routing and Remote Access Service (RRAS). A buffer over-read occurs when a program reads more data than it should from a buffer, potentially exposing sensitive information stored in adjacent memory. In this case, an unauthorized attacker can exploit this flaw remotely over the network without requiring any privileges (PR:N) but does require user interaction (UI:R), such as convincing a user to initiate a connection or interaction that triggers the vulnerability. The attack vector is network-based (AV:N), and the vulnerability does not require authentication, increasing its risk profile. The impact is primarily on confidentiality (C:H), allowing attackers to disclose sensitive information, but it does not affect integrity or availability. The scope remains unchanged (S:U), meaning the vulnerability affects only the vulnerable component and does not propagate to other system components. The vulnerability is rated with a CVSS 3.1 base score of 6.5, reflecting a medium severity level. Currently, there are no known exploits in the wild, and no official patches have been linked or released yet. The vulnerability is categorized under CWE-126, which is a common weakness related to buffer over-read errors. Given the affected component, RRAS, which is used for routing and remote access services, this vulnerability could be exploited in environments where RRAS is enabled and exposed to untrusted networks, potentially leaking sensitive routing or network configuration data to attackers.

Potential Impact

For European organizations, the impact of CVE-2025-26664 can be significant, especially for enterprises and service providers relying on Windows Server 2019 with RRAS enabled for VPNs, remote access, or routing services. The unauthorized disclosure of sensitive information could lead to exposure of network topology, routing tables, or other confidential data that could facilitate further targeted attacks or reconnaissance by threat actors. This is particularly critical for sectors such as finance, government, telecommunications, and critical infrastructure where confidentiality of network configurations is paramount. Although the vulnerability does not allow direct system compromise or denial of service, the information disclosure could be leveraged in multi-stage attacks. The requirement for user interaction somewhat limits the attack surface but does not eliminate risk, especially in environments with remote users or partners connecting to RRAS services. The absence of known exploits in the wild provides a window for proactive mitigation, but organizations should act promptly to reduce exposure.

Mitigation Recommendations

European organizations should take the following specific steps to mitigate the risk posed by CVE-2025-26664:

1) Immediately audit and identify all Windows Server 2019 instances running RRAS, especially those exposed to untrusted networks or the internet.
2) Disable RRAS services on servers where it is not strictly required to reduce the attack surface.
3) For servers requiring RRAS, implement strict network segmentation and firewall rules to limit access only to trusted users and networks.
4) Educate users about the risks of interacting with unsolicited or suspicious network prompts that could trigger the vulnerability.
5) Monitor network traffic and logs for unusual RRAS activity or attempts to exploit this vulnerability.
6) Stay updated with Microsoft security advisories and apply patches or workarounds as soon as they become available.
7) Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures targeting RRAS anomalies.
8) Review and enforce strong authentication and access controls for remote access services to minimize the risk of exploitation via user interaction.
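The following PowerShell script is an added example (not part of this advisory or Microsoft's guidance) that carries out steps 1 and 2 above: it inventories a list of servers for the Remote Access role and the RemoteAccess service, flags hosts on the Windows Server 2019 build cited in the advisory, and disables the service only on hosts an administrator has explicitly listed as not needing it. The server names are placeholders, and it assumes WinRM remoting and local administrator rights on the targets.

```powershell
# Added example: audit RRAS exposure across Windows Server 2019 hosts (CVE-2025-26664).
# Placeholder server names; replace with your own inventory.
$Servers       = @('SRV-RRAS-01', 'SRV-RRAS-02')
$AffectedBuild = '10.0.17763'   # Windows Server 2019 build named in the advisory

# Step 1: collect OS build, role installation state and service state from each host.
$Report = Invoke-Command -ComputerName $Servers -ScriptBlock {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $svc  = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    # Remote Access role and its RRAS-related role services (ServerManager module).
    $feat = Get-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        OSVersion     = $os.Version
        RoleInstalled = [bool]($feat | Where-Object { $_.Installed })
        RRASState     = if ($svc) { $svc.Status.ToString() }    else { 'NotPresent' }
        RRASStartType = if ($svc) { $svc.StartType.ToString() } else { 'NotPresent' }
    }
}

# Hosts that are both on the affected build and have RRAS installed need attention first.
$Exposed = $Report | Where-Object {
    $_.OSVersion -like "$AffectedBuild*" -and $_.RoleInstalled
}
$Exposed | Format-Table Server, OSVersion, RRASState, RRASStartType -AutoSize

# Step 2: stop and disable the service where RRAS is confirmed to be unnecessary.
# Populate this list only after reviewing the report; it is a placeholder here.
$NotNeeded = @('SRV-RRAS-02')
if ($NotNeeded.Count -gt 0) {
    Invoke-Command -ComputerName $NotNeeded -ScriptBlock {
        Stop-Service -Name RemoteAccess -Force -ErrorAction SilentlyContinue
        Set-Service  -Name RemoteAccess -StartupType Disabled
        Get-Service  -Name RemoteAccess | Select-Object MachineName, Status, StartType
    }
}
```

Hosts that remain in the exposed set after this pass are the ones to cover with the segmentation, firewall and monitoring steps that follow.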


Technical Details

Data Version: 5.1
Assigner Short Name: microsoft
Date Reserved: 2025-02-12T22:35:41.548Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f91484d88663aebb3c

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/11/2025, 3:48:18 AM

Last updated: 8/18/2025, 11:32:25 PM
