CVE-2025-26667: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Microsoft Windows Server 2019

Medium
Tags: Vulnerability, CVE-2025-26667, cve, cwe-200
Published: Tue Apr 08 2025 (04/08/2025, 17:23:09 UTC)
Source: CVE
Vendor/Project: Microsoft
Product: Windows Server 2019

Description

Exposure of sensitive information to an unauthorized actor in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

AI-Powered Analysis

Last updated: 07/11/2025, 03:48:50 UTC

Technical Analysis

CVE-2025-26667 is a vulnerability identified in Microsoft Windows Server 2019, specifically affecting the Routing and Remote Access Service (RRAS). This vulnerability is classified under CWE-200, which pertains to the exposure of sensitive information to unauthorized actors. The flaw allows an attacker to disclose sensitive information over the network without requiring any privileges or authentication, though user interaction is necessary to trigger the information disclosure. The CVSS v3.1 base score for this vulnerability is 6.5, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), but requires user interaction (UI:R). The scope is unchanged (S:U), and the impact is high on confidentiality (C:H), with no impact on integrity or availability (I:N, A:N). This means that an attacker can potentially intercept or access sensitive data transmitted or handled by RRAS, which could include routing configurations, network topology information, or other sensitive network data. However, the vulnerability does not allow modification or disruption of services. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in February 2025 and published in April 2025, indicating it is a recent discovery. RRAS is a critical component in Windows Server environments for managing VPNs, dial-up connections, and routing protocols, making this vulnerability relevant for organizations relying on these services for remote access and network management.

Potential Impact

For European organizations, the exposure of sensitive information through RRAS on Windows Server 2019 can have significant repercussions. Many enterprises, government agencies, and critical infrastructure providers in Europe utilize Windows Server 2019 for their network services, including VPN and remote access solutions. The unauthorized disclosure of sensitive network configuration or routing information could facilitate further targeted attacks, such as network reconnaissance, lateral movement, or exploitation of other vulnerabilities. This is particularly concerning for sectors with stringent data protection requirements under GDPR, as leakage of sensitive information could lead to compliance violations and reputational damage. Additionally, organizations involved in critical infrastructure, finance, healthcare, and government operations could face increased risk if attackers leverage disclosed information to plan more sophisticated attacks. Although the vulnerability does not directly allow service disruption or data modification, the confidentiality breach alone can undermine network security posture and trust.

Mitigation Recommendations

Given the absence of an official patch at the time of this report, European organizations should implement several specific mitigations:

1) Restrict RRAS exposure by limiting network access to RRAS services using network segmentation and firewall rules, allowing only trusted IP addresses and VPN clients to connect.
2) Monitor RRAS logs and network traffic for unusual or unauthorized access attempts that could indicate exploitation attempts.
3) Employ network-level encryption and secure authentication mechanisms for remote access to reduce the risk of data interception.
4) Disable RRAS services if not required, or consider alternative VPN and routing solutions with a stronger security track record.
5) Prepare for rapid deployment of patches once released by Microsoft by maintaining an up-to-date asset inventory and patch management process.
6) Conduct regular security assessments and penetration testing focused on RRAS and remote access infrastructure to identify and remediate potential weaknesses.
7) Educate users about the risks of interacting with unsolicited network prompts or connections that could trigger the vulnerability.
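The following PowerShell script is an added example, not part of the advisory or any Microsoft tooling, that applies mitigations 1, 2 and 4 above on a Windows Server 2019 host: it reports whether the RRAS role and service are present, scopes the built-in inbound "Routing and Remote Access" firewall rules to an allow-list of trusted ranges, and pulls recent RRAS events for review. The trusted ranges are constructed placeholders, and the built-in firewall group name and the `RemoteAccess` event provider are assumed to be present as on a default installation.

```powershell
# Added example (not from the advisory): audit and constrain RRAS exposure on
# Windows Server 2019. Run from an elevated PowerShell session.
# Assumption: the ranges below are constructed placeholders; replace them with
# the VPN client and peer ranges your environment actually trusts.
$TrustedRanges = @('203.0.113.0/24', '10.20.0.0/16')

# Mitigation 4: establish whether the role is even needed. If it is not,
# remove it (Uninstall-WindowsFeature -Name RemoteAccess) instead of hardening it.
$feature = Get-WindowsFeature -Name RemoteAccess
$svc     = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
"RemoteAccess role installed : $($feature.Installed)"
"RemoteAccess service status : $($svc.Status)"

# Mitigation 1: the default RRAS inbound rules (PPTP, L2TP, GRE) accept any
# remote address. Restrict them to the trusted ranges rather than deleting them,
# so legitimate clients keep working. Assumption: the built-in display group
# is named 'Routing and Remote Access', as on a default installation.
$rules = Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' `
            -Direction Inbound -ErrorAction SilentlyContinue
if (-not $rules) {
    "No built-in RRAS firewall rules found; check for custom rules before proceeding."
}
foreach ($r in $rules) {
    $r | Set-NetFirewallRule -RemoteAddress $TrustedRanges
    "Scoped '$($r.DisplayName)' to: $($TrustedRanges -join ', ')"
}

# If SSTP (TCP/443) is served by this host, give it its own allow-listed rule
# and make sure no broader 443 rule remains open on the same interface.
# New-NetFirewallRule -DisplayName 'RRAS SSTP (trusted ranges only)' `
#     -Direction Inbound -Protocol TCP -LocalPort 443 `
#     -RemoteAddress $TrustedRanges -Action Allow

# Mitigation 2: surface the last 24 hours of RRAS events from the System log
# (provider 'RemoteAccess') so unexpected connection attempts can be reviewed.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RemoteAccess'; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

Run the script again after Microsoft publishes a fix to confirm the scoped rules survived the update, and add the relevant KB number to your patch-management tracking once it is known.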

Technical Details

Data Version
5.1
Assigner Short Name
microsoft
Date Reserved
2025-02-12T22:35:41.548Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0f91484d88663aebb4d

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/11/2025, 3:48:50 AM

Last updated: 8/12/2025, 5:49:14 AM
