CVE-2025-29830 is a vulnerability classified under CWE-908 (Use of Uninitialized Resource) found in Microsoft Windows 10 Version 1507 (build 10.0.10240.0). The flaw exists within the Routing and Remote Access Service (RRAS), a component that provides routing and VPN services. The vulnerability arises because RRAS uses a resource that is not properly initialized before use, which can lead to the disclosure of sensitive information over a network. An attacker without any privileges can exploit this vulnerability remotely, but user interaction is required, such as convincing a user to connect to a malicious network or service. The CVSS v3.1 score is 6.5 (medium), reflecting the network attack vector, low attack complexity, no privileges required, but requiring user interaction. The impact is primarily confidentiality loss, with no effect on integrity or availability. No patches or exploits are currently reported, but the vulnerability is publicly disclosed and could be targeted in the future. Since Windows 10 Version 1507 is an early release version, it is largely out of support, increasing the risk for systems that have not been upgraded. RRAS is often used in enterprise environments for VPN and routing, so affected systems could expose sensitive routing or network configuration data if exploited.

For European organizations, the primary impact is the potential unauthorized disclosure of sensitive network information, which could facilitate further attacks such as network reconnaissance or targeted intrusions. Organizations relying on legacy Windows 10 Version 1507 systems with RRAS enabled are at risk, especially if these systems are exposed to untrusted networks or users. This vulnerability could compromise confidentiality of internal network topology or routing data, potentially aiding attackers in lateral movement or data exfiltration. Critical infrastructure sectors, government agencies, and enterprises using RRAS for VPN services may face increased risk. However, the requirement for user interaction and the absence of known exploits reduce immediate widespread impact. The lack of integrity or availability impact limits the scope to information disclosure only. Organizations that have migrated to supported Windows versions or disabled RRAS are not affected.

1. Upgrade all Windows 10 systems from Version 1507 (build 10.0.10240.0) to a supported and patched version of Windows 10 or later to ensure this and other vulnerabilities are addressed. 2. If RRAS is not required, disable the Routing and Remote Access Service entirely to eliminate the attack surface. 3. For systems that must use RRAS, restrict network exposure by limiting RRAS services to trusted networks only and enforce strong network segmentation. 4. Educate users to avoid connecting to untrusted networks or services that could trigger the user interaction needed for exploitation. 5. Monitor network traffic for unusual or unauthorized RRAS activity that could indicate exploitation attempts. 6. Implement network-level protections such as firewalls and intrusion detection systems to detect and block suspicious RRAS traffic. 7. Maintain an asset inventory to identify any legacy systems still running Windows 10 Version 1507 and prioritize their upgrade or isolation.