CVE-2025-29836 is a medium-severity vulnerability identified as an out-of-bounds read (CWE-125) in the Windows Routing and Remote Access Service (RRAS) component of Microsoft Windows 10 Version 1809 (build 10.0.17763.0). This vulnerability allows an unauthorized attacker to remotely trigger an out-of-bounds read condition by sending specially crafted network packets to a system running the affected RRAS service. The flaw results in the disclosure of sensitive information from memory, potentially leaking data that should remain confidential. The vulnerability does not allow code execution or system modification but compromises confidentiality by exposing information over the network. Exploitation requires no privileges (PR:N) but does require user interaction (UI:R), such as the user connecting to a malicious network or service. The attack vector is network-based (AV:N), making it remotely exploitable without physical access. The vulnerability scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. The CVSS v3.1 base score is 6.5, reflecting a medium severity level due to the high confidentiality impact but no integrity or availability impact. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in March 2025 and published in May 2025. This vulnerability is significant because RRAS is commonly used in enterprise environments to provide VPN, routing, and remote access capabilities, and an information disclosure flaw could aid attackers in reconnaissance or further attacks.

For European organizations, this vulnerability poses a risk primarily to confidentiality of sensitive information transmitted or processed by RRAS-enabled Windows 10 Version 1809 systems. Enterprises relying on RRAS for VPN or remote access services could have sensitive network configuration or user data exposed to attackers capable of network access. This could facilitate further targeted attacks, including credential theft or lateral movement within networks. The impact is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized data disclosure can lead to compliance violations and financial penalties. Additionally, organizations with legacy systems still running Windows 10 Version 1809 are at risk, as this version is no longer the latest and may not receive automatic updates. The lack of known exploits reduces immediate risk, but the presence of a publicly disclosed vulnerability increases the likelihood of future exploit development. The requirement for user interaction suggests that social engineering or phishing campaigns could be used to lure users into connecting to malicious networks, increasing the attack surface. Overall, the vulnerability could undermine trust in remote access infrastructure and expose sensitive organizational data if exploited.

European organizations should prioritize identifying and inventorying all systems running Windows 10 Version 1809 with RRAS enabled. Given the absence of an official patch, interim mitigations include disabling RRAS services on systems where remote access is not essential. For systems requiring RRAS, organizations should restrict network access to trusted sources using firewall rules and network segmentation to limit exposure. Employ network monitoring to detect anomalous RRAS traffic patterns indicative of exploitation attempts. Educate users about the risks of connecting to untrusted networks and implement strict policies to prevent connections to unknown or suspicious VPN endpoints. Consider upgrading affected systems to a supported Windows version with security updates, as Windows 10 Version 1809 is an older release with limited support. Additionally, apply defense-in-depth controls such as endpoint detection and response (EDR) solutions to detect suspicious memory access or information disclosure attempts. Maintain up-to-date backups and incident response plans tailored to potential information disclosure incidents. Finally, monitor Microsoft advisories for forthcoming patches and apply them promptly once available.