
CVE-2025-29958: CWE-908: Use of Uninitialized Resource in Microsoft Windows 10 Version 1809

Severity: Medium
Tags: Vulnerability, CVE-2025-29958, CWE-908
Published: Tue May 13 2025 (05/13/2025, 16:59:06 UTC)
Source: CVE
Vendor/Project: Microsoft
Product: Windows 10 Version 1809

Description

Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

AI-Powered Analysis

Last updated: 09/10/2025, 03:17:33 UTC

Technical Analysis

CVE-2025-29958 is an information-disclosure vulnerability in the Windows Routing and Remote Access Service (RRAS) on Windows 10 Version 1809. It is classified as CWE-908 (Use of Uninitialized Resource): RRAS reads from memory it has not initialized, so whatever that memory held from earlier use can be returned to a remote peer in place of the intended contents. This is the classic mechanism by which an uninitialized-resource bug becomes an information leak rather than a crash.

The CVSS v3.1 base score is 6.5 (Medium): network attack vector (AV:N), no privileges required (PR:N), user interaction required (UI:R). The UI:R metric matters for triage. This is not a fire-and-forget request against a listening service; a user or administrator must take some action, most plausibly initiating or accepting an RRAS connection that then processes attacker-controlled data. The record does not state which end of the connection is affected. The impact is confidentiality only (C:H), with no integrity or availability impact (I:N, A:N), and scope is unchanged (S:U), so the disclosure is confined to the RRAS component itself.

No exploitation in the wild was known at publication, and no patch links are attached to this record. What leaks is whatever the uninitialized memory happens to contain; depending on the allocation that may be network configuration details or other RRAS state, which would support reconnaissance for follow-on attacks. Because RRAS commonly provides VPN and routing services, the exposed data could describe internal topology or remote-access sessions.

Potential Impact

For European organizations, the risk is to the confidentiality of network data on Windows 10 Version 1809 systems that run RRAS for remote access or routing. Finance, government, healthcare and critical-infrastructure entities that still rely on RRAS for VPN or remote connectivity could expose internal network details, which helps an attacker map the environment and plan subsequent targeted attacks. Because the vulnerability requires user interaction, phishing or social-engineering campaigns are the likely delivery mechanism for getting a user or administrator to perform the triggering action. The absence of integrity and availability impact means no direct service disruption or data manipulation, but a confidentiality breach alone can carry compliance and operational consequences under European data-protection rules such as GDPR. Many European organizations still operate legacy Windows 10 builds, which keeps this issue relevant. No exploits were known in the wild at the time of analysis, so immediate risk is limited, but the medium severity and network attack vector justify proactive mitigation.

Mitigation Recommendations

European organizations should apply the vendor update for this CVE to affected Windows 10 Version 1809 systems running RRAS as soon as it is available in their update channel, and plan migration off 1809 to a Windows release that still receives security updates. In the interim, the strongest measure is to disable RRAS wherever it is not required, since the flaw lives in the RRAS component itself; where RRAS is needed, limit its network exposure with firewall rules and segmentation so that only expected peers can reach it. Note the caveat implied by UI:R: if the affected path involves a user or administrator initiating an RRAS connection, inbound filtering alone does not close it, so user-awareness guidance on unexpected VPN or remote-access prompts and links remains relevant. Audit the estate to identify every Windows 10 Version 1809 host with the RRAS (RemoteAccess) service enabled or listening, and keep that inventory current. Monitoring should focus on what is observable: unexpected RRAS listeners, RRAS connections to or from unfamiliar endpoints, and changes to RRAS configuration; a generic intrusion-detection signature for a leak of uninitialized memory is unlikely to exist, so treat NIDS as a supplement to asset inventory rather than a primary control. Strict access controls on remote-access services and defense in depth reduce the overall exposure until the update is deployed.
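The audit and interim-mitigation steps above can be scripted. The following PowerShell is an added example written for this page, not code from Microsoft or from the CVE record. It assumes that Windows 10 Version 1809 corresponds to build 17763, that RRAS runs as the "RemoteAccess" service, and that the default RRAS transport ports are in use (PPTP 1723/tcp, L2TP/IPsec 1701, 500 and 4500/udp, SSTP 443/tcp); the `-Mitigate` switch is a hypothetical name chosen for this example.

```powershell
# Added example: inventory a host for the conditions described in this advisory
# and, optionally, apply the interim mitigations (disable RRAS, block transports).
# Run elevated. Assumptions are labelled inline.
[CmdletBinding()]
param(
    [switch]$Mitigate   # hypothetical switch: when set, disable RRAS and add block rules
)

# Assumption: Windows 10 Version 1809 reports build number 17763.
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$is1809 = ($os.BuildNumber -eq '17763')

# Assumption: RRAS is the "RemoteAccess" service. Absent on hosts without the feature.
$svc         = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$rrasPresent = $null -ne $svc
$rrasActive  = $rrasPresent -and ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled')

# Assumption: default RRAS transport ports. 443/tcp is only reported, not blocked,
# because it is usually shared with other services on the same host.
$tcpReportPorts = 1723, 443
$tcpBlockPorts  = 1723
$udpPorts       = 1701, 500, 4500

$tcpListeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $tcpReportPorts -contains $_.LocalPort })
$udpEndpoints = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $udpPorts -contains $_.LocalPort })

# One record per host; pipe to Export-Csv when running across the estate.
$report = [pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    OS           = $os.Caption
    Build        = $os.BuildNumber
    Is1809       = $is1809
    RrasService  = if ($rrasPresent) { "$($svc.Status)/$($svc.StartType)" } else { 'absent' }
    RrasActive   = $rrasActive
    TcpListeners = (($tcpListeners.LocalPort | Sort-Object -Unique) -join ',')
    UdpEndpoints = (($udpEndpoints.LocalPort | Sort-Object -Unique) -join ',')
    AtRisk       = ($is1809 -and $rrasActive)
}
$report | Format-List

if ($Mitigate -and $rrasPresent) {
    # Interim mitigation 1: stop and disable RRAS where it is not required.
    Stop-Service -Name RemoteAccess -Force -ErrorAction SilentlyContinue
    Set-Service  -Name RemoteAccess -StartupType Disabled

    # Interim mitigation 2: block inbound RRAS transports at the host firewall.
    # These rules reduce exposure of a listening RRAS; they do not cover a
    # user-initiated outbound connection, which the UI:R metric may imply.
    New-NetFirewallRule -DisplayName 'Block RRAS PPTP inbound (CVE-2025-29958 interim)' `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort $tcpBlockPorts | Out-Null
    New-NetFirewallRule -DisplayName 'Block RRAS L2TP/IPsec inbound (CVE-2025-29958 interim)' `
        -Direction Inbound -Action Block -Protocol UDP -LocalPort $udpPorts | Out-Null
}
```

Run it without `-Mitigate` first to build the inventory (the `AtRisk` field is true only for a build-17763 host whose RemoteAccess service is running or enabled), then re-run with `-Mitigate` on hosts where RRAS is confirmed unnecessary. Hosts that legitimately provide VPN service should keep RRAS running and instead receive the vendor update plus peer-scoped firewall rules, not the blanket block rules above.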


Technical Details

Data Version: 5.1
Assigner Short Name: microsoft
Date Reserved: 2025-03-12T17:54:45.707Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f91484d88663aeb98e

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 9/10/2025, 3:17:33 AM

Last updated: 10/7/2025, 1:46:37 PM
