CVE-2025-29958 is a vulnerability classified under CWE-908 (Use of Uninitialized Resource) affecting Microsoft Windows 10 Version 1507 (build 10240). The flaw exists within the Routing and Remote Access Service (RRAS), a component responsible for network routing and VPN services. Specifically, the vulnerability arises because RRAS uses a resource that has not been properly initialized before use, which can lead to unintended disclosure of sensitive information over the network. An attacker without privileges (PR:N) can exploit this remotely (AV:N) but requires user interaction (UI:R), such as convincing a user to initiate a connection or perform an action that triggers the vulnerable code path. The vulnerability impacts confidentiality (C:H) but does not affect integrity or availability. The CVSS v3.1 base score is 6.5, indicating a medium severity level. No public exploits or patches are currently available, but the vulnerability has been officially published and reserved by Microsoft. The flaw is particularly relevant to environments that still operate the original Windows 10 release version, which is now outdated and out of mainstream support. RRAS is often used in enterprise environments for VPN and routing, so the vulnerability could expose sensitive network information if exploited.

For European organizations, the primary impact is the potential unauthorized disclosure of sensitive information transmitted or processed by RRAS on Windows 10 Version 1507 systems. This could include network configuration details, routing information, or potentially sensitive VPN-related data. Such leakage could aid attackers in reconnaissance or further attacks, especially in critical infrastructure, government, or financial sectors where RRAS might be deployed. Although the vulnerability does not allow code execution or system compromise directly, the confidentiality breach could lead to secondary attacks. The requirement for user interaction reduces the likelihood of widespread automated exploitation but does not eliminate risk in targeted attacks. Organizations still running legacy Windows 10 systems, particularly in industrial control systems or legacy IT environments, are at higher risk. The absence of known exploits limits immediate impact but also underscores the importance of proactive mitigation.

1. Upgrade affected systems from Windows 10 Version 1507 to a supported and patched Windows version, as this early build is no longer supported and contains multiple known vulnerabilities. 2. If upgrading is not immediately possible, disable the Routing and Remote Access Service (RRAS) if it is not essential to business operations to eliminate the attack surface. 3. Implement network segmentation and strict firewall rules to limit exposure of RRAS services to untrusted networks. 4. Educate users about social engineering risks since exploitation requires user interaction. 5. Monitor network traffic for unusual patterns or unauthorized access attempts to RRAS services. 6. Stay alert for official patches or advisories from Microsoft and apply them promptly once available. 7. Conduct vulnerability assessments focusing on legacy systems and services to identify and remediate similar risks.