CVE-2025-29960 is a vulnerability classified under CWE-125 (Out-of-bounds Read) found in the Windows Routing and Remote Access Service (RRAS) component of Microsoft Windows 10 Version 1507 (build 10.0.10240.0). The flaw allows an attacker to remotely trigger an out-of-bounds read condition, enabling unauthorized disclosure of information over the network. The vulnerability does not require any privileges but does require user interaction, such as clicking a malicious link or opening a crafted network packet. The out-of-bounds read can leak sensitive memory contents, potentially exposing confidential data to attackers. The CVSS 3.1 base score is 6.5 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, but user interaction needed, and a high impact on confidentiality with no impact on integrity or availability. No public exploits are known at this time, and no patches have been released yet, though the vulnerability is officially published and tracked. RRAS is a service used to provide routing and remote access capabilities, often leveraged in VPN and dial-up networking scenarios. The vulnerability's presence in an older Windows 10 version suggests that systems not updated or upgraded remain at risk. The attack scope is limited to affected Windows 10 Version 1507 systems with RRAS enabled and reachable over the network. The vulnerability could be exploited by sending specially crafted network packets that cause the out-of-bounds read, leaking memory contents to the attacker.

For European organizations, the primary impact of CVE-2025-29960 is the potential unauthorized disclosure of sensitive information due to the out-of-bounds read in RRAS. This could lead to leakage of credentials, configuration data, or other confidential information that attackers can leverage for further attacks such as lateral movement or privilege escalation. Organizations relying on legacy Windows 10 systems, especially those still using Version 1507, are at higher risk. Sectors with extensive remote access infrastructure, such as government, finance, healthcare, and critical infrastructure, could face increased exposure. The confidentiality breach could undermine trust, cause regulatory compliance issues under GDPR, and result in financial or reputational damage. Since the vulnerability requires user interaction, phishing or social engineering campaigns could be used to trigger exploitation. The lack of integrity or availability impact means systems remain operational but compromised in confidentiality. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially if attackers develop weaponized exploits. The medium severity rating suggests that while serious, the threat is not critical, but still warrants prompt attention.

To mitigate CVE-2025-29960, European organizations should first identify and inventory all systems running Windows 10 Version 1507 with RRAS enabled. Where possible, disable RRAS if it is not essential to business operations to eliminate the attack surface. If RRAS is required, restrict network access to trusted sources using firewall rules and network segmentation to limit exposure. Educate users about the risks of interacting with unsolicited network prompts or links that could trigger the vulnerability. Monitor network traffic for unusual or malformed packets targeting RRAS services. Apply any security updates or patches released by Microsoft promptly once available, as no patch is currently provided. Consider upgrading affected systems to newer Windows 10 versions or Windows 11, which are less likely to be vulnerable. Employ endpoint detection and response (EDR) tools to detect anomalous behavior indicative of exploitation attempts. Finally, implement strong logging and alerting on RRAS activity to enable rapid incident response.