CVE-2025-29960: CWE-125: Out-of-bounds Read in Microsoft Windows 10 Version 1809

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-29960, cve, cve-2025-29960, cwe-125
Published: Tue May 13 2025 (05/13/2025, 16:58:29 UTC)
Source: CVE
Vendor/Project: Microsoft
Product: Windows 10 Version 1809

Description

Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

AI-Powered Analysis

Last updated: 09/10/2025, 03:18:09 UTC

Technical Analysis

CVE-2025-29960 is a security vulnerability identified as an out-of-bounds read in the Windows Routing and Remote Access Service (RRAS) component of Microsoft Windows 10 Version 1809 (build 10.0.17763.0). This vulnerability is classified under CWE-125, indicating that it involves reading memory outside the intended buffer boundaries. The flaw allows an unauthorized attacker to remotely disclose sensitive information over the network without requiring any privileges or authentication, though user interaction is required to trigger the vulnerability.

The vulnerability has a CVSS v3.1 base score of 6.5, categorizing it as medium severity. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), but requires user interaction (UI:R). The scope is unchanged (S:U), and the impact is high on confidentiality (C:H), with no impact on integrity (I:N) or availability (A:N). This means an attacker can potentially read sensitive memory contents from the affected system remotely, which could lead to leakage of confidential information such as credentials, cryptographic keys, or other sensitive data residing in memory.

The vulnerability affects Windows 10 Version 1809, a legacy version of Windows 10, which is still in use in some environments. No public exploits are known at this time, and no patches have been linked yet, indicating that mitigation may rely on workarounds or limiting exposure until an official fix is released. The vulnerability was reserved in March 2025 and published in May 2025, reflecting recent discovery and disclosure.

Potential Impact

For European organizations, this vulnerability poses a significant risk to confidentiality, particularly for entities that still operate Windows 10 Version 1809 systems with RRAS enabled and exposed to untrusted networks. RRAS is often used to provide VPN and routing services, so organizations using this service for remote access could inadvertently expose sensitive internal information if exploited. The out-of-bounds read could allow attackers to extract sensitive data remotely, potentially leading to further attacks such as credential theft or lateral movement within networks. Given the medium severity and the requirement for user interaction, the risk is moderate but non-negligible, especially in sectors with high-value data such as finance, healthcare, government, and critical infrastructure. The lack of known exploits reduces immediate risk, but the presence of an unpatched vulnerability in a network-facing service means attackers could develop exploits in the near future. European organizations with legacy systems or insufficient patch management are particularly vulnerable. The confidentiality impact could lead to regulatory consequences under GDPR if personal data is leaked.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize the following actions:

1) Identify and inventory all systems running Windows 10 Version 1809, especially those with RRAS enabled and exposed to external or untrusted networks.
2) Disable RRAS on systems where it is not strictly necessary to reduce the attack surface.
3) If RRAS is required, restrict its exposure by implementing strict network segmentation and firewall rules to limit access only to trusted IP addresses and networks.
4) Apply any available security updates or patches from Microsoft as soon as they are released. Since no patches are currently linked, monitor Microsoft security advisories closely.
5) Employ network intrusion detection and prevention systems (IDS/IPS) to monitor for anomalous RRAS traffic that could indicate exploitation attempts.
6) Educate users about the requirement for user interaction in exploitation to reduce the risk of social engineering or phishing that could trigger the vulnerability.
7) Consider upgrading affected systems to a supported and fully patched version of Windows 10 or Windows 11 to eliminate exposure to this legacy vulnerability.
8) Conduct regular vulnerability assessments and penetration tests focusing on RRAS and remote access services to detect potential exploitation.
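An added example for the inventory and disable steps above (not part of the original advisory): a PowerShell function that reports, per host, whether the OS build matches 17763 and whether the RRAS service is installed, running, or set to start. The function name `Get-RrasExposure` and its output fields are illustrative; remote queries assume CIM/WinRM access to the target hosts.

```powershell
# Added example: inventory hosts for the build named on this page with RRAS enabled.
# Assumptions: build number 17763 is taken from the advisory text; 'RemoteAccess' is the
# Windows service name for Routing and Remote Access; function and field names are illustrative.
function Get-RrasExposure {
    [CmdletBinding()]
    param([string[]] $ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        # Query the local host directly; only remote hosts need -ComputerName (WinRM).
        $cim = @{ ErrorAction = 'Stop' }
        if ($computer -ne $env:COMPUTERNAME) { $cim.ComputerName = $computer }

        try {
            $os  = Get-CimInstance -ClassName Win32_OperatingSystem @cim
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteAccess'" @cim
        } catch {
            # Unreachable hosts stay in the report so they are not silently skipped.
            [pscustomobject]@{
                Computer = $computer; OS = $null; Build = $null
                RrasState = 'Unknown'; RrasStartMode = $null
                Action = "Query failed: $($_.Exception.Message)"
            }
            continue
        }

        $buildMatches = $os.BuildNumber -eq '17763'
        # RRAS counts as enabled if it is running now or can start (start mode not Disabled).
        $rrasEnabled  = $svc -and ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')

        $action = if (-not $buildMatches) { 'Build does not match 17763' }
                  elseif ($rrasEnabled)   { 'Review: disable RRAS or restrict network access' }
                  else                    { 'Build matches; RRAS absent or disabled' }

        [pscustomobject]@{
            Computer      = $computer
            OS            = $os.Caption
            Build         = $os.BuildNumber
            RrasState     = if ($svc) { $svc.State } else { 'NotInstalled' }
            RrasStartMode = if ($svc) { $svc.StartMode } else { $null }
            Action        = $action
        }
    }
}

# Local host by default; pass -ComputerName with a list of hosts for a fleet sweep.
Get-RrasExposure | Format-Table -AutoSize
```

Where a host is flagged and RRAS is not needed, `Stop-Service RemoteAccess` followed by `Set-Service RemoteAccess -StartupType Disabled` implements the disable step.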

Technical Details

Data Version: 5.1
Assigner Short Name: microsoft
Date Reserved: 2025-03-12T17:54:45.707Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f91484d88663aeb99d

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 9/10/2025, 3:18:09 AM

Last updated: 9/25/2025, 1:40:38 AM
