CVE-2025-29961 is a medium-severity vulnerability classified as CWE-125 (Out-of-bounds Read) found in the Windows Routing and Remote Access Service (RRAS) component of Microsoft Windows 10 Version 1507 (build 10.0.10240.0). The vulnerability arises due to improper bounds checking in RRAS, which allows an attacker to send specially crafted network packets that cause the service to read memory outside the intended buffer boundaries. This out-of-bounds read can lead to unauthorized disclosure of sensitive information over the network. The attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R), such as the user initiating a connection or interaction with the RRAS service. The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. The confidentiality impact is high (C:H), while integrity and availability impacts are none (I:N, A:N). The vulnerability was reserved in March 2025 and published in May 2025, with no known exploits in the wild and no patches currently available. RRAS is commonly used for VPN and routing services, so systems running legacy Windows 10 with RRAS enabled are vulnerable to information leakage attacks that could expose sensitive data to remote attackers.

For European organizations, the primary impact of CVE-2025-29961 is the potential unauthorized disclosure of sensitive information via the RRAS service on legacy Windows 10 Version 1507 systems. This could include internal network details, configuration data, or other memory-resident sensitive information that attackers can leverage for further attacks or espionage. Organizations in sectors such as government, critical infrastructure, telecommunications, and enterprises relying on RRAS for remote access or routing are at higher risk. The vulnerability does not allow code execution or service disruption but compromises confidentiality, which can lead to data breaches or intelligence gathering by threat actors. Since Windows 10 Version 1507 is an early release version, many organizations may have already upgraded; however, legacy systems still in use pose a risk. The lack of a patch increases exposure until mitigations or upgrades are applied. Attackers exploiting this vulnerability could gain insights into network topology or credentials, aiding subsequent attacks.

1. Disable the Routing and Remote Access Service (RRAS) on Windows 10 Version 1507 systems if it is not strictly necessary. 2. Restrict network access to RRAS services using firewall rules to limit exposure to trusted networks and IP addresses only. 3. Prioritize upgrading affected systems from Windows 10 Version 1507 to a supported and patched Windows version where this vulnerability is resolved. 4. Monitor network traffic for unusual or malformed packets targeting RRAS ports and services to detect potential exploitation attempts. 5. Implement network segmentation to isolate legacy systems running RRAS from sensitive parts of the network. 6. Educate users about the risks of interacting with unknown or untrusted network resources that could trigger user interaction-based attacks. 7. Stay informed on Microsoft security advisories for the release of patches or workarounds addressing CVE-2025-29961 and apply them promptly once available.