CVE-2025-29961 is a medium-severity vulnerability identified as an out-of-bounds read (CWE-125) in the Windows Routing and Remote Access Service (RRAS) component of Microsoft Windows 10 Version 1809 (build 10.0.17763.0). This vulnerability allows an unauthorized attacker to remotely trigger an out-of-bounds read condition, which can lead to the disclosure of sensitive information over the network. Specifically, the flaw exists because RRAS improperly handles certain network packets or requests, causing it to read memory beyond the intended buffer boundaries. This memory disclosure can reveal sensitive data residing in adjacent memory areas, potentially including credentials, tokens, or other confidential information. The vulnerability does not require any privileges or authentication but does require user interaction, likely in the form of the victim system processing maliciously crafted network traffic. The CVSS v3.1 base score is 6.5, reflecting a medium severity with a high impact on confidentiality but no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that mitigation may rely on workarounds or network-level controls until an official fix is released. The vulnerability affects Windows 10 Version 1809, a version that, while superseded by newer releases, remains in use in some enterprise environments, especially where legacy systems or applications require it. The out-of-bounds read can be leveraged by attackers to gain unauthorized access to sensitive information remotely, which could facilitate further attacks such as credential theft or lateral movement within a network.

For European organizations, this vulnerability poses a significant risk to confidentiality, particularly in sectors where Windows 10 Version 1809 is still operational, such as industrial control systems, healthcare, or government agencies with legacy infrastructure. The ability for an unauthenticated attacker to disclose sensitive information remotely could lead to data breaches involving personal data protected under GDPR, intellectual property theft, or exposure of internal network details. Although the vulnerability does not affect system integrity or availability directly, the information disclosed could be used to mount more damaging attacks, increasing the overall risk posture. Organizations relying on RRAS for VPN or remote access services are especially at risk, as attackers could exploit this vector to gather intelligence on network configurations or credentials. The lack of known exploits in the wild currently reduces immediate risk, but the presence of a public CVE and medium severity score means attackers may develop exploits in the near future. European organizations must consider the potential regulatory and reputational consequences of data leakage resulting from this vulnerability.

Given the absence of an official patch at this time, European organizations should implement the following specific mitigations: 1) Disable or restrict the use of RRAS on Windows 10 Version 1809 systems where it is not strictly necessary, minimizing the attack surface. 2) Employ network segmentation and firewall rules to limit exposure of RRAS services to untrusted networks, especially the internet. 3) Monitor network traffic for anomalous or malformed packets targeting RRAS ports to detect potential exploitation attempts. 4) Apply strict access controls and multi-factor authentication on remote access services to reduce the risk of unauthorized access. 5) Plan and prioritize upgrading affected systems to a supported and patched Windows version that addresses this vulnerability. 6) Conduct internal audits to identify all instances of Windows 10 Version 1809 running RRAS and assess their necessity. 7) Educate IT staff about this vulnerability and encourage vigilance for any suspicious activity related to RRAS. These targeted actions go beyond generic advice by focusing on reducing RRAS exposure, enhancing detection, and accelerating system upgrades.