CVE-2025-54095: CWE-125: Out-of-bounds Read in Microsoft Windows Server 2019
Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
AI Analysis
Technical Summary
CVE-2025-54095 is a security vulnerability identified as an out-of-bounds read (CWE-125) in the Windows Routing and Remote Access Service (RRAS) component of Microsoft Windows Server 2019, specifically version 10.0.17763.0. This vulnerability allows an unauthorized attacker to remotely trigger an out-of-bounds read condition, which can lead to the disclosure of sensitive information over the network. The flaw arises because RRAS improperly handles certain network packets or requests, causing it to read memory outside the intended buffer boundaries. This memory disclosure can reveal potentially sensitive data residing in adjacent memory locations, which may include credentials, configuration details, or other critical information. Exploitation does not require any prior authentication, but the CVSS vector indicates that some user interaction is required; this analysis assumes that interaction takes the form of the vulnerable service processing crafted network traffic sent to it. The vulnerability has a CVSS 3.1 base score of 6.5, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:R). The impact is limited to confidentiality (C:H), with no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches or mitigations have been officially published yet. Because RRAS provides routing and remote access capabilities, this vulnerability could be used by attackers to gain unauthorized insight into internal network information, potentially aiding further attacks or reconnaissance efforts.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to confidentiality. Organizations using Windows Server 2019 with RRAS enabled—commonly found in enterprises providing VPN, routing, or remote access services—could have sensitive network information exposed to remote attackers. This exposure could facilitate further targeted attacks, such as lateral movement, credential theft, or network mapping. Given the medium severity and the requirement for user interaction, the immediate risk is moderate, but the potential for information leakage could be leveraged in multi-stage attacks. Critical infrastructure providers, financial institutions, and government agencies in Europe that rely on RRAS for secure remote connectivity could be particularly impacted. The lack of known exploits currently reduces immediate threat levels, but the absence of patches means organizations remain vulnerable until mitigations are applied. Additionally, the vulnerability could undermine compliance with European data protection regulations (e.g., GDPR) if sensitive data is disclosed.
Mitigation Recommendations
European organizations should proactively audit their Windows Server 2019 deployments to identify systems running RRAS and assess exposure to external networks. Until an official patch is released, organizations should consider disabling RRAS if it is not essential or restrict RRAS access strictly through network segmentation and firewall rules to trusted IP addresses only. Implementing network intrusion detection systems (NIDS) to monitor for anomalous or malformed RRAS traffic can help detect exploitation attempts. Organizations should also enforce strict user interaction policies and educate users about the risks of interacting with unsolicited network prompts or connections. Regularly updating Windows Server systems with the latest security updates is critical once a patch becomes available. Additionally, conducting internal penetration testing and vulnerability scans focused on RRAS can help identify exploitable configurations. Finally, organizations should prepare incident response plans to quickly address any suspected exploitation.
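The following PowerShell audit script is an added example, not part of the advisory, covering the first two recommendations above: it checks whether the host is the Windows Server 2019 build the advisory names, whether the RRAS role and service are present and running, and which inbound firewall rules are scoped to the RRAS service, with an optional switch to stop and disable the service where RRAS is not essential. It assumes the standard Windows Server feature names (RemoteAccess, Routing, DirectAccess-VPN) and the RRAS service name RemoteAccess.

```powershell
# Added defender-side audit for CVE-2025-54095 (example code, not from the advisory).
# Run as Administrator on each Windows Server host. Reports the OS build, the RRAS
# role/service state and the inbound firewall rules scoped to the RRAS service.
# With -Disable, stops and disables the service (only where RRAS is not needed).
[CmdletBinding()]
param(
    [switch]$Disable
)

# 1. OS build check: the advisory names 10.0.17763.0, i.e. Windows Server 2019.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isServer2019 = ($os.BuildNumber -eq '17763')
"{0} (build {1}) - Windows Server 2019 build: {2}" -f $os.Caption, $os.BuildNumber, $isServer2019

# 2. Role/feature check. Assumed standard feature names behind RRAS (ServerManager module).
$features = Get-WindowsFeature -Name RemoteAccess, Routing, DirectAccess-VPN -ErrorAction SilentlyContinue
$features | Select-Object Name, InstallState | Format-Table -AutoSize

# 3. Service check. 'RemoteAccess' is the service name of "Routing and Remote Access".
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    "RRAS service not present on this host; nothing further to check."
    return
}
"RRAS service status: {0}, start type: {1}" -f $svc.Status, $svc.StartType

# 4. Enabled inbound firewall rules that apply to the RRAS service. A rule whose
#    RemoteAddress is 'Any' leaves the service reachable from untrusted networks,
#    which is what the advisory recommends restricting to trusted addresses.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallServiceFilter).Service -eq 'RemoteAccess' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            RemoteAddress = ($addr -join ',')
        }
    } | Format-Table -AutoSize

# 5. Optional containment where RRAS is not essential.
if ($Disable -and $svc.Status -ne 'Stopped') {
    Stop-Service -Name RemoteAccess -Force
    Set-Service -Name RemoteAccess -StartupType Disabled
    "RRAS stopped and set to Disabled; re-enable only after the fix is applied."
}
```

Run it without -Disable first across the fleet to build the inventory; review the reported firewall scope before tightening rules or disabling the service on hosts that provide VPN or routing.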
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: microsoft
- Date Reserved: 2025-07-16T19:49:12.438Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68c071e2ce6ed8307545b9e6
Added to database: 9/9/2025, 6:28:50 PM
Last enriched: 10/2/2025, 12:45:08 AM
Last updated: 10/30/2025, 6:59:47 AM