CVE-2025-54096 is a security vulnerability classified as CWE-125 (Out-of-bounds Read) affecting Microsoft Windows Server 2019, specifically version 10.0.17763.0. The flaw exists in the Windows Routing and Remote Access Service (RRAS), a component that provides routing and VPN services. An out-of-bounds read occurs when the software reads memory outside the intended buffer boundaries, potentially leaking sensitive information. This vulnerability can be exploited remotely over the network without requiring any privileges (PR:N) but does require user interaction (UI:R), such as sending specially crafted network packets to the RRAS service. The vulnerability impacts confidentiality (C:H) by allowing unauthorized disclosure of information, but it does not affect integrity or availability. The CVSS vector indicates low attack complexity (AC:L) and no privileges required, making exploitation feasible for attackers with network access. No known exploits have been reported in the wild, and no official patches have been released as of the published date. The vulnerability was reserved in mid-July 2025 and published in early September 2025. RRAS is commonly used in enterprise environments for VPN and routing, so exploitation could expose sensitive internal network information, aiding further attacks or reconnaissance.

For European organizations, the primary impact is the unauthorized disclosure of sensitive information from Windows Server 2019 systems running RRAS. This could include internal routing information, network configuration details, or other memory-resident data that attackers can leverage for lateral movement or targeted attacks. Confidentiality breaches can lead to exposure of sensitive corporate or customer data, potentially violating GDPR and other data protection regulations, resulting in legal and financial consequences. Since the vulnerability does not affect system integrity or availability, direct service disruption is unlikely. However, the information disclosure could facilitate more severe attacks, such as privilege escalation or ransomware deployment. Organizations with critical infrastructure, government networks, or enterprises heavily reliant on RRAS for VPN access are at higher risk. The lack of a patch means organizations must rely on network-level mitigations and monitoring to reduce exposure.

1. Immediately restrict RRAS exposure by limiting network access to trusted hosts and networks only, using firewalls and network segmentation. 2. Disable RRAS if it is not essential for business operations to eliminate the attack surface. 3. Monitor network traffic for unusual or malformed packets targeting RRAS ports and protocols, employing intrusion detection/prevention systems with updated signatures. 4. Implement strict access controls and network-level authentication to reduce unauthorized access attempts. 5. Apply the principle of least privilege to accounts and services interacting with RRAS. 6. Stay informed on Microsoft security advisories and apply patches promptly once available. 7. Conduct regular security audits and vulnerability assessments focusing on RRAS configurations and network exposure. 8. Educate network administrators about the risks and signs of exploitation attempts related to this vulnerability.