CVE-2025-21203: 
vulnerability analysis and mitigation

A buffer over-read vulnerability has been identified in Windows Routing and Remote Access Service (RRAS), tracked as CVE-2025-21203. The vulnerability was disclosed on April 8, 2025, and affects various versions of Microsoft Windows Server, including Server 2012, 2016, 2019, 2022, and 2025 (NVD, Rapid7).

The vulnerability is classified as CWE-126 (Buffer Over-read) and has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The vulnerability allows an unauthorized attacker to disclose information over a network through a buffer over-read condition in the Windows Routing and Remote Access Service. The CVSS scoring indicates high confidentiality impact, with no impact on integrity or availability (NVD).

Microsoft has released security updates to address this vulnerability across multiple Windows Server versions. The fixes are available through various KB articles: KB5055581 (Server 2012), KB5055557 (Server 2012 R2), KB5055521 (Server 2016), KB5055519 (Server 2019), KB5055526 (Server 2022 21H2/22H2), KB5055527 (Server 2022 23H2), and KB5055523 (Server 2025 24H2) (Rapid7).