CVE-2025-26672: 
vulnerability analysis and mitigation

A buffer over-read vulnerability was discovered in Windows Routing and Remote Access Service (RRAS), identified as CVE-2025-26672. The vulnerability was disclosed on April 8, 2025, and affects various versions of Microsoft Windows operating systems. This security flaw allows unauthorized attackers to disclose information over a network (NVD, Rapid7).

The vulnerability is classified as CWE-126 (Buffer Over-read) and has received a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The vulnerability primarily affects the confidentiality of the system, with the potential for information disclosure over a network. The CVSS scoring indicates high impact on confidentiality (C:H) while maintaining no impact on integrity (I:N) and availability (A:N) (NVD).

Microsoft has released security updates to address this vulnerability across multiple Windows versions, including Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. These updates are available through various KB articles including KB5055518, KB5055519, KB5055521, KB5055523, KB5055526, KB5055527, and KB5055528 (Rapid7).