CVE-2025-49663: 
vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability was discovered in Windows Routing and Remote Access Service (RRAS), identified as CVE-2025-49663. The vulnerability was first reported on June 9, 2025, and was officially analyzed by NIST on July 15, 2025. This security flaw affects multiple versions of Microsoft Windows Server, including Server 2008, 2012, 2016, 2019, 2022, and 2025 (NVD, CVE).

The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow) and has received a CVSS v3.1 base score of 8.8 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction. The impact potential is high across confidentiality, integrity, and availability (NVD).

The vulnerability allows an unauthorized attacker to execute arbitrary code over a network through the Windows Routing and Remote Access Service. This could potentially lead to complete system compromise, allowing attackers to gain control over affected systems (CVE).

Microsoft has identified affected versions of Windows Server and is tracking this vulnerability. The affected versions include Windows Server 2008 through 2025, with specific version numbers: Server 2025 (versions up to 10.0.26100.4652), Server 2016 (versions up to 10.0.14393.8246), Server 2019 (versions up to 10.0.17763.7558), Server 2022 (versions up to 10.0.20348.3932), and Server 2022 23H2 (versions up to 10.0.25398.1732) (NVD).