
CVE-2025-49671
vulnerability analysis and mitigation

Overview

A vulnerability in Windows Routing and Remote Access Service (RRAS) was identified as CVE-2025-49671, discovered and disclosed on July 8, 2025. This security flaw involves the exposure of sensitive information to unauthorized actors, potentially allowing attackers to disclose information over a network. The vulnerability affects multiple Microsoft Windows Server versions, including Server 2008, 2012, 2016, 2019, 2022, and 2025 (NVD, CVE Mitre).

Technical details

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. It is categorized under two Common Weakness Enumeration (CWE) categories: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-125 (Out-of-bounds Read) (NVD).

Impact

The vulnerability primarily affects the confidentiality of the system: the impact rating for information disclosure is High, with no impact on integrity or availability. The attack vector is network-based and requires user interaction but no privileges, making it a significant concern for system administrators (NVD).

Mitigation and workarounds

Microsoft has released security updates for affected systems, including Windows Server 2008, 2012, 2016, 2019, 2022, and 2025. The specific versions that need updating are: Server 2025 versions up to (excluding) 10.0.26100.4652, Server 2016 versions up to (excluding) 10.0.14393.8246, Server 2019 versions up to (excluding) 10.0.17763.7558, Server 2022 versions up to (excluding) 10.0.20348.3932, and Server 2022 23H2 versions up to (excluding) 10.0.25398.1732 (NVD).
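
To check a server inventory against the fixed builds listed above, the following added example (not part of the original report, and not Microsoft or NVD code) classifies each host by its OS version string. The inventory rows, hostnames and the RRAS flag used for ordering are constructed assumptions; branches with no build threshold in this report, such as Server 2008 and 2012, are returned as "unknown" rather than guessed.

```python
from typing import NamedTuple

# First fixed revision per branch, copied from the report text above.
FIXED = {
    (10, 0, 14393): 8246,  # Server 2016
    (10, 0, 17763): 7558,  # Server 2019
    (10, 0, 20348): 3932,  # Server 2022
    (10, 0, 25398): 1732,  # Server 2022 23H2
    (10, 0, 26100): 4652,  # Server 2025
}
ORDER = {"vulnerable": 0, "unknown": 1, "patched": 2}

class Finding(NamedTuple):
    host: str
    version: str
    rras: bool
    status: str  # "vulnerable", "patched" or "unknown"

def classify(version: str) -> str:
    """Compare a major.minor.build.revision string to the fixed builds."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return "unknown"  # malformed or truncated version string
    major, minor, build, revision = map(int, parts)
    fixed = FIXED.get((major, minor, build))
    if fixed is None:
        return "unknown"  # branch has no threshold in the report
    return "patched" if revision >= fixed else "vulnerable"

def triage(inventory):
    """Return findings, vulnerable first; within a status, RRAS hosts first.

    Ordering by the RRAS flag is a prioritisation assumption of this
    example; it does not mark hosts without RRAS as unaffected.
    """
    findings = [Finding(h, v, r, classify(v)) for h, v, r in inventory]
    return sorted(findings, key=lambda f: (ORDER[f.status], not f.rras, f.host))

# Constructed sample inventory: (host, OS version, RRAS role enabled).
SAMPLE = [
    ("rras-gw-01", "10.0.17763.7434", True),
    ("file-02", "10.0.20348.3932", False),
    ("vpn-03", "10.0.26100.4652", True),
    ("legacy-04", "6.3.9600.22620", True),
    ("app-05", "10.0.14393.8148", False),
    ("bad-06", "10.0.20348", True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.status:<10} rras={f.rras!s:<5} {f.host:<12} {f.version}")
```

Hosts reported as "unknown" need a manual check against the vendor update for their branch.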

Source: This report was generated using AI
