CVE-2025-53138: 
vulnerability analysis and mitigation

A vulnerability identified as CVE-2025-53138 was discovered in Windows Routing and Remote Access Service (RRAS). The vulnerability was disclosed on August 12, 2025, and involves the use of an uninitialized resource that could potentially expose sensitive information. The affected systems include multiple versions of Windows Server, including Server 2008, 2012, 2016, 2019, 2022, and 2025 (NVD).

The vulnerability is classified as CWE-908 (Use of Uninitialized Resource) and has received a CVSS v3.1 base score of 5.7 (MEDIUM). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N, indicating network vector attack accessibility, low attack complexity, required low privileges, user interaction requirement, and high confidentiality impact (NVD).

The vulnerability allows an authorized attacker to disclose information over a network through the Windows Routing and Remote Access Service. The CVSS metrics indicate high impact on confidentiality while maintaining no direct impact on integrity or availability of the system (NVD).

Microsoft has identified the affected versions of Windows Server and provided version-specific update information. The affected versions include Windows Server 2008 through 2025, with specific version numbers for each release requiring updates. Updates are available for Windows Server 2025 (versions up to 10.0.26100.4851), Server 2016 (versions up to 10.0.14393.8330), Server 2019 (versions up to 10.0.17763.7678), Server 2022 (versions up to 10.0.20348.3989), and Server 2022 23H2 (versions up to 10.0.25398.1791) (NVD).