CVE-2025-53806: 
vulnerability analysis and mitigation

A buffer over-read vulnerability in Windows Routing and Remote Access Service (RRAS) was disclosed on September 9, 2025. The vulnerability, tracked as CVE-2025-53806, affects multiple versions of Windows Server including Server 2008 through Server 2025. This security flaw allows unauthorized attackers to disclose information over a network (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The technical assessment indicates it is a network-based attack with low attack complexity, requiring no privileges but needs user interaction. The vulnerability is classified under CWE-125 (Out-of-bounds Read) and CWE-126 (Buffer Over-read) (NVD).

The vulnerability primarily affects confidentiality, with a High impact rating for information disclosure, while having no direct impact on system integrity or availability. The buffer over-read condition could allow attackers to access sensitive information from the affected systems (NVD).

Microsoft has released security updates to address this vulnerability across affected Windows Server versions, including Server 2008 SP2, Server 2012/2012 R2, Server 2016, Server 2019, Server 2022, and Server 2025. Users are advised to apply the latest security updates (Microsoft).