CVE-2025-54095: 
vulnerability analysis and mitigation

CVE-2025-54095 is an out-of-bounds read vulnerability affecting Windows Routing and Remote Access Service (RRAS). The vulnerability was disclosed on September 9, 2025, and affects multiple versions of Windows Server, including Server 2008 through Server 2025. This security flaw allows an unauthorized attacker to disclose information over a network (NVD).

The vulnerability is classified as CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 6.5 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), but does need user interaction (UI:R). The scope is unchanged (S:U), with high impact on confidentiality (C:H) but no impact on integrity (I:N) or availability (A:N) (NVD).

The vulnerability primarily affects the confidentiality of information, allowing unauthorized disclosure of data through the Windows Routing and Remote Access Service. The high confidentiality impact rating suggests that sensitive information could be exposed to unauthorized parties (NVD).

Microsoft has released security updates to address this vulnerability across affected Windows Server versions, including Server 2008 SP2, Server 2012/R2, Server 2016, Server 2019, Server 2022, and Server 2025, including both full and core installations (Microsoft).