CVE-2025-54113: 
vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability has been identified in Windows Routing and Remote Access Service (RRAS) that affects multiple Windows Server versions. The vulnerability, tracked as CVE-2025-54113, was disclosed on September 9, 2025. This security flaw allows an unauthorized attacker to execute code over a network, posing a significant risk to affected systems (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), but does need user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow) (NVD).

The vulnerability affects multiple versions of Windows Server, including Server 2008 through Server 2025, in both regular and Server Core installations. If successfully exploited, the vulnerability allows attackers to execute arbitrary code with high impact on system confidentiality, integrity, and availability (AttackerKB).

Microsoft has released security updates to address this vulnerability. System administrators are advised to apply the latest security patches to affected systems (Microsoft).