CVE-2025-60713: 
vulnerability analysis and mitigation

An untrusted pointer dereference vulnerability exists in Windows Routing and Remote Access Service (RRAS) that allows an authorized attacker to elevate privileges locally. This vulnerability was disclosed on November 11, 2025, and is tracked as CVE-2025-60713. The vulnerability affects multiple versions of Windows Server, including Server 2016, 2019, 2022, and 2025 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-822 (Untrusted Pointer Dereference). The issue specifically affects the Windows Routing and Remote Access Service component (NVD).

Successful exploitation of this vulnerability allows an authorized attacker to elevate privileges locally on affected systems. This could potentially lead to complete system compromise with high impacts on confidentiality, integrity, and availability (Rapid7).

Microsoft has released security updates to address this vulnerability. Affected versions include Windows Server 2016, 2019, 2022, and 2025. The following KB articles provide patches: KB5068864 for Server 2016, KB5068791 for Server 2019, KB5068787 for Server 2022, and KB5068861 for Server 2025 (Fortra).