Cyber Resilience

CVE-2025-54106

High

Published: 09 September 2025

Published
09 September 2025
Modified
02 October 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0043 63.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54106 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 36.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-54106 is an integer overflow or wraparound vulnerability in the Windows Routing and Remote Access Service (RRAS), published on 2025-09-09T17:15:55.707. It affects Windows systems with RRAS enabled, allowing an unauthorized attacker to execute arbitrary code over a network. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is linked to CWE-190.

Attackers can exploit this remotely without privileges by luring users into performing an action, such as interacting with a malicious network packet or resource processed by RRAS. Exploitation triggers the integer overflow, enabling code execution with RRAS service privileges, which could result in high-impact outcomes like unauthorized access, data exfiltration, system takeover, or persistence.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54106 details the issue and urges applying the released security update as the primary mitigation.

EU & UK References

Vulnerability details

Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Integer overflow RCE in exposed RRAS service directly enables remote exploitation of a network-accessible Windows service without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-47998Same product: Microsoft Windows Server 2012
CVE-2025-21309Same product: Microsoft Windows Server 2012
CVE-2026-25172Same product: Microsoft Windows Server 2012
CVE-2025-49735Same product: Microsoft Windows Server 2012
CVE-2026-26111Same product: Microsoft Windows Server 2012
CVE-2025-48824Same product: Microsoft Windows Server 2012
CVE-2025-49729Same product: Microsoft Windows Server 2012
CVE-2025-54113Same product: Microsoft Windows Server 2012
CVE-2025-49672Same product: Microsoft Windows Server 2012
CVE-2025-49668Same product: Microsoft Windows Server 2012

Affected Assets

microsoft
windows server 2012
r2
microsoft
windows server 2016
≤ 10.0.14393.8422
microsoft
windows server 2019
≤ 10.0.17763.7792
microsoft
windows server 2022
≤ 10.0.20348.4106
microsoft
windows server 2022 23h2
≤ 10.0.25398.1849
microsoft
windows server 2025
≤ 10.0.26100.6508

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of the integer overflow flaw in RRAS through application of the Microsoft security update.

prevent

Minimizes attack surface by restricting systems to essential capabilities, such as disabling RRAS when not required.

prevent

Enforces boundary protections to monitor and control network communications, limiting exposure of RRAS to unauthorized remote attackers.

References