Cyber Resilience

CVE-2026-25173

High

Published: 10 March 2026

Published
10 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score v3.1 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0005 15.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25173 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 15.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25173 is an integer overflow or wraparound vulnerability (CWE-190, CWE-122) in the Windows Routing and Remote Access Service (RRAS). Published on 2026-03-10, it carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An authorized attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R). Successful exploitation enables arbitrary code execution, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U).

The Microsoft Security Response Center provides an update guide with mitigation details at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25173.

EU & UK References

Vulnerability details

Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Integer overflow in RRAS service enables remote authenticated RCE from low-privileged network access, directly mapping to exploitation of remote services for initial/unauthorized access and subsequent privilege escalation to achieve full system impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34329Same product: Microsoft Windows 10 1607
CVE-2026-26180Same product: Microsoft Windows 10 1607
CVE-2026-23669Same product: Microsoft Windows 10 1607
CVE-2026-40398Same product: Microsoft Windows 10 1607
CVE-2026-25188Same product: Microsoft Windows 10 1607
CVE-2026-33837Same product: Microsoft Windows 10 1607
CVE-2026-40407Same product: Microsoft Windows 10 1607
CVE-2026-35415Same product: Microsoft Windows 10 1607
CVE-2026-40377Same product: Microsoft Windows 10 1607
CVE-2026-34343Same product: Microsoft Windows 10 1607

Affected Assets

microsoft
windows 10 1607
≤ 10.0.14393.8957 · ≤ 10.0.14393.8957
microsoft
windows 10 1809
≤ 10.0.17763.8511 · ≤ 10.0.17763.8511
microsoft
windows 10 21h2
≤ 10.0.19044.7058 · ≤ 10.0.19044.7058 · ≤ 10.0.19044.7058
microsoft
windows 10 22h2
≤ 10.0.19045.7058 · ≤ 10.0.19045.7058 · ≤ 10.0.19045.7058
microsoft
windows 11 23h2
≤ 10.0.22631.6783 · ≤ 10.0.22631.6783
microsoft
windows 11 24h2
≤ 10.0.26100.7979 · ≤ 10.0.26100.7979
microsoft
windows 11 25h2
≤ 10.0.26200.7979 · ≤ 10.0.26200.7979
microsoft
windows 11 26h1
≤ 10.0.28000.1719 · ≤ 10.0.28000.1719
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.8957
+4 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identification and timely remediation of the integer overflow flaw in RRAS via patching as provided by Microsoft.

prevent

Enforces validation of network inputs to RRAS to prevent integer overflows from malformed data causing wraparound and code execution.

prevent

Implements memory protections like ASLR and DEP that hinder successful exploitation of the integer overflow for arbitrary code execution.

References