CVE-2025-21303

CVE-2025-21303 is a remote code execution vulnerability in the Windows Telephony Service, stemming from a heap-based buffer overflow (CWE-122). Published on January 14, 2025, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for network-accessible exploitation with low complexity and no required privileges, though user interaction is necessary.

A remote unauthenticated attacker can exploit this vulnerability by tricking a user into performing a specific action, such as interacting with a maliciously crafted file or network resource handled by the Telephony Service. Successful exploitation allows arbitrary code execution in the context of the service, potentially leading to high-impact compromise of confidentiality, integrity, and availability on the affected Windows system.

Microsoft's Security Response Center provides an update guide for CVE-2025-21303 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21303, which details available patches and mitigation recommendations for affected Windows versions. Security practitioners should prioritize applying these updates to prevent exploitation.