CVE-2025-21339
Published: 14 January 2025
Description
Windows Telephony Service Remote Code Execution Vulnerability
Security Summary
CVE-2025-21339 is a remote code execution vulnerability affecting the Windows Telephony Service, published on 2025-01-14. It stems from a heap-based buffer overflow (CWE-122) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): high severity, reflecting a network attack vector, low attack complexity and no privileges required, offset only by the need for user interaction.
A remote, unauthenticated attacker can exploit this vulnerability by tricking a user into performing an action, such as interacting with a maliciously crafted file or network resource that the Windows Telephony Service processes. Successful exploitation allows arbitrary code execution in the context of the service, with high impact on the confidentiality, integrity, and availability of the targeted Windows system.
Microsoft's Security Response Center provides an update guide for mitigation at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21339, recommending application of available patches to affected Windows versions.
Details
- CWE(s)