CVE-2025-21201

8.8 HIGH

📋 TL;DR

This vulnerability in Windows Telephony Server allows remote attackers to execute arbitrary code on affected systems by sending specially crafted network packets. It affects Windows servers and workstations running vulnerable versions of the telephony service. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:
  • Windows Telephony Server
Versions: Windows Server 2019, Windows Server 2022, Windows 10, Windows 11
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Systems with Telephony Server enabled are vulnerable. Many enterprise environments may have this service disabled by default.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with administrative privileges, enabling data theft, ransomware deployment, or persistent backdoor installation across the network.

🟠

Likely Case

Remote code execution leading to initial foothold for lateral movement, credential harvesting, or deployment of additional malware payloads.

🟢

If Mitigated

Limited impact with proper network segmentation and endpoint protection, potentially only service disruption if exploitation attempts are blocked.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires network access to the Telephony Server port. No authentication bypass is needed if the service is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Windows Security Update KB5034441 (or later)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21201

Restart Required: Yes

Instructions:

1. Apply Windows Update KB5034441 through Windows Update or WSUS.
2. Restart affected systems.
3. Verify patch installation via systeminfo or the Get-HotFix PowerShell command.

🔧 Temporary Workarounds

Disable Telephony Server Service

Windows

Disable the Telephony Server service if not required for business operations

sc config TapiSrv start= disabled
sc stop TapiSrv

Block Network Access

Windows

Block inbound network access to Telephony Server ports using firewall rules

New-NetFirewallRule -DisplayName "Block Telephony Server" -Direction Inbound -Protocol TCP -LocalPort 1720,5060 -Action Block

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Telephony Server systems
  • Deploy endpoint detection and response (EDR) solutions with behavioral monitoring for exploit attempts

🔍 How to Verify

Check if Vulnerable:

Check if the Telephony Server service is running:

Get-Service TapiSrv | Select Status, StartType

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5034441 is installed:

Get-HotFix -Id KB5034441
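The three checks above combined into one PowerShell function, as an added example that is not part of this advisory. The service name (TapiSrv), KB number (KB5034441) and firewall rule name are taken from this page; the function name Test-TelephonyExposure is a hypothetical name chosen here.

```powershell
# Added example (not part of the original advisory): consolidates the
# verification steps into one function that reports whether a host still
# needs attention. Service name, KB number and firewall rule display name
# come from this page; Test-TelephonyExposure is a hypothetical name.
function Test-TelephonyExposure {
    [CmdletBinding()]
    param(
        [string]$ServiceName      = 'TapiSrv',
        [string]$KbId             = 'KB5034441',
        [string]$FirewallRuleName = 'Block Telephony Server'
    )

    # 1. Service state: a running or auto-start service means the attack surface is present.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $serviceRunning   = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $serviceAutoStart = ($null -ne $svc) -and ($svc.StartType -ne 'Disabled')

    # 2. Patch state: Get-HotFix errors when the KB is absent, so "not found" means unpatched.
    $patched = $null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    # 3. Workaround state: is the inbound block rule from this page present and enabled?
    $rule    = Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue
    $blocked = ($null -ne $rule) -and ($rule.Enabled -eq 'True') -and ($rule.Action -eq 'Block')

    # Needs action only when the service can run and neither the patch nor the block is in place.
    $needsAction = ($serviceRunning -or $serviceAutoStart) -and (-not $patched) -and (-not $blocked)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceRunning   = $serviceRunning
        ServiceAutoStart = $serviceAutoStart
        PatchInstalled   = $patched
        InboundBlocked   = $blocked
        NeedsAction      = $needsAction
    }
}

# Run locally; pipe to Export-Csv when collecting results from many hosts.
Test-TelephonyExposure | Format-List
```

Run it in an elevated PowerShell session, since Get-NetFirewallRule and Get-HotFix need local administrator rights on most builds.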

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4625 (failed logon) from Telephony Server
  • Unexpected service crashes in System logs
  • New process creation from TapiSrv.exe

Network Indicators:

  • Unusual traffic to TCP ports 1720 or 5060
  • Malformed packets to Telephony Server ports
  • Outbound connections from Telephony Server to unknown IPs

SIEM Query:

source="windows" AND (event_id=4625 OR process_name="TapiSrv.exe") AND dest_port IN (1720, 5060)
