CVE-2025-21371

Q: What is the severity of CVE-2025-21371?

CVE-2025-21371 has a CVSS score of 8.8 (HIGH). This vulnerability allows remote attackers to execute arbitrary code on Windows systems by exploiting a heap-based buffer overflow in the Telephony Service. It affects Windows systems with the Telephony Service enabled, particularly servers and workstations running vulnerable versions.

8.8 HIGH

Remote Code Execution Buffer Overflow

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows systems by exploiting a heap-based buffer overflow in the Telephony Service. It affects Windows systems with the Telephony Service enabled, particularly servers and workstations running vulnerable versions.

💻 Affected Systems

Products:

Windows Telephony Service

Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Systems with Telephony Service enabled are vulnerable. This service may not be running by default on all Windows installations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with administrative privileges, enabling data theft, ransomware deployment, or persistent backdoor installation across the network.

🟠

Likely Case

Remote code execution leading to malware installation, credential harvesting, and lateral movement within the network.

🟢

If Mitigated

Limited impact due to network segmentation, restricted service permissions, and endpoint protection blocking exploitation attempts.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires network access to the Telephony Service port and may require specific conditions to trigger the buffer overflow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security update KB5034441 or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21371

Restart Required: Yes

Instructions:

1. Open Windows Update settings. 2. Check for updates. 3. Install security update KB5034441. 4. Restart the system when prompted.

🔧 Temporary Workarounds

Disable Telephony Service

Windows

Stops the vulnerable service to prevent exploitation

sc config TapiSrv start= disabled
sc stop TapiSrv

Block Network Access

Windows

Restrict network access to Telephony Service port using firewall

netsh advfirewall firewall add rule name="Block Telephony Service" dir=in action=block protocol=TCP localport=1720

🧯 If You Can't Patch

Implement network segmentation to isolate systems with Telephony Service
Deploy endpoint detection and response (EDR) solutions to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check if Telephony Service is running: sc query TapiSrv

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5034441 is installed: wmic qfe list | findstr KB5034441

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with TapiSrv.exe parent process
Unexpected service crashes in System logs

Network Indicators:

Unusual traffic to port 1720 (H.323) from unexpected sources
Suspicious network connections to Telephony Service

SIEM Query:

source="windows" AND (event_id=4688 AND process_name="TapiSrv.exe") OR (event_id=1000 AND faulting_module="tapi32.dll")

📊 Metadata

CVE ID: CVE-2025-21371

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-122

EPSS Score: 0.88% exploit probability (75th percentile)

Published: February 11, 2025

Last Updated: March 3, 2025

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Telephony Service

Block Network Access

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities