CVE-2025-24056

8.8 HIGH

📋 TL;DR

A heap-based buffer overflow vulnerability in Windows Telephony Server allows remote attackers to execute arbitrary code without authentication. This affects Windows systems running the vulnerable Telephony Server component. Attackers can exploit this over a network to potentially take full control of affected systems.

💻 Affected Systems

Products:
  • Windows Telephony Server
Versions: Specific versions not yet detailed in public advisory
Operating Systems: Windows Server and Windows Desktop versions with Telephony Server enabled
Default Config Vulnerable: ⚠️ Yes
Notes: Systems with Telephony Server enabled are vulnerable. This service may not be enabled by default on all Windows installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to data theft, ransomware deployment, lateral movement within the network, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to system compromise, credential harvesting, and initial access for further attacks.

🟢 If Mitigated

Limited impact with proper network segmentation and endpoint protection, potentially resulting in service disruption rather than full compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Network-based exploitation without authentication. Attack complexity may vary based on specific conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update for specific KB number

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24056

Restart Required: Yes

Instructions:

1. Apply the latest Windows security update from Microsoft.
2. Restart affected systems.
3. Verify the patch is installed successfully.

🔧 Temporary Workarounds

Disable Telephony Server Service

Windows

Disable the vulnerable Telephony Server service if it is not required for business operations.

sc stop TapiSrv
sc config TapiSrv start= disabled

Network Segmentation

Windows

Restrict network access to the Telephony Server ports using firewall rules.

New-NetFirewallRule -DisplayName "Block Telephony Server" -Direction Inbound -Protocol TCP -LocalPort 5060,5061 -Action Block

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Deploy endpoint detection and response (EDR) solutions with behavioral monitoring

🔍 How to Verify

Check if Vulnerable:

Check whether the Telephony Server service (TapiSrv) is running and whether the system is on an unpatched Windows build.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that the Windows Update history contains the relevant security patch and that the Telephony Server service is either patched or disabled.
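The verification steps above, combined into one check, as an added PowerShell example that is not part of the advisory. It assumes the TapiSrv service name shown in the workaround section; the KB number is a placeholder to be replaced with the one from the MSRC advisory.

```powershell
# Added example: report whether this host is mitigated against CVE-2025-24056,
# either because the security update is installed or because TapiSrv is
# disabled. $PatchKB is a placeholder; substitute the KB listed by MSRC.
param(
    [string]$PatchKB = "KBXXXXXXX"   # placeholder, not the real KB
)

$result = [ordered]@{
    Host           = $env:COMPUTERNAME
    OSVersion      = (Get-CimInstance Win32_OperatingSystem).Version
    ServicePresent = $false
    ServiceStatus  = "N/A"
    StartType      = "N/A"
    PatchInstalled = $false
    Mitigated      = $false
}

# Service state: absent, or disabled and not running, counts as neutralized.
$svc = Get-Service -Name TapiSrv -ErrorAction SilentlyContinue
if ($svc) {
    $result.ServicePresent = $true
    $result.ServiceStatus  = $svc.Status.ToString()
    $result.StartType      = $svc.StartType.ToString()
}

# Get-HotFix lists installed updates; an unknown/placeholder KB yields "not installed".
$result.PatchInstalled = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

$serviceNeutralized = (-not $result.ServicePresent) -or
    ($result.StartType -eq "Disabled" -and $result.ServiceStatus -ne "Running")
$result.Mitigated = $result.PatchInstalled -or $serviceNeutralized

[pscustomobject]$result | Format-List

if (-not $result.Mitigated) {
    Write-Warning "TapiSrv is enabled and $PatchKB is not installed: apply the update or disable the service."
    exit 1
}
```

Run it elevated on each host; a non-zero exit code marks hosts that still need the update or the service workaround.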

📡 Detection & Monitoring

Log Indicators:

  • Unusual Telephony Server service restarts
  • Failed authentication attempts to Telephony Server
  • Process creation from Telephony Server context

Network Indicators:

  • Unusual network traffic to Telephony Server ports (typically 5060/5061)
  • Suspicious RPC calls to Telephony Server

SIEM Query:

EventID=4688 AND NewProcessName="*\TapiSrv.exe" AND CommandLine CONTAINS "suspicious"
