CVE-2025-27477

Q: What is the severity of CVE-2025-27477?

CVE-2025-27477 has a CVSS score of 8.8 (HIGH). A heap-based buffer overflow vulnerability in Windows Telephony Service allows remote attackers to execute arbitrary code without authentication. This affects Windows systems with the Telephony Service enabled, potentially allowing complete system compromise. Network-accessible systems are particularly vulnerable.

8.8 HIGH

Remote Code Execution Buffer Overflow

📋 TL;DR

A heap-based buffer overflow vulnerability in Windows Telephony Service allows remote attackers to execute arbitrary code without authentication. This affects Windows systems with the Telephony Service enabled, potentially allowing complete system compromise. Network-accessible systems are particularly vulnerable.

💻 Affected Systems

Products:

Windows Telephony Service

Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Systems with Telephony Service disabled or blocked by firewall are less vulnerable. Server Core installations may be unaffected if Telephony Service is not installed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with administrative privileges, enabling data theft, ransomware deployment, or persistent backdoor installation across the network.

🟠

Likely Case

Remote code execution leading to malware installation, credential harvesting, and lateral movement within the network environment.

🟢

If Mitigated

Limited impact with proper network segmentation and endpoint protection, potentially reduced to denial of service or failed exploitation attempts.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires network access to the Telephony Service port (typically TCP 1720 or 1723). The vulnerability is in a core Windows service, making reliable exploitation challenging but possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27477

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft Update. 2. Restart the system to complete installation. 3. Verify the patch is applied using Windows Update history.

🔧 Temporary Workarounds

Disable Windows Telephony Service

windows

Stops the vulnerable service from running

sc stop TapiSrv
sc config TapiSrv start= disabled

Block Telephony Service Ports

windows

Prevents network access to the vulnerable service

netsh advfirewall firewall add rule name="Block Telephony" dir=in action=block protocol=TCP localport=1720,1723

🧯 If You Can't Patch

Implement strict network segmentation to isolate systems running Telephony Service
Deploy endpoint detection and response (EDR) solutions to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check if Telephony Service is running: sc query TapiSrv

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history contains the relevant security update KB number

📡 Detection & Monitoring

Log Indicators:

Unusual process creation from TapiSrv.exe
Crash logs related to telephony service
Windows Event ID 1000 application crashes

Network Indicators:

Unusual traffic to TCP ports 1720/1723 from unexpected sources
Multiple connection attempts to Telephony Service

SIEM Query:

source="windows" AND (process_name="TapiSrv.exe" AND (event_id=1000 OR parent_process="*"))

📊 Metadata

CVE ID: CVE-2025-27477

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-122

EPSS Score: 2.36% exploit probability (84.6th percentile)

Published: April 8, 2025

Last Updated: July 8, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27477 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Windows Telephony Service

Block Telephony Service Ports

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities