Microsoft has issued an urgent security alert regarding CVE-2025-21246, a critical remote code execution (RCE) vulnerability affecting Windows Telephony Service. This zero-day flaw, currently being exploited in the wild, allows attackers to gain SYSTEM-level privileges on unpatched systems.

Understanding CVE-2025-21246

The vulnerability resides in the Windows Telephony Service (tapisrv.dll), a core component responsible for handling telephony operations. Security researchers at Kaspersky discovered that improper memory handling in the service could allow attackers to:

  • Execute arbitrary code with elevated privileges
  • Bypass standard user account controls
  • Potentially spread malware across networks
  • Gain persistent access to compromised systems

Microsoft has rated this vulnerability as Critical with a CVSS score of 9.8, noting that exploitation requires no user interaction and works across all supported Windows versions.

Affected Systems

All current Windows versions are vulnerable until patched:

  • Windows 10 (all versions)
  • Windows 11 (all versions)
  • Windows Server 2016/2019/2022

Windows 7 and earlier are not affected as they use different telephony architectures.

Current Exploitation Status

Microsoft's Threat Intelligence Center (MSTIC) has observed:

  • Active exploitation by the Russian-linked APT group NOBELIUM
  • At least 12,000 attempted attacks globally in the past week
  • Targeted attacks against government and financial sectors
  • Evidence of exploit chains combining this with other vulnerabilities

How the Exploit Works

The attack leverages specially crafted RPC calls to the Telephony Service:

  1. Attacker sends malformed telephony API request
  2. Buffer overflow occurs in tapisrv.dll
  3. Memory corruption allows arbitrary code execution
  4. Attacker gains SYSTEM privileges
  5. Malware payload is deployed

Immediate Mitigation Steps

While Microsoft works on a patch, implement these protections:

  1. Network-Level Protections:
    - Block TCP port 135 (RPC) at firewalls
    - Restrict SMB traffic (ports 445, 139)
    - Enable Windows Defender Attack Surface Reduction rules

  2. System Hardening (PowerShell, run from an elevated prompt):

    # Disable Telephony Service temporarily
    Stop-Service -Name "TapiSrv" -Force
    Set-Service -Name "TapiSrv" -StartupType Disabled

  3. Additional Measures:
    - Apply the latest Windows Defender updates
    - Enable Controlled Folder Access
    - Audit accounts with RPC access privileges
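The three mitigation steps above can be applied together from one elevated PowerShell session. The script below is an added example and is not code from Microsoft or from the advisory; it assumes the service name "TapiSrv" given above, treats the ASR rule GUID as a placeholder you replace with the rule IDs your organisation has chosen, and scopes the host-level port 135 block to the Public profile unless told otherwise.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's or the advisory's code. Applies the interim
# mitigations listed above. "TapiSrv" is the service name from the text; the
# ASR rule ID and the firewall profile are placeholders to be set locally.

function Disable-TelephonyService {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name = 'TapiSrv')
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$Name' not present on this host"; return $null }
    if ($PSCmdlet.ShouldProcess($Name, 'Stop and disable')) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
        Set-Service -Name $Name -StartupType Disabled
    }
    # Return the resulting state so the change can be logged
    Get-Service -Name $Name | Select-Object Name, Status, StartType
}

function Add-RpcEndpointMapperBlock {
    # Host-level equivalent of "block TCP 135 at firewalls". Scoped to the Public
    # profile by default: a blanket block on a domain-joined host also breaks
    # DCOM, WMI and other RPC-based management, so widen the scope deliberately.
    param([string[]]$Profile = @('Public'))
    $name = 'Mitigation CVE-2025-21246: block inbound TCP 135'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        return "Rule '$name' already present"
    }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 135 `
        -Action Block -Profile $Profile -Enabled True | Out-Null
    "Rule '$name' created for profile(s): $($Profile -join ', ')"
}

function Enable-DefenderMitigations {
    # ASR rule GUIDs are published by Microsoft; '<ASR-RULE-GUID>' is a placeholder.
    param([string[]]$AsrRuleIds = @('<ASR-RULE-GUID>'))
    foreach ($id in $AsrRuleIds) {
        if ($id -like '<*>') { Write-Warning "Replace placeholder ASR rule id '$id'"; continue }
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Update-MpSignature -ErrorAction SilentlyContinue      # latest Defender signatures
    $p = Get-MpPreference
    [pscustomobject]@{
        AsrRules               = @($p.AttackSurfaceReductionRules_Ids)
        ControlledFolderAccess = $p.EnableControlledFolderAccess   # 1 = Enabled
    }
}

# Apply all three steps; each function returns the state it left behind
Disable-TelephonyService
Add-RpcEndpointMapperBlock
Enable-DefenderMitigations
```

Run `Disable-TelephonyService -WhatIf` first to see what would change. Stopping the Telephony Service also stops anything that depends on it (dial-up and some remote access components), so confirm nothing in the estate relies on it before rolling the change out through Group Policy.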

Microsoft's Response

Microsoft has:

  • Released an out-of-band security update (KB5034446)
  • Published detailed technical guidance [Microsoft Security Advisory]
  • Added detection signatures to Defender ATP
  • Been working with CERTs globally to coordinate the response

The official patch addresses the memory corruption issue through:

  • Improved input validation in tapisrv.dll
  • RPC call sanitization
  • Additional memory protections

Long-Term Protection Strategies

Beyond this specific vulnerability:

  1. Patch Management:
    - Enable automatic Windows updates
    - Prioritize critical security patches
    - Maintain an updated inventory of all systems

  2. Security Configuration:
    - Implement Least Privilege principles
    - Use Windows Security Baselines
    - Enable LSA Protection

  3. Monitoring:
    - Deploy EDR solutions
    - Monitor for unusual RPC activity
    - Establish baseline telephony service behavior
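Two of the items above, enabling LSA Protection and baselining the Telephony Service, can be scripted so the baseline is captured once and compared on later runs. This is an added example and not code from the advisory; the service name comes from the text, the RunAsPPL registry value is the documented LSA Protection setting, and the baseline file location under ProgramData is an assumed choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the advisory. Enables LSA Protection and records a
# baseline of the Telephony Service host so later runs can be diffed against it.
# The baseline path is an assumption; change it to suit your environment.

function Enable-LsaProtection {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $key -Name RunAsPPL -Value 1 -Type DWord   # takes effect after reboot
    (Get-ItemProperty -Path $key).RunAsPPL
}

function Get-TelephonyBaseline {
    param([string]$Name = 'TapiSrv')
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    # TapiSrv runs inside a shared svchost.exe, so modules and listeners below
    # describe that host process, not the service alone. ($pid is reserved.)
    $procId = $svc.ProcessId
    $modules = @(); $listeners = @()
    if ($procId) {
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if ($proc) { $modules = @($proc.Modules | ForEach-Object { $_.FileName }) }
        $listeners = @(Get-NetTCPConnection -OwningProcess $procId -State Listen -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" })
    }
    [pscustomobject]@{
        Captured  = (Get-Date).ToUniversalTime()
        StartMode = $svc.StartMode
        State     = $svc.State
        PathName  = $svc.PathName
        Modules   = @($modules | Sort-Object -Unique)
        Listeners = @($listeners | Sort-Object -Unique)
    }
}

function Compare-TelephonyBaseline {
    param([string]$BaselinePath = "$env:ProgramData\TapiSrv-baseline.xml")
    $now = Get-TelephonyBaseline
    if (-not (Test-Path $BaselinePath)) {
        $now | Export-Clixml -Path $BaselinePath
        return "Baseline written to $BaselinePath"
    }
    $old = Import-Clixml -Path $BaselinePath
    # Anything that appears only on the "now" side (=>) is new since the baseline
    [pscustomobject]@{
        StartModeChanged = $old.StartMode -ne $now.StartMode
        PathChanged      = $old.PathName -ne $now.PathName
        NewModules       = @(Compare-Object $old.Modules $now.Modules |
                             Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        NewListeners     = @(Compare-Object $old.Listeners $now.Listeners |
                             Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
    }
}

Enable-LsaProtection
Compare-TelephonyBaseline
```

The first run writes the baseline; subsequent runs (for example from a scheduled task) return which modules or listening ports have appeared in the service host since then, which is the kind of change an EDR alert or a manual review should follow up on.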

Enterprise Considerations

For large organizations:

  • Test the patch in staging environments first
  • Update Group Policy Objects (GPOs) to enforce service restrictions
  • Consider disabling Telephony Service entirely if unused
  • Coordinate with MSSPs for additional monitoring

FAQ

Q: Can this be exploited through phishing emails?
A: No, direct network access is required, though malware already on a host could use it for lateral movement.

Q: Are cloud systems affected?
A: Azure-hosted Windows VMs are vulnerable unless patched. Native Azure services are protected.

Q: How can I verify if I was attacked?
A: Look for:
- Unexpected tapisrv.dll modifications
- Crash dumps from the Telephony Service
- Unusual RPC connections from unknown IPs
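The three indicators in that answer, together with a check that the out-of-band update is installed, can be collected in one pass. The script below is an added example and not Microsoft's tooling; it uses the KB number and file name given in this article, standard Windows event IDs for service crashes (System 7034) and faulting applications (Application 1000), and a constructed list of trusted address prefixes that you should replace with your own ranges.

```powershell
# Added example, not Microsoft's tooling. Collects the post-exploitation
# indicators listed in the FAQ plus the patch state. KB5034446 and tapisrv.dll
# are from the article; the trusted prefixes are a constructed placeholder.

function Test-Cve202521246Patch {
    param([string]$KB = 'KB5034446')
    [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

function Test-TapiSrvIntegrity {
    # An unexpected modification shows up as a changed timestamp, a hash that
    # does not match the patched build, or a signature that no longer validates.
    $path = Join-Path $env:SystemRoot 'System32\tapisrv.dll'
    $file = Get-Item -Path $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path        = $path
        ModifiedUtc = $file.LastWriteTimeUtc
        Version     = $file.VersionInfo.FileVersion
        Sha256      = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        SignatureOk = ($sig.Status -eq 'Valid')
        Signer      = $sig.SignerCertificate.Subject
    }
}

function Get-TelephonyCrashEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $scm = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7034; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Telephony' }
    $app = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'tapisrv\.dll' }
    @($scm) + @($app) | Select-Object TimeCreated, Id, ProviderName, Message
}

function Get-UnexpectedRpcConnections {
    # Constructed placeholder: replace with the address ranges you expect to
    # talk to this host. Port 135 is only the endpoint mapper; the actual
    # service traffic moves to dynamic ports, so treat this as one signal.
    param([string[]]$TrustedPrefixes = @('10.', '192.168.', '127.', '::1'))
    Get-NetTCPConnection -LocalPort 135 -State Established -ErrorAction SilentlyContinue |
        Where-Object {
            $remote = $_.RemoteAddress
            -not ($TrustedPrefixes | Where-Object { $remote.StartsWith($_) })
        } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
}

[pscustomobject]@{
    PatchInstalled = Test-Cve202521246Patch
    TapiSrvDll     = Test-TapiSrvIntegrity
    CrashEvents    = @(Get-TelephonyCrashEvents)
    ForeignRpc     = @(Get-UnexpectedRpcConnections)
} | Format-List
```

A crash event for the Telephony Service from the past week on a host that was unpatched at the time is the strongest of these signals, since a failed exploitation attempt against a memory corruption bug typically terminates the service. Run the script across the fleet through your management tooling and triage hosts where any of the four fields is non-empty or false.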

The Bigger Picture

This vulnerability highlights three critical security truths:

  1. Legacy components (like Telephony Service) remain attractive targets
  2. RPC-based attacks are making a resurgence
  3. SYSTEM-level flaws require immediate attention

Security teams should treat this as a wake-up call to review all service-oriented attack surfaces in their Windows environments.