—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Remote Code Execution Vulnerability in Microsoft Graphics Component 

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: HIGH

Software Affected

Windows Server 2016 & 2025

Windows Server 2012,2012 R2, 2016,2019, 2022 & 2025

Windows 10 Version 1607 for x64-based & 32-bit Systems

Windows 10 Version 22H2 for 32-bit & ARM64-based Systems

Windows 11 Version 23H2 for x64-based & ARM64-based Systems

Windows 11 Version 24H2 for x64-based & ARM64-based Systems

Windows 11 Version 25H2 for x64-based & ARM64-based Systems

Windows Server 2012,2012 R2,2016,2019,2022,23H2 Edition & 2025(Server Core installation)

Windows Server 2008 R2 for x64-based Systems SP1 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems SP1 & SP2

Windows Server 2008 for x64-based Systems SP2 (Server Core installation)

Windows Server 2008 for 32-bit Systems SP2 (Server Core installation)

Windows Server 2008 for 32-bit Systems SP2

Windows 10 Version 22H2 for x64-based Systems

Windows 10 Version 21H2 for x64-based,ARM64-based & 32-bit Systems

Windows 10 Version 1809 for x64-based & 32-bit Systems

Microsoft Office LTSC for Mac 2021 & 2024

Microsoft Office for Android

Overview

A remote code execution vulnerability has been reported in Microsoft Graphic Components (GDI+) which could allow an attacker to execute arbitrary code or information disclosure on the targeted system.

Target Audience:

All end-user organizations and individuals using Microsoft Graphic Components across Windows operating systems.

Risk Assessment:

High risk of unauthorized access to sensitive data and potential system compromise.

Impact Assessment:

Remote code execution.

Description

Microsoft Graphics Components are system libraries and frameworks in Windows that manage rendering and display of visual content.

This vulnerability exists in Microsoft Graphic Components due to Heap-based buffer overflow in the affected products. An attacker could exploit this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile on the targeted system.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code or information disclosure on the targeted system.

Solution

Apply appropriate updates as mentioned in:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-60724

Vendor Information

Microsoft

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-60724

References

Microsoft

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-60724

CVE Name

CVE-2025-60724

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmkZrikACgkQ3jCgcSdc

ys+kxhAAlzwQnwqSYNhK+Hj0TruJEC5IVG3kOTAPP0lpijwTvwvtNZapuASPY4mo

FRXTR9dljgPMbPCyVUZK6QATMLJcLpc/xEOvR7FworbvF/ywZQQMbI77uwgLPL6A

A5oHJKxHAADTZSFE2Te7vGOIYZ7I2l9TKzDe3zGdQhFz8Y7VIxrB3noX0w8wk1yP

6WiuZ690W9UKfVfRXfIM1vIB2jpc/ZTpF5Hf02lzkUEd83i+0mX8FEP6Z4HuDs7t

etqRasmRXF3NbBZ9eP+K5MAOzTcj8i6KOe/xVXG72iKf2Cj1TbLxOpDMeS3UnusR

ePtHaf7L1RdDkqnpnnoyL6XN79PP2LqDZZp2x0WmfPSv1cSpJFZ7IhiOHe59slpv

AApmE/EGh2yBpiQO4xwhD8w878qrKWFFooRlxdBMojbaMlt8pn4iQswxwRertThC

6an2TKVb5YWp3JvuKeqAuUpWpVYQV+RtD8frZDbMRxez8kf/1rtL95lumWgmXLTs

57xECLUI3tw5U1Ch4lMdNGEX92OSxMobnjHtW4ZlkQziJTJvFfwOt6RUVw+kuAOQ

sZHWSHVLz1RZeWftipxKui84+eRQHwQzTjAKLjeNQ2NWHP63SYFTvKcyrIArFFJF

un9AKTjOPiH1uCFau5ZhWCJsiKTF8tFssTbBrMx2Y5ty6zImLuc=

=Pl/5

—–END PGP SIGNATURE—–