
Microsoft Windows 11, Windows 10 and Microsoft Office are affected by a new graphics-component security flaw; government issues warning

A new CERT-In advisory warns of a remote code execution flaw in Microsoft’s graphics component affecting multiple Windows and Office versions, enabling attackers to run malicious code through crafted metafiles.

November 17, 2025 / 17:37 IST
Image: Windows warning

India’s Computer Emergency Response Team (CERT-In) has issued a high-severity alert for a remote code execution vulnerability affecting Microsoft Graphics Components (GDI+). The flaw, tracked as CVE-2025-60724, impacts a wide range of Windows versions, including Windows 10, Windows 11, Windows Server editions from 2008 to 2025, and Microsoft Office on Mac and Android. The agency warns that the vulnerability could allow attackers to execute arbitrary code or access sensitive information on targeted systems.

Affected platforms
According to the advisory, the vulnerability spans several generations of Windows, beginning with Windows Server 2008 and extending to the latest Windows 11 and Server 2025 builds. Both 32-bit and 64-bit systems are affected. Microsoft Office LTSC for Mac (2021 and 2024) and Microsoft Office for Android are also listed as impacted products.
CERT-In notes that all end-user organisations and individuals using Microsoft’s graphics rendering components may be exposed to the risk.


Nature of the vulnerability
CERT-In explains that the flaw stems from a heap-based buffer overflow in Microsoft Graphics Components. An attacker can exploit the issue by persuading a user to download and open a document containing a specially crafted metafile (Windows Metafile or Enhanced Metafile image data of the kind Office documents routinely embed). When the graphics component parses the malicious file, the overflow can be triggered and arbitrary code executed with the privileges of the user who opened the document; no further interaction beyond opening the file is required.
Successful exploitation may lead to unauthorised access, potential data exposure or complete compromise of the affected system. The agency classifies the risk level as high, urging immediate attention from organisations and users.
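Because the delivery vector the advisory describes is a document carrying an embedded metafile, a practical first triage step is to find out whether a document contains EMF or WMF parts at all, regardless of the file extension they are stored under. The script below is an added example, not code from CERT-In or Microsoft, and it does not detect CVE-2025-60724 itself; it only surfaces the metafile parts inside an OOXML container (.docx/.xlsx/.pptx, which are ZIP archives) so that such files can be quarantined or inspected before they reach an unpatched GDI+. The header constants come from the EMF and WMF format specifications; the sample document is constructed inline for demonstration and is not a malicious file.

```python
"""Triage helper: list metafile (EMF/WMF) parts embedded in an OOXML document.

Added example, not from the CERT-In advisory or from Microsoft. It classifies
parts by header bytes, so a metafile renamed to .png is still reported.
"""
import io
import struct
import zipfile
from typing import List, Optional, Tuple

# EMF: ENHMETAHEADER.dSignature (0x464D4520, ASCII " EMF") sits at byte offset 40,
# and the first record type (iType) is EMR_HEADER = 1.
EMF_SIGNATURE = b" EMF"
EMR_HEADER = 1
# WMF: optional Aldus "placeable" header starts with this 32-bit key;
# the standard METAHEADER starts with Type (1 = memory, 2 = disk) and HeaderSize = 9 words.
WMF_PLACEABLE_KEY = 0x9AC6CDD7
WMF_STD_TYPES = {1, 2}
WMF_HEADER_WORDS = 9


def classify_metafile(data: bytes) -> Optional[str]:
    """Return 'EMF', 'WMF' or None from the leading bytes of a part, ignoring its name."""
    if len(data) >= 44 and data[40:44] == EMF_SIGNATURE \
            and struct.unpack_from("<I", data, 0)[0] == EMR_HEADER:
        return "EMF"
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        return "WMF"
    if len(data) >= 6:
        mtype, hsize, _version = struct.unpack_from("<HHH", data, 0)
        if mtype in WMF_STD_TYPES and hsize == WMF_HEADER_WORDS:
            return "WMF"
    return None


def find_metafiles(doc: bytes) -> List[Tuple[str, str]]:
    """Return (part name, kind) for every ZIP member whose content is a metafile."""
    found = []
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size < 6:
                continue
            with zf.open(info) as part:
                head = part.read(64)  # every check above needs at most 44 bytes
            kind = classify_metafile(head)
            if kind:
                found.append((info.filename, kind))
    return found


def build_sample_docx() -> bytes:
    """Constructed OOXML-style container for the demo; headers only, no drawing records."""
    emf = struct.pack("<II", EMR_HEADER, 108) + b"\x00" * 32 + EMF_SIGNATURE + b"\x00" * 64
    wmf_placeable = struct.pack("<I", WMF_PLACEABLE_KEY) + b"\x00" * 40
    wmf_std = struct.pack("<HHH", 1, WMF_HEADER_WORDS, 0x0300) + b"\x00" * 40
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.emf", emf)
        zf.writestr("word/media/image2.png", png)
        zf.writestr("word/media/image3.png", wmf_placeable)  # metafile hiding under a .png name
        zf.writestr("word/embeddings/legacy.wmf", wmf_std)
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in find_metafiles(build_sample_docx()):
        print(f"{kind}: {name}")
```

Run against a real document with `find_metafiles(open(path, "rb").read())`. A hit is not proof of exploitation, only that the document exercises the metafile parser the advisory is about; the sensible response is to detonate or strip such parts rather than open the file on an unpatched host. The check covers only ZIP-based OOXML files; RTF and legacy binary Office formats carry metafiles differently and need separate handling.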

Security impact and risks
The primary impact is remote code execution, which could allow attackers to take control of a device, manipulate data or expand access within an organisation’s network. CERT-In highlights the possibility of information disclosure as an additional threat.
Given the widespread use of Windows graphics processing libraries across consumer and enterprise environments, and the fact that the vector is an ordinary-looking document rather than a network service, the vulnerability poses a significant security concern until affected systems are updated; mail and document filtering that flags embedded metafiles is a reasonable interim control.