Critical

GDI+ Remote Code Execution Vulnerability

IdentifiersCVE-2025-60724CWE-122· Heap-based Buffer Overflow

CVE-2025-60724 is a critical remote code execution vulnerability in Microsoft Graphics Component (GDI+), associated with gdiplus.dll. The flaw is described as a heap-based buffer overflow triggered while processing specially crafted graphics content, including metafiles embedded in documents. Multiple sources in the provided content characterize the vulnerable condition as occurring in GDI+ memory allocation/copying routines during parsing of complex graphics payloads. Successful exploitation can occur when a target opens a malicious document containing a crafted metafile, and the content also indicates exposure through server-side document processing workflows or web services that accept and parse uploaded documents. Microsoft and referenced reporting describe the issue as allowing an unauthorized attacker to execute code over a network, with a CVSS 3.1 score of 9.8.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to arbitrary code execution in the context of the process or service invoking GDI+. In client-side scenarios, this means code execution when a user opens a malicious file. In server-side scenarios described in the content, exploitation through document-upload or graphics-processing services could result in remote code execution without prior privileges, and may also expose information disclosure outcomes. Where the vulnerable service runs with elevated rights, including cases noted in the content such as SYSTEM-level services, compromise could result in full administrative control of the affected host.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting or disabling workflows that automatically parse untrusted image-bearing documents or metafiles, especially in internet-facing or externally accessible web services that accept document uploads. Restrict upload and rendering paths for untrusted files, enforce content validation and sandboxing for document/image processing, and minimize exposure of services that may invoke GDI+ on attacker-supplied content. User-focused mitigations include preventing users from opening untrusted documents and attachments until patches are deployed. No specific vendor workaround beyond patching is clearly provided in the content.

Remediation

Patch, then assume compromise.

Apply Microsoft's November 2025 security updates for CVE-2025-60724 across affected Windows and Microsoft Office platforms. The provided content explicitly recommends upgrading to the latest fixed versions and following organizational patching and testing procedures. The content also references Microsoft update articles/KBs for affected Windows client and server releases and notes that Office for Mac and Office for Android are affected as well. Use the MSRC advisory for product-specific update guidance.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft Corporation365 Copilotapplication

Microsoft CorporationOfficeapplication

Microsoft CorporationOffice Long Term Servicing Channelapplication

Microsoft CorporationOffice Macos 2021application

Microsoft CorporationOffice Macos 2024application

Microsoft CorporationWindows 10 1607operating_system

Microsoft CorporationWindows 10 1809operating_system

Microsoft CorporationWindows 10 21h2operating_system

Microsoft CorporationWindows 10 22h2operating_system

Microsoft CorporationWindows 11 23h2operating_system

Microsoft CorporationWindows 11 24h2operating_system

Microsoft CorporationWindows 11 25h2operating_system

Microsoft CorporationWindows Server 2008operating_system

Microsoft CorporationWindows Server 2008 R2operating_system

Microsoft CorporationWindows Server 2008 Sp2operating_system

Microsoft CorporationWindows Server 2012operating_system

Microsoft CorporationWindows Server 2012 R2operating_system

Microsoft CorporationWindows Server 2016operating_system

Microsoft CorporationWindows Server 2019operating_system

Microsoft CorporationWindows Server 2022operating_system

Microsoft CorporationWindows Server 2022 23h2operating_system

Microsoft CorporationWindows Server 2025operating_system

Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

24 SOURCESView more in app

expel blogNews

Jan 14, 2026

Patch Tuesday: January 2026 (Expel’s version) | Expel

A remote code execution vulnerability in GDI+.

bank info securityNews

Nov 13, 2025

Breach Roundup: UK Probes Chinese-Made Electric Buses

A heap-based buffer overflow vulnerability in GDI+ that enables remote code execution over networks.

govinfosecurityNews

Nov 13, 2025

Breach Roundup: UK Probes Chinese-Made Electric Buses

A heap-based buffer overflow vulnerability in GDI+ that enables remote code execution over networks.

outpost24 blogNews

Nov 12, 2025

Microsoft Patch Tuesday – November 2025

A heap-based buffer overflow in Windows GDI+ that can lead to arbitrary code execution when a user opens a malicious file.

+7 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity13

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-60724

NVD

nvd.nist.gov/vuln/detail/CVE-2025-60724

MITRE CWE · CWE-122

Heap-based Buffer Overflow

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60724