CVE-2025-60724: CVE-2025-60724: Remote Code Execution via Heap-based Buffer Overflow in Microsoft GDI+

CVE-2025-60724: Remote Code Execution via Heap-based Buffer Overflow in Microsoft GDI+

Vulnerability ID: CVE-2025-60724
CVSS Score: 9.8
Published: 2025-11-11

CVE-2025-60724 is a critical, unauthenticated remote code execution vulnerability located in the Microsoft Graphics Component (GDI+). The flaw exists within the parsing logic of gdiplus.dll when handling specially crafted graphics objects delivered over network interfaces, specifically Remote Procedure Call (RPC) endpoints. Successful exploitation results in arbitrary code execution with the privileges of the targeted service process.

TL;DR

A critical 9.8 CVSS heap buffer overflow in Windows GDI+ allows unauthenticated attackers to achieve RCE. By sending malformed graphics data over RPC (e.g., targeting Print Spooler), attackers can corrupt heap memory and execute arbitrary code as SYSTEM.

---

Technical Details

• CWE ID: CWE-122
• Attack Vector: Network (RPC)
• CVSS v3.1 Base: 9.8
• EPSS Percentile: 37.28%
• Impact: Remote Code Execution (SYSTEM)
• Exploit Status: Unexploited / PoC Not Public
• KEV Status: Not Listed

Affected Systems

• Windows 11 (22H2, 23H2, 24H2)
• Windows 10 (1607, 1809, 21H2, 22H2)
• Windows Server 2025
• Windows Server 2022
• Windows Server 2019
• Windows Server 2016
• Windows Server 2012 / R2
• Windows Server 2008 / R2
• Microsoft Office for Android
• Microsoft Office LTSC for Mac 2021/2024
• Windows 11: 22H2, 23H2, 24H2 (Fixed in: 10.0.22631.6199 / 10.0.26100.7171)
• Windows 10: 1607, 1809, 21H2, 22H2 (Fixed in: 10.0.14393.8594 / 10.0.19045.6575)
• Windows Server 2025: All (Fixed in: 10.0.26100.7171)
• Windows Server 2022: All (including 23H2) (Fixed in: 10.0.20348.4405 / 10.0.25398.1965)
• Windows Server 2019: All (Fixed in: 10.0.17763.8027)
• Windows Server 2016: All (Fixed in: 10.0.14393.8594)
• Windows Server 2012 / R2: All (Fixed in: 6.2.9200.25768 / 6.3.9600.22869)
• Windows Server 2008 / R2: SP1, SP2 (Fixed in: 6.0.6003.23624 / 6.1.7601.28021)
• Microsoft Office for Android: < 16.0.19426.20044 (Fixed in: 16.0.19426.20044)
• Microsoft Office LTSC for Mac: < 16.103.25110922 (Fixed in: 16.103.25110922)

Mitigation Strategies

• Apply Microsoft November 2025 security updates to all affected operating systems and Office installations.
• Disable the Print Spooler service on systems not explicitly acting as print servers.
• Restrict network access to RPC ports (135, 445, dynamic range) via perimeter and host-based firewalls.
• Enable Protected View in Microsoft Office products to prevent automated rendering of untrusted files.

Remediation Steps:

1. Inventory all Windows endpoints and servers to determine OS build versions.
2. Deploy the appropriate November 2025 Cumulative Update (e.g., KB for 10.0.26100.7171 for Windows Server 2025).
3. Verify successful installation by checking the file version of gdiplus.dll located in C:\Windows\System32.
4. Execute an enterprise-wide Group Policy Object (GPO) to disable the 'Print Spooler' service on Domain Controllers and non-print infrastructure.
5. Update EDR policies to monitor spoolsv.exe for unexpected crash events or unusual child process creation.

References

• Microsoft Security Advisory - CVE-2025-60724
• NVD - CVE-2025-60724 Detail
• CVE.org Record
• Qualys - November 2025 Patch Tuesday Review
• Tenable - Microsoft Patch Tuesday Analysis
• Rapid7 - Patch Tuesday November 2025 Summary
• CrowdStrike - November 2025 Analysis

---

Read the full report for CVE-2025-60724 on our website for more details including interactive diagrams and full exploit analysis.