Urgent Warning: New Graphics-Component Security Flaw Affects Windows 11, Windows 10, and Microsoft Office

India’s Computer Emergency Response Team (CERT-In) has issued a warning about a serious security vulnerability affecting Microsoft Windows systems. This flaw, identified as CVE-2025-60724, permits remote code execution in Microsoft Graphics Components (GDI+), impacting numerous Windows versions, including Windows 10, Windows 11, various Windows Server editions, and Microsoft Office for both Mac and Android platforms. The issue enables attackers to leverage specially crafted metafiles to execute malicious code on targeted systems.

Affected Platforms

The vulnerability is not confined to recent releases; it encompasses a broad range from Windows Server 2008 up to the latest Windows 11 and Server 2025 builds. Additionally, Microsoft Office LTSC for Mac (2021 and 2024) and Microsoft Office for Android are affected.

Nature of the Vulnerability

This security flaw arises from a heap-based buffer overflow in the Microsoft Graphics Components (GDI+). Attackers can exploit it by tricking users into downloading documents that contain specially crafted metafiles, potentially leading to unauthorized code execution on the victim's system.

Security Impact and Risks

The primary risk associated with the vulnerability is that it could allow attackers to gain control of affected devices, manipulate data, or move laterally to extend their access within an organization’s network. Furthermore, there is a significant risk of sensitive data exposure if the vulnerability remains unaddressed.

Update and Mitigation

CERT-In has urged users and system administrators to promptly apply the patches released by Microsoft to mitigate this risk. These security updates can be found in Microsoft’s update guide, which users are strongly advised to check regularly.

For further details on this vulnerability, users can refer to the official Microsoft update guide: Microsoft Security Update Guide.
