CVE-2025-60724

Critical

Published: 11 November 2025

Published

11 November 2025

Modified

17 November 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 37.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires organizations to identify, report, and correct flaws like this heap-based buffer overflow through timely application of vendor patches from Microsoft.

SI-16 Memory Protection good match

prevent

Implements memory protection mechanisms such as ASLR, DEP, and heap cookies that directly mitigate exploitation of heap buffer overflows for arbitrary code execution.

SI-10 Information Input Validation partial match

prevent

Mandates validation of inputs to the Microsoft Graphics Component to detect and reject malformed data that could trigger the buffer overflow over the network.

Security SummaryAI

CVE-2025-60724 is a heap-based buffer overflow vulnerability, classified under CWE-122, affecting the Microsoft Graphics Component. Published on 2025-11-11T18:15:41.060, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

The vulnerability enables an unauthorized attacker to execute arbitrary code over a network. Exploitation requires low complexity, no user privileges, no user interaction, and network access, allowing remote attackers to achieve high-impact effects on confidentiality, integrity, and availability, such as full system compromise.

Mitigation details are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60724.

Details

CWE(s): CWE-122

Affected Products

microsoft

office

≤ 16.0.19426.20044

microsoft

office long term servicing channel

2021, 2024

microsoft

windows 10 1607

≤ 10.0.14393.8594 · ≤ 10.0.14393.8594

microsoft

windows 10 1809

≤ 10.0.17763.8027 · ≤ 10.0.17763.8027

microsoft

windows 10 21h2

≤ 10.0.19044.6575

microsoft

windows 10 22h2

≤ 10.0.19045.6575

microsoft

windows 11 23h2

≤ 10.0.22631.6199

microsoft

windows 11 24h2

≤ 10.0.26100.7092

microsoft

windows 11 25h2

≤ 10.0.26200.7092

microsoft

windows server 2008

all versions, r2

+6 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a critical remote code execution (RCE) in the Microsoft Graphics Component with AV:N/AC:L/PR:N/UI:N, directly enabling exploitation of a public-facing application over the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60724
Vendor Advisory · secure@microsoft.com