Microsoft addresses critical remote code execution flaw affecting multiple Windows versions. CVSS score 9.8. Update now.
Microsoft has released security updates to address CVE-2025-13462, a critical vulnerability allowing remote code execution on unpatched systems. Attackers could exploit this vulnerability without authentication, potentially gaining complete control over affected systems.
The vulnerability exists in the Windows Graphics Component, specifically in the way the operating system handles specially crafted image files. Successful exploitation could allow an attacker to run arbitrary code in the context of the current user.
Affected products include:
- Windows 10 Version 21H2 and later
- Windows 11 Version 22H2 and later
- Windows Server 2022
- Windows Server 2019
Microsoft has assigned a CVSS score of 9.8 to this vulnerability, indicating critical severity. The vulnerability has been exploited in limited targeted attacks before Microsoft's patch release.
Mitigation steps:
- Install the security updates immediately
- Block untrusted image file types at network boundaries
- Enable Windows Defender Antivirus with real-time protection
- Configure Windows Defender Exploit Guard to mitigate potential exploits
Microsoft released the security updates on Patch Tuesday, June 11, 2025. Organizations should prioritize deployment of these updates to critical systems within 72 hours.
For detailed information about the vulnerability, refer to the Microsoft Security Advisory. The Security Update Guide provides additional context and deployment instructions.
Organizations with systems unable to receive updates should implement the following compensating controls:
- Restrict access to image file types
- Deploy application control policies
- Implement network segmentation
The MSRC (Microsoft Security Response Center) has confirmed that they are not aware of any additional vulnerabilities in the Windows Graphics Component at this time.
Comments
Please log in or register to join the discussion