Microsoft has identified a critical remote code execution vulnerability affecting multiple products. Organizations must apply patches immediately to prevent potential attacks.
Microsoft has issued a critical security advisory addressing CVE-2026-3537, a severe vulnerability that could allow attackers to execute arbitrary code on affected systems. The vulnerability affects multiple Microsoft products including Windows operating systems, Microsoft Office, and Azure services.
CVSS 9.8 severity. Exploitation is likely. Immediate action required.
The vulnerability exists in how Microsoft Windows handles specially crafted files. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system.
Microsoft has released security updates to address this vulnerability. Organizations should apply these updates as soon as possible. The updates are available through the Microsoft Update Catalog, Windows Update, and Microsoft Update.
Affected products include:
- Windows 10 (Version 1803 and later)
- Windows 11 (All versions)
- Microsoft Office 2019 and Microsoft 365 Apps
- Azure Stack Hub
- Microsoft Exchange Server
For systems that cannot be immediately updated, Microsoft has provided mitigation steps including disabling certain protocols and implementing network segmentation.
The vulnerability was discovered by security researchers at Redmond Security and responsibly disclosed to Microsoft on November 15, 2025. Microsoft acknowledged the report on November 18, 2025, and began developing a fix. The security updates were released as part of the December 2025 Patch Tuesday.
Organizations should prioritize patching systems that are directly accessible from the internet first. These systems face the highest risk of exploitation.
For detailed information about the vulnerability and the available updates, organizations should consult the Microsoft Security Advisory.
Additional resources:
Comments
Please log in or register to join the discussion