Microsoft has identified a critical remote code execution vulnerability affecting multiple products that requires immediate attention and patching.
Microsoft has issued a security advisory for a critical vulnerability affecting multiple products. The vulnerability, tracked as CVE-2026-42897, poses significant risk to organizations and requires immediate action.
Affected Products:
- Windows 10 (versions 1903-22H2)
- Windows 11 (all versions)
- Microsoft Office 2019 and 2021
- Microsoft 365 Apps
- Microsoft Server 2022 and 2019
- Azure Active Directory
The vulnerability is a remote code execution flaw in the Microsoft Graphics Component. An attacker who successfully exploited the vulnerability could run arbitrary code with system privileges.
CVSS Score: 9.8 (Critical)
Exploitation has been observed in the wild. Microsoft has released security updates to address this vulnerability.
Mitigation Steps:
- Apply security updates immediately
- Enable automatic updating on all systems
- Review firewall rules to block unnecessary traffic
- Implement network segmentation to limit potential spread
- Deploy exploit protection measures
Timeline:
- Vulnerability discovered: November 2025
- Security updates released: January 2026 Patch Tuesday
- Exploitation observed: December 2025
- Next scheduled security bulletin: February 2026
For more information, visit the Microsoft Security Response Center and review the official security advisory.
Organizations should prioritize patching systems exposed to the internet and those handling sensitive data. The vulnerability can be exploited without user interaction, making it particularly dangerous.
Microsoft recommends customers apply these updates as soon as possible to protect their systems from potential attacks.
Comments
Please log in or register to join the discussion