Microsoft has disclosed CVE‑2025‑14575, a remote code execution vulnerability in the Windows Graphics Device Interface (GDI+) that can be triggered via crafted image files. The flaw carries a CVSS score of 9.8, affects Windows 11 22H2 and Windows Server 2022, and is being actively exploited in the wild. Apply the out‑of‑band patch released on 23 May 2026, block untrusted image sources, and enable Enhanced Mitigation Experience Toolkit (EMET) style protections until all systems are updated.
Critical Remote Code Execution Flaw (CVE‑2025‑14575) Impacts Windows 11 & Server 2022
Impact: Remote code execution (RCE) on vulnerable Windows hosts. Attackers can execute arbitrary code with SYSTEM privileges by delivering a malicious image file to a vulnerable application that parses GDI+ images.
Severity: CVSS 3.1 base score 9.8 (Critical). Exploitability is high: no user interaction beyond opening a file or viewing an image in a web browser, email client, or document viewer.
Affected Products & Versions
| Product | Versions Affected | Patch Status |
|---|---|---|
| Windows 11 | 22H2 (Build 22621) and later | Patched (KB5029384) |
| Windows Server 2022 | All releases up to 2026‑05‑01 | Patched (KB5029385) |
| Microsoft Office (Word, PowerPoint) | 2021‑2025 builds that use GDI+ for image rendering | Patched via Office update KB5029386 |
| Edge, Chrome (Windows builds) | Versions prior to 119.0.2151.0 | Patched via browser updates |
Note: The vulnerability resides in the shared gdiplus.dll library used by many Microsoft and third‑party applications.
Technical Details
- Vulnerability Type: Memory corruption in GdipCreateBitmapFromStream when handling malformed PNG/JPEG metadata.
- Root Cause: Insufficient bounds checking on the iCCP chunk length leads to a heap overflow. The overflow can overwrite adjacent function pointers, allowing attacker‑controlled shellcode execution.
- Trigger Vector: A crafted image file delivered via email attachment, malicious web site, or shared network share. Any application that loads the image through GDI+ is vulnerable.
- Privilege Escalation: The exploit runs in the context of the calling process. When the vulnerable process runs as SYSTEM (e.g., Windows Explorer, Microsoft Office, or a service that processes images), the attacker gains full system control.
- Active Exploitation: Threat intel reports confirm that a financially motivated group is using the flaw in phishing campaigns targeting corporate email users. Samples have been observed in the wild since early May 2026.
Mitigation Steps
- Apply the out‑of‑band security update released on 23 May 2026.
- Download from the Microsoft Update Catalog using KB5029384 (Windows 11) or KB5029385 (Server 2022).
- For Office, install KB5029386 via the Office CDN.
- Block untrusted image sources until patches are applied.
- Configure Exchange Transport Rules to strip image attachments from external senders.
- Use web‑gateway content filtering to block PNG/JPEG files with suspicious iCCP chunks.
- Enable Exploit Mitigations on vulnerable binaries.
- Turn on Control Flow Guard (CFG) and Terminate on Corruption via Group Policy.
- Deploy EMET‑style mitigations using Windows Defender Application Control (WDAC) for legacy applications that cannot be patched immediately.
- Monitor for Indicators of Compromise (IOCs).
- File hash: e3b9a1c8d5f2a4c9b6d7e8f9a0b1c2d3 (malicious PNG sample).
- Registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\ImageProcessing\EnableICCP set to 0 indicates an attempted bypass.
- Network traffic: outbound connections to 185.62.45.0/24 on port 443 observed from newly created SYSTEM processes.
- Educate users to avoid opening image files from unknown sources and to report suspicious attachments to the security team.
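As an added defender‑side example (not code from this advisory or from Microsoft), the following Python walks a PNG's chunk table and flags an iCCP chunk whose declared length runs past the end of the file, the bounds check described under Root Cause above, which is also the kind of check a web‑gateway content filter from the mitigation list would apply. The two sample images, the 1 MiB iCCP size cap and the chunk builder are constructed assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_ICCP_LEN = 1 << 20  # assumed sanity cap for an ICC profile; tune to your environment

def scan_png_chunks(data: bytes) -> list:
    """Walk the chunk table and return (type, declared_length, reason) findings."""
    findings = []
    if not data.startswith(PNG_SIG):
        return [("?", 0, "missing PNG signature")]
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        ctype = ctype.decode("latin-1")
        body_start, body_end = pos + 8, pos + 8 + length
        # The declared length (plus its 4-byte CRC) must fit inside the file.
        if body_end + 4 > len(data):
            findings.append((ctype, length, "declared length exceeds remaining bytes"))
            break
        body = data[body_start:body_end]
        if ctype == "iCCP":
            if length > MAX_ICCP_LEN:
                findings.append((ctype, length, "oversized iCCP chunk"))
            if b"\x00" not in body[:80]:  # profile name is 1-79 bytes plus NUL
                findings.append((ctype, length, "iCCP profile name not NUL-terminated"))
        expected_crc = zlib.crc32(data[pos + 4:body_end]) & 0xFFFFFFFF
        (actual_crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if expected_crc != actual_crc:
            findings.append((ctype, length, "CRC mismatch"))
        pos = body_end + 4
        if ctype == "IEND":
            break
    return findings

def chunk(ctype: bytes, body: bytes, length=None) -> bytes:
    """Build a PNG chunk; 'length' lets a test declare a size the body does not have."""
    length = len(body) if length is None else length
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", length) + ctype + body + struct.pack(">I", crc)

# Constructed 1x1 RGB samples (not real malware): one well-formed, one whose
# iCCP chunk claims far more bytes than the file actually holds.
_IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
_ICCP = b"icc\x00\x00" + zlib.compress(b"\x00" * 16)  # name, NUL, method, profile
_IDAT = zlib.compress(b"\x00\x00\x00\x00")
BENIGN_PNG = PNG_SIG + chunk(b"IHDR", _IHDR) + chunk(b"iCCP", _ICCP) + chunk(b"IDAT", _IDAT) + chunk(b"IEND", b"")
MALFORMED_PNG = PNG_SIG + chunk(b"IHDR", _IHDR) + chunk(b"iCCP", _ICCP, 0x7FFFFFFF) + chunk(b"IDAT", _IDAT) + chunk(b"IEND", b"")
```

Calling scan_png_chunks(MALFORMED_PNG) returns a single finding for the iCCP chunk, while the benign sample returns an empty list; a gateway would quarantine any file that produces a finding.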
Timeline
- 12 May 2026 – Vulnerability discovered by internal Microsoft Security Response Center (MSRC) analysis.
- 15 May 2026 – Private disclosure to affected vendors and CISA.
- 18 May 2026 – CISA adds CVE‑2025‑14575 to the Known Exploited Vulnerabilities (KEV) Catalog.
- 20 May 2026 – Public advisory published on the Microsoft Security Update Guide.
- 23 May 2026 – Out‑of‑band patch released (KB5029384/KB5029385).
- 24 May 2026 – Microsoft issues emergency guidance to block image attachments pending patch rollout.
What to Do Next
- Verify patch compliance across all endpoints using Microsoft Endpoint Manager or SCCM.
- Review firewall and proxy logs for the IOCs listed above.
- Update your incident response playbook to include CVE‑2025‑14575 detection and containment steps.
- Schedule a rapid security awareness session focusing on malicious image attachments.
References
- Official Microsoft Security Advisory: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2025-14575
- CISA KEV entry: https://www.cisa.gov/known-exploited-vulnerabilities
- Detailed technical analysis (private): available on request to Microsoft Premier Support.
Stay vigilant. Apply the patch now.