Zscaler ThreatLabz uncovered **CVE-2025-50165**, a critical **Remote Code Execution (RCE)** vulnerability in the **Windows Graphics Component** (CVSS 9.8). The flaw sits in **windowscodecs.dll**, the Windows Imaging Component library that applications such as **Microsoft Office** load to decode images, so any application that hands the library a crafted JPEG is exposed. An attacker embeds a malicious JPEG in a document; opening that document is enough to trigger arbitrary code execution, so the attack needs only **minimal user interaction**. The root cause is an **uninitialized pointer dereference** in `GpReadOnlyMemoryStream::InitFile`, which the researchers turned into code execution with **heap spraying and a ROP chain**. The 32-bit build of windowscodecs.dll is not compiled with **Control Flow Guard (CFG)**, so no CFG bypass is needed there; the 64-bit build enforces CFG and demands additional bypass techniques, but both architectures are vulnerable. The bug affects **Windows 11 24H2 (x64 and ARM64), Windows Server 2025, and Server Core installations**, exposing **millions of systems** to potential **full system compromise**, including **data theft, lateral movement, or ransomware deployment**. Microsoft released the fix on August 12, 2025 (build **10.0.26100.4946**); unpatched systems face **immediate risk** because of the **low attack complexity** and the **widespread use of Office and Windows**. Organizations that fail to patch within **48 hours** risk **large-scale breaches**, operational disruption, or **supply-chain attacks** via weaponized documents.
Source: https://cyberpress.org/windows-graphics-vulnerability/
Microsoft cybersecurity rating report: https://www.rankiteo.com/company/microsoft
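The two checks a defender actually needs from the summary above (and from the "apply the patch" and "enable CFG" recommendations in the report data below) are: is the host at or above build 10.0.26100.4946, and was the windowscodecs.dll image on disk linked with Control Flow Guard? The following is an added example written for this page; it is not code from Rankiteo, Zscaler ThreatLabz or Microsoft. It assumes the host build is read from `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion` (`CurrentBuildNumber` plus `UBR`), that the 64-bit and 32-bit copies of the DLL live in `System32` and `SysWOW64`, and that the `IMAGE_DLLCHARACTERISTICS_GUARD_CF` bit (0x4000) in the PE optional header is the CFG indicator; the page does not say how the researchers established the 32-bit build lacks CFG. The PE images in the block are constructed for demonstration.

```python
# Added example (not from the Rankiteo page, Zscaler or Microsoft): check the
# host build against the CVE-2025-50165 fix build and read the CFG bit from a
# PE image such as windowscodecs.dll. Registry path, DLL paths and the use of
# the DllCharacteristics GUARD_CF bit are assumptions made for this example.
import struct
import sys

FIX_BUILD = (10, 0, 26100, 4946)            # build named in the advisory
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000  # set by the linker for /guard:cf
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def parse_build(text: str) -> tuple:
    """'10.0.26100.4946' -> (10, 0, 26100, 4946); short forms are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad build string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(build: str) -> bool:
    """True if the build carries the August 2025 fix for CVE-2025-50165."""
    return parse_build(build) >= FIX_BUILD


def pe_cfg_status(image: bytes) -> dict:
    """Return {'machine', 'pe32plus', 'cfg'} for a PE image.

    DllCharacteristics sits at offset 70 of the optional header for both
    PE32 and PE32+ (the 8-byte ImageBase absorbs BaseOfData), so one offset
    serves 32- and 64-bit images. The bit only says the image was linked
    with CFG; whether a process enforces it is a separate question.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, file_hdr)
    opt_hdr = file_hdr + 20
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", image, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", image, opt_hdr + 70)[0]
    return {
        "machine": MACHINE_NAMES.get(machine, f"{machine:#x}"),
        "pe32plus": magic == 0x20B,
        "cfg": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def build_sample_pe(machine: int, pe32plus: bool, dll_chars: int) -> bytes:
    """Constructed minimal PE header (no sections) used to exercise pe_cfg_status."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224             # standard header sizes
    characteristics = 0x2002 | (0 if pe32plus else 0x0100)  # DLL | EXEC | 32BIT?
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


def host_build_windows() -> str:
    """Read CurrentBuildNumber.UBR from the registry (assumes a Windows host)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion")
    build, _ = winreg.QueryValueEx(key, "CurrentBuildNumber")
    ubr, _ = winreg.QueryValueEx(key, "UBR")
    return f"10.0.{build}.{ubr}"


if __name__ == "__main__":
    # Constructed images: a 32-bit DLL linked without CFG, a 64-bit DLL with it.
    for img in (build_sample_pe(0x014C, False, 0x0140),
                build_sample_pe(0x8664, True, 0x0160 | IMAGE_DLLCHARACTERISTICS_GUARD_CF)):
        print(pe_cfg_status(img))
    if sys.platform == "win32":
        build = host_build_windows()
        print(build, "patched" if is_patched(build) else "NOT patched")
        for path in (r"C:\Windows\System32\windowscodecs.dll",
                     r"C:\Windows\SysWOW64\windowscodecs.dll"):
            try:
                with open(path, "rb") as f:       # headers fit in the first 4 KiB
                    print(path, pe_cfg_status(f.read(4096)))
            except OSError as e:
                print(path, "skipped:", e)
```

Run it on a 64-bit Windows 11 24H2 host and it reports the build and, for each copy of windowscodecs.dll, whether the GUARD_CF bit is set; a 64-bit system still ships the 32-bit copy under SysWOW64 for 32-bit Office and other 32-bit processes, which is why both paths are checked.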
"id": "MIC1133111112125",
"linkid": "microsoft",
"type": "Vulnerability",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'All users of Windows 11 Version '
'24H2, Windows Server 2025, and '
'Server Core installations',
'industry': 'Technology',
'location': 'Global',
'name': 'Microsoft',
'size': 'Large',
'type': 'Corporation'}],
'attack_vector': ['Malicious JPEG Image',
'Weaponized Document',
'Heap Spraying + Return-Oriented Programming (ROP)'],
'customer_advisories': 'Users advised to update Windows immediately to '
'prevent potential system compromise via malicious '
'images/documents.',
'date_publicly_disclosed': '2025-08-12',
'date_resolved': '2025-08-12',
'description': 'Zscaler ThreatLabz discovered CVE-2025-50165, a critical '
'remote code execution (RCE) vulnerability affecting the '
'Windows Graphics Component with a CVSS score of 9.8. The flaw '
'exists within windowscodecs.dll, a library used by numerous '
'applications, including Microsoft Office, creating a '
'widespread attack surface. Attackers can craft malicious JPEG '
'images that, when processed by any application using '
'windowscodecs.dll, trigger arbitrary code execution with '
'minimal user interaction (e.g., opening a weaponized '
'document). The vulnerability impacts Windows 11 Version 24H2, '
'Windows Server 2025, and Server Core installations. Microsoft '
'released a patch on August 12, 2025, updating affected '
'versions to build 10.0.26100.4946.',
'impact': {'brand_reputation_impact': 'High (Critical vulnerability with '
'widespread media coverage)',
'operational_impact': 'High (Potential full system compromise via '
'arbitrary code execution)',
'systems_affected': ['Windows 11 Version 24H2 (x64)',
'Windows 11 Version 24H2 (ARM64)',
'Windows Server 2025',
'Windows Server 2025 (Server Core)']},
'initial_access_broker': {'entry_point': ['Malicious JPEG image in weaponized '
'document']},
'investigation_status': 'Resolved (Patch released; no active exploitation '
'reported)',
'lessons_learned': 'Critical vulnerabilities in core system components (e.g., '
'windowscodecs.dll) require accelerated patch management '
'due to their broad attack surface. Default security '
'mechanisms (e.g., CFG) may not be enabled in all '
'architectures (32-bit vs. 64-bit), increasing '
'exploitation risk. Proactive fuzzing and third-party '
'research (e.g., Zscaler) play a key role in identifying '
'high-severity flaws before widespread exploitation.',
'post_incident_analysis': {'corrective_actions': ['Microsoft released patch '
'(build 10.0.26100.4946) to '
'address the memory '
'corruption issue.',
'Security bulletin issued '
'with CVSS 9.8 severity '
'rating to emphasize '
'urgency.',
'Recommendations provided '
'for enabling CFG and '
'network segmentation.'],
'root_causes': ['Uninitialized memory pointer '
'dereference in '
'GpReadOnlyMemoryStream::InitFile '
'(windowscodecs.dll).',
'Lack of Control Flow Guard (CFG) '
'protection in 32-bit versions of '
'windowscodecs.dll.',
'Widespread dependency on '
'vulnerable library across '
'Microsoft Office and other '
'applications.']},
'recommendations': ['Apply Microsoft patch (build 10.0.26100.4946) '
'immediately across all affected systems.',
'Prioritize patching for systems processing untrusted '
'images/documents (e.g., email servers, shared drives).',
'Enable Control Flow Guard (CFG) where possible to '
'mitigate ROP-based exploits.',
'Monitor for suspicious activity involving JPEG/image '
'processing workflows.',
'Educate users on risks of opening untrusted '
'documents/emails.',
'Segment networks to limit lateral movement '
'post-exploitation.'],
'references': [{'source': 'Zscaler ThreatLabz Research'},
{'source': 'Microsoft Security Update Guide (August 2025)'}],
'response': {'communication_strategy': ['Public advisory via Microsoft '
'Security Update Guide',
'Urgent recommendation for 48-hour '
'patch deployment'],
'containment_measures': ['Patch deployment (build '
'10.0.26100.4946)'],
'remediation_measures': ['Immediate patching of all affected '
'Windows systems',
'Prioritization of Windows '
'infrastructure updates'],
'third_party_assistance': ['Zscaler ThreatLabz (Discovery)']},
'stakeholder_advisories': 'Microsoft urged all organizations to treat this as '
'a critical priority and verify patch deployment '
'within 48 hours.',
'title': 'Critical Remote Code Execution Vulnerability in Windows Graphics '
'Component (CVE-2025-50165)',
'type': ['Vulnerability', 'Remote Code Execution (RCE)'],
'vulnerability_exploited': 'CVE-2025-50165 (Uninitialized Memory Pointer '
'Dereference in GpReadOnlyMemoryStream::InitFile)'}