CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

CVE-2025-60724
CVSS 9.8 · EPSS 0.17%

CVE-2025-60724: Remote Code Execution via Heap-based Buffer Overflow in Microsoft GDI+

Amit Schendel
Senior Security Researcher

May 3, 2026 · 8 min read

No Known Exploit

Executive Summary (TL;DR)

A critical 9.8 CVSS heap buffer overflow in Windows GDI+ allows unauthenticated attackers to achieve RCE. By sending malformed graphics data over RPC (e.g., targeting Print Spooler), attackers can corrupt heap memory and execute arbitrary code as SYSTEM.

CVE-2025-60724 is a critical, unauthenticated remote code execution vulnerability located in the Microsoft Graphics Component (GDI+). The flaw exists within the parsing logic of `gdiplus.dll` when handling specially crafted graphics objects delivered over network interfaces, specifically Remote Procedure Call (RPC) endpoints. Successful exploitation results in arbitrary code execution with the privileges of the targeted service process.

Vulnerability Overview

The Microsoft Graphics Component (GDI+) operates as a core subsystem within the Windows operating system architecture. It is responsible for rendering two-dimensional vector graphics, handling image file formats, and managing typography. The primary library, gdiplus.dll, is heavily utilized across core OS components, the Microsoft Office suite, and numerous third-party applications.

CVE-2025-60724 exposes a critical, unauthenticated remote code execution vulnerability within this subsystem. Holding a CVSS 3.1 base score of 9.8, the flaw is classified as a CWE-122: Heap-based Buffer Overflow. The vulnerability specifically resides within the memory allocation and copying routines invoked during the processing of complex graphics payloads.

While GDI+ is traditionally viewed as a local rendering component, the attack surface extends across the network via Remote Procedure Call (RPC) interfaces. System services that process graphics metadata over the network, most notably the Windows Print Spooler (spoolsv.exe), act as direct conduits. These services accept unauthenticated network requests and pass the embedded graphics objects directly to gdiplus.dll for parsing.

Successful exploitation yields arbitrary code execution within the context of the vulnerable service process. Because services like the Print Spooler run under the NT AUTHORITY\SYSTEM account by default, an attacker achieving code execution immediately gains full administrative control over the targeted endpoint.

Root Cause Analysis

The root cause of CVE-2025-60724 is a failure to properly validate record size fields when parsing Enhanced Metafile (EMF) and Windows Metafile (WMF) structures. These legacy graphics formats consist of sequential, variable-length records. Each record begins with a standardized header that includes a size identifier, which instructs the parser on how much memory must be allocated to store the record's data.

When gdiplus.dll processes these records, it extracts the 32-bit size field directly from the user-supplied input. The library utilizes this value to calculate the required heap allocation size. However, the calculation logic lacks strict boundary enforcement and fails to account for potential integer truncation or arithmetic wrap conditions when abnormally large size values are supplied.

An attacker controls the size identifier within a crafted metafile. By supplying an artificially large value, the mathematical operations preceding the allocation function wrap around to a small integer. The internal memory allocator reserves a small heap chunk based on this wrapped value.

Following the allocation, the parsing routine proceeds to copy the record data into the newly allocated heap chunk. Crucially, the copy operation (often memcpy or RtlCopyMemory) utilizes the original, unvalidated large size value rather than the wrapped allocation size. This mismatch results in a massive out-of-bounds write, corrupting adjacent heap structures and laying the groundwork for control flow hijacking.

Code Analysis

Analysis of the gdiplus.dll binary prior to the November 2025 security update reveals the structural flaw within the metafile record processing functions. The vulnerable implementation reads the user-supplied record size and proceeds directly to memory allocation and copying without verifying that the size is within logical bounds for a graphics record.

The reconstructed logic below demonstrates the vulnerable pattern. The `recordSize` field is extracted from the record header and used to dictate both the allocation size and the subsequent memory copy operation. If `recordSize` is manipulated to cause an integer overflow during an internal offset calculation, GdipAlloc returns a smaller-than-expected buffer, and the overflow occurs during RtlCopyMemory, which still copies the full, unwrapped `recordSize` bytes.

// Reconstructed Vulnerable Logic in gdiplus.dll
DWORD recordSize = metafileRecord->Size;
 
// No validation is performed on recordSize before allocation
void* buffer = GdipAlloc(recordSize);
 
// If GdipAlloc allocated a smaller buffer due to internal wrapping,
// this copy operation will write past the bounds of the heap chunk.
RtlCopyMemory(buffer, metafileRecord->Data, recordSize);

The patched version of gdiplus.dll introduces strict boundary constraints and safe integer arithmetic prior to invoking the memory allocator. The Microsoft update modifies the parsing loop to explicitly validate that the recordSize falls within an acceptable minimum and maximum range. It also ensures that adding internal header offsets to the recordSize does not trigger an integer overflow.

// Reconstructed Patched Logic in gdiplus.dll
DWORD recordSize = metafileRecord->Size;
DWORD maxRecordSize = MAX_ALLOWED_RECORD_SIZE;
 
// Strict bounds validation added prior to memory operations
if (recordSize < MIN_RECORD_SIZE || recordSize > maxRecordSize) {
    return Status::InvalidParameter;
}
 
void* buffer = GdipAlloc(recordSize);
if (buffer == NULL) {
    return Status::OutOfMemory;
}
 
RtlCopyMemory(buffer, metafileRecord->Data, recordSize);
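The two patterns above side by side, as an added example that is not code from gdiplus.dll or from this report: a 32-bit size-plus-offset computation that wraps, the pre-addition check the patch description calls for, and that check applied to the EMF record header layout (DWORD iType, DWORD nSize). The header offset, the size cap and the sample bytes are assumptions chosen for illustration.

```c
/* Added example, not gdiplus code: the page's size check applied to EMF record headers (DWORD iType, DWORD nSize). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EMR_HEADER_LEN   8u                     /* iType + nSize */
#define INTERNAL_OFFSET  16u                    /* assumed per-record bookkeeping added before allocation */
#define MAX_RECORD_SIZE  (16u * 1024u * 1024u)  /* assumed policy cap for one record, 16 MiB */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern from the page: 32-bit size + offset with no check, so a huge size wraps to a small one. */
uint32_t wrapped_alloc_size(uint32_t n_size) { return n_size + INTERNAL_OFFSET; }

/* Patched pattern: reject before the addition can wrap; 0 means "refuse to allocate". */
uint32_t safe_alloc_size(uint32_t n_size) {
    if (n_size > UINT32_MAX - INTERNAL_OFFSET) return 0;
    return n_size + INTERNAL_OFFSET;
}

/* Validates the record at `off`; returns its nSize, or 0 if the record must be rejected. */
uint32_t validate_emf_record(const uint8_t *buf, size_t len, size_t off) {
    if (off > len || len - off < EMR_HEADER_LEN) return 0;        /* truncated header */
    uint32_t n_size = read_le32(buf + off + 4);
    if (n_size < EMR_HEADER_LEN || n_size > MAX_RECORD_SIZE) return 0;
    if (n_size % 4 != 0) return 0;                                /* EMF records are DWORD aligned */
    if (n_size > len - off) return 0;                             /* claims bytes the input lacks */
    if (safe_alloc_size(n_size) == 0) return 0;                   /* would wrap in the allocation math */
    return n_size;
}

/* Walks every record; returns the record count, or -1 at the first unsafe record. */
int count_emf_records(const uint8_t *buf, size_t len) {
    size_t off = 0; int count = 0;
    while (off < len) {
        uint32_t n = validate_emf_record(buf, len, off);
        if (n == 0) return -1;
        off += n; count++;
    }
    return count;
}
/* Constructed sample input: a 12-byte record then an 8-byte record; the second buffer instead ends with
   a header whose nSize (0xFFFFFFFC) wraps to 12 when INTERNAL_OFFSET is added to it. */
static const uint8_t GOOD[] = { 1,0,0,0, 12,0,0,0, 0xAA,0xBB,0xCC,0xDD, 14,0,0,0, 8,0,0,0 };
static const uint8_t BAD[]  = { 1,0,0,0, 12,0,0,0, 0xAA,0xBB,0xCC,0xDD, 76,0,0,0, 0xFC,0xFF,0xFF,0xFF };
int main(void) {
    printf("good: %d records, bad: %d; 0xFFFFFFFC + %u wraps to %u, safe check returns %u\n",
           count_emf_records(GOOD, sizeof GOOD), count_emf_records(BAD, sizeof BAD),
           INTERNAL_OFFSET, wrapped_alloc_size(0xFFFFFFFCu), safe_alloc_size(0xFFFFFFFCu));
    return 0;
}
```

The cap check rejects the oversized record before the wrap check is reached, which is the intended layering: the range check catches sizes no legitimate record has, and the overflow check guards whatever arithmetic follows it.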

Exploitation Methodology

Exploitation of CVE-2025-60724 requires network access to a target host running a vulnerable RPC endpoint. The most reliable attack vector is the Windows Print Spooler service, which is enabled by default on standard Windows Desktop and Server installations. The attacker does not need credentials or prior authentication to initiate the exploit sequence.

The attacker begins by establishing a connection to the RPC endpoint over TCP port 135 or 445, utilizing the Print System Remote Protocol (MS-RPRN) or the Print System Asynchronous Remote Protocol (MS-PAR). The attacker constructs an RPC request that includes a maliciously crafted EMF payload. This payload contains the specific metafile records engineered with the oversized size identifiers necessary to trigger the integer wrap and subsequent heap overflow.

Reliable exploitation requires precise heap manipulation (heap grooming) within the spoolsv.exe process space. The attacker sends a series of benign RPC requests prior to the exploit payload. These preliminary requests allocate specific object sizes in memory, strategically placing target structures adjacent to the anticipated location of the vulnerable heap chunk.

Upon delivery of the final malformed EMF payload, gdiplus.dll performs the out-of-bounds write. The corrupted data overwrites a previously groomed object virtual method table (vtable) or a function pointer residing in the adjacent heap chunk. When the service subsequently attempts to interact with the corrupted object, the CPU instruction pointer is redirected to attacker-controlled shellcode, initiating the secondary execution phase.

Impact Assessment

The immediate impact of successful exploitation is arbitrary code execution under the security context of the vulnerable process. When targeting the Windows Print Spooler (spoolsv.exe), the attacker code executes as NT AUTHORITY\SYSTEM. This privilege level provides complete, unrestricted access to the local operating system, allowing the attacker to bypass file system ACLs, install persistent mechanisms, and disable endpoint detection agents.

The network-wide consequences of this vulnerability are severe. A compromised host serves as an optimal pivot point for lateral movement within an Active Directory infrastructure. If the compromised host is an infrastructure server or a Domain Controller, the attacker instantly gains domain dominance. This access facilitates bulk credential extraction, Kerberos ticket manipulation, and the deployment of network-wide ransomware.

The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H accurately reflects the high severity of the flaw. The lack of required user interaction and the absence of authentication prerequisites make this vulnerability a prime target for automated exploitation and wormable malware. The bug bypasses traditional perimeter defenses if internal network segmentation is insufficient.

While the current EPSS score is 0.00166, this metric measures observed exploitation in the wild rather than inherent technical risk. Due to the wide deployment of gdiplus.dll across all supported Windows Desktop, Windows Server, and Microsoft Office versions, the attack surface is vast. Security teams must assume that weaponized exploit code will be developed and integrated into exploit kits shortly after disclosure.

Remediation & Mitigation

The definitive remediation for CVE-2025-60724 is the deployment of the November 2025 Microsoft Security Updates. System administrators must prioritize patching across all Windows desktop and server environments. These updates contain the patched gdiplus.dll binary, which implements the necessary mathematical bounds checking and integer overflow protections during metafile parsing.

Specific patched build numbers vary by operating system version. For Windows Server 2022, administrators must verify the installation of build 10.0.20348.4405 or 10.0.25398.1965. Windows 11 systems require build 10.0.22631.6199 or 10.0.26100.7171. Patching priority should be directed toward Internet-facing assets, Domain Controllers, and servers hosting critical RPC services.

Organizations unable to immediately apply the security updates should implement emergency mitigation strategies. Disabling the Windows Print Spooler service on servers that do not require printing functionality completely eliminates the most accessible unauthenticated network vector. This is achievable via Group Policy or local service management configurations.

Network administrators should strictly enforce segmentation policies. Access to RPC endpoints, specifically TCP ports 135, 445, and the dynamic RPC port range, must be restricted to trusted management subnets using host-based firewalls or network access control lists. Endpoint Detection and Response (EDR) rules should be tuned to alert on unexpected crashes or anomalous child processes spawning from spoolsv.exe and svchost.exe.

Technical Appendix

CVSS Score: 9.8 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability: 0.17% (top 63% most exploited)

Affected Systems

  • Windows 11 (22H2, 23H2, 24H2)
  • Windows 10 (1607, 1809, 21H2, 22H2)
  • Windows Server 2025
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 / R2
  • Windows Server 2008 / R2
  • Microsoft Office for Android
  • Microsoft Office LTSC for Mac 2021/2024

Affected Versions Detail

Product (vendor: Microsoft)      Affected Versions          Fixed Version
Windows 11                       22H2, 23H2, 24H2           10.0.22631.6199 / 10.0.26100.7171
Windows 10                       1607, 1809, 21H2, 22H2     10.0.14393.8594 / 10.0.19045.6575
Windows Server 2025              All                        10.0.26100.7171
Windows Server 2022              All (including 23H2)       10.0.20348.4405 / 10.0.25398.1965
Windows Server 2019              All                        10.0.17763.8027
Windows Server 2016              All                        10.0.14393.8594
Windows Server 2012 / R2         All                        6.2.9200.25768 / 6.3.9600.22869
Windows Server 2008 / R2         SP1, SP2                   6.0.6003.23624 / 6.1.7601.28021
Microsoft Office for Android     < 16.0.19426.20044         16.0.19426.20044
Microsoft Office LTSC for Mac    < 16.103.25110922          16.103.25110922

Attribute summary

CWE ID: CWE-122
Attack Vector: Network (RPC)
CVSS v3.1 Base: 9.8
EPSS Percentile: 37.28%
Impact: Remote Code Execution (SYSTEM)
Exploit Status: Unexploited / PoC Not Public
KEV Status: Not Listed

MITRE ATT&CK Mapping

  • T1210 Exploitation of Remote Services (Initial Access)
  • T1203 Exploitation for Client Execution (Execution)
  • T1499 Endpoint Denial of Service (Impact)

CWE-122: Heap-based Buffer Overflow

A heap overflow condition can occur when an application allocates a block of memory on the heap and then writes more data to that block than it can hold.

Vulnerability Timeline

2025-11-10  Vulnerability assigned and metadata finalized.
2025-11-11  Official disclosure by Microsoft and NVD. Security updates released.
2025-11-12  Technical reviews published by Rapid7, Qualys, and Tenable.
2025-11-17  Reports of the vulnerability being referenced in underground forums.
2026-05-01  Research indicates the vulnerability remains a primary target for unpatched systems.

Attack Flow Diagram (interactive diagram not reproduced in this text)