PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-60724 Microsoft CVE debrief

CVE-2025-60724 is a critical remote code execution issue in Microsoft Graphics Component. The supplied Microsoft/NVD record describes a heap-based buffer overflow (CWE-122) that can let an unauthorized attacker execute code over the network. NVD rates the flaw CVSS 9.8 with AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which is the strongest signal here for urgent patching. The NVD record also links to the Microsoft Security Response Center advisory, and the affected scope in the record spans multiple Microsoft Windows, Windows Server, Office LTSC, macOS, and Android product/version entries.

Vendor: Microsoft
Product: Microsoft Office for Android
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-11-11
Original CVE updated: 2025-11-17
Advisory published: 2025-11-11
Advisory updated: 2025-11-17

Who should care

Microsoft administrators and security teams responsible for affected Windows, Windows Server, Office LTSC, macOS, or Android deployments should treat this as urgent. It is especially relevant for patch management teams that track Microsoft monthly security updates and for environments that rely on the affected Graphics Component in user-facing or remotely reachable workflows.

Technical summary

The record identifies a heap-based buffer overflow in Microsoft Graphics Component, mapped to CWE-122. The vulnerability is network-exploitable and requires neither privileges nor user interaction, matching the CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. That combination indicates a remote attacker could achieve full confidentiality, integrity, and availability impact on affected systems if exploitation succeeds. The NVD CPE criteria show a broad Microsoft ecosystem scope, including several Windows client/server versions and Office LTSC entries.

Defensive priority

Critical

Recommended defensive actions

  • Apply the Microsoft security update referenced by the MSRC advisory for CVE-2025-60724 as soon as possible.
  • Inventory affected assets against the NVD CPE criteria before and after patching, since the record spans multiple Windows, Windows Server, Office LTSC, macOS, and Android entries.
  • Prioritize systems that are exposed to untrusted network content or that process externally supplied graphics/content in business workflows.
  • Verify remediation by checking that installed build numbers are at or above the version boundaries listed in the NVD record.
  • Monitor the Microsoft advisory and NVD entry for any revised guidance or scope changes; the record was modified on 2025-11-17.
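The inventory and remediation-verification steps above, as an added example that is not part of the PatchSiren debrief or of any Microsoft or NVD tooling: a Python matcher that reads the vulnerable CPE criteria and version boundaries from a response in the NVD CVE API 2.0 shape and flags inventory rows whose installed build is still below the boundary. The embedded record, product names and build boundaries are constructed placeholders; the real criteria for CVE-2025-60724 must be taken from the live NVD record.

```python
import json
import re
# Constructed sample shaped like an NVD CVE API 2.0 response; product names and
# boundaries are placeholders, not the real CVE-2025-60724 criteria.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [{"cve": {"id": "CVE-2025-60724",
    "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True, "versionEndExcluding": "10.0.26100.7000",
         "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*"},
        {"vulnerable": True, "versionEndExcluding": "10.0.20348.4000",
         "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*"},
    ]}]}]}}]})

# Constructed inventory rows: (hostname, vendor:product, installed build).
SAMPLE_INVENTORY = [
    ("ws-01", "microsoft:windows_11_24h2", "10.0.26100.6500"),
    ("ws-02", "microsoft:windows_11_24h2", "10.0.26100.7000"),
    ("srv-01", "microsoft:windows_server_2022", "10.0.20348.3999"),
]

def version_key(v):
    """Dotted build string -> int tuple, so 10.0.26100.7000 > 10.0.26100.999."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def vulnerable_ranges(nvd_json, cve_id):
    """Yield (vendor:product, versionStartIncluding, versionEndExcluding) per vulnerable cpeMatch."""
    for item in json.loads(nvd_json)["vulnerabilities"]:
        if item["cve"]["id"] != cve_id:
            continue
        for config in item["cve"].get("configurations", []):
            for node in config["nodes"]:
                for m in node["cpeMatch"]:
                    if m.get("vulnerable"):
                        parts = m["criteria"].split(":")  # cpe:2.3:part:vendor:product:...
                        yield (f"{parts[3]}:{parts[4]}", m.get("versionStartIncluding"),
                               m.get("versionEndExcluding"))

def find_unpatched(nvd_json, cve_id, inventory):
    """Hostnames inside a vulnerable range; a build equal to versionEndExcluding is patched."""
    ranges = list(vulnerable_ranges(nvd_json, cve_id))
    hits = []
    for host, product, build in inventory:
        b = version_key(build)
        for rng_product, start, end in ranges:
            if product != rng_product or (start and b < version_key(start)):
                continue
            if end is None or b < version_key(end):
                hits.append(host)
                break
    return hits
```

Run it before and after patching: hosts that drop out of the returned list have reached the version boundary, and any host still listed needs the update.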

Evidence notes

All substantive claims in this debrief come from the supplied official record data: the NVD CVE entry, the linked Microsoft advisory, and the provided timeline fields. The CVE was published on 2025-11-11 and modified on 2025-11-17; those dates are used here for timing context only. The supplied enrichment does not mark this CVE as CISA KEV, and no ransomware campaign use is recorded. Because the source metadata labels the vendor/product broadly while the NVD CPE criteria span several Microsoft platforms, the affected-product scope should be read directly from the referenced NVD criteria and MSRC advisory, not from the simplified vendor/product fields alone.

Official resources

The public CVE record was published on 2025-11-11 and updated on 2025-11-17 according to the supplied timeline. Microsoft's advisory is linked from the NVD record. No KEV entry is provided in the supplied enrichment.