Security updates for Windows
A large number of the vulnerabilities, 67 this month, affect the Windows versions for which Microsoft still ships security updates: Windows 10, Windows 11 and Windows Server.
Windows 7 and Windows 8.1 stopped receiving security updates long ago, so systems still running them remain vulnerable to everything fixed here. If that applies to you and your hardware meets the system requirements, upgrade to Windows 11 24H2 to keep receiving security updates.
Critical Windows vulnerabilities
Microsoft rates two graphics vulnerabilities as critical: CVE-2025-53766, a remote code execution (RCE) vulnerability in GDI+, the Graphics Device Interface API used by graphical applications, and CVE-2025-50165, an RCE vulnerability in the Windows Graphics Component. In both cases a visit to a specially prepared website can be enough to inject and execute arbitrary code with no further user interaction; for the latter, an attacker only needs to craft a malicious image and embed it in a web page. Because these are drive-by bugs in code every desktop renders, they apply to all supported Windows clients and servers regardless of role.
Microsoft also rates three Hyper-V vulnerabilities as critical. CVE-2025-48807 is an RCE vulnerability that, if exploited, allows code execution on the host from a guest system, breaking the isolation boundary hypervisor hosts exist to enforce. CVE-2025-53781 is an information disclosure vulnerability that exposes confidential data. CVE-2025-49707 is a spoofing vulnerability that lets a virtual machine present a false identity when communicating with external systems. Hosts that run untrusted or tenant-controlled guests should treat the guest-to-host RCE as the top priority.
Microsoft has fixed 12 vulnerabilities in the Routing and Remote Access Service (RRAS): six RCE vulnerabilities and six information disclosure flaws. All are rated high risk, one step below critical. RRAS is not enabled by default, so only systems on which the role has been configured and the service is running are exposed.
The only vulnerability in this Patch Tuesday that was public before the fixes shipped is CVE-2025-53779, an elevation-of-privilege vulnerability in Kerberos on Windows Server 2025. Under certain conditions, a successful attacker can obtain domain administrator rights. Microsoft nevertheless rates it only as medium risk.
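The article lists which components are affected but not how to tell whether a given host is exposed. The following PowerShell triage script is an added example written for this page, not code from the article or from Microsoft. It checks the points raised above on the local machine: whether the OS is still serviced, whether this month's cumulative update is installed, and whether the Hyper-V, RRAS and Windows Server 2025 domain controller roles that the critical and public bugs apply to are present. The `$ExpectedKB` value is a hypothetical placeholder; the real KB number for your OS build must be taken from the Microsoft Update Catalog. The service names (`vmms`, `RemoteAccess`), the build numbers and the `DomainRole`/`ProductType` codes are standard Windows values.

```powershell
# Added example (not from the article or Microsoft): local exposure triage for the
# August 2025 Windows fixes discussed above. Run in an elevated PowerShell on each host.
# $ExpectedKB is a hypothetical placeholder; fill it in from the Microsoft Update Catalog.
param(
    [string]$ExpectedKB = 'KB0000000'   # placeholder: this month's cumulative update KB for your build
)

$os    = Get-CimInstance Win32_OperatingSystem
$cs    = Get-CimInstance Win32_ComputerSystem
$build = [int]$os.BuildNumber

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Area, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Area = $Area; Status = $Status; Detail = $Detail })
}

# 1. Is this OS still serviced? Windows 7 (build 7601) and 8.1 (build 9600) get no fixes.
if ($build -le 9600) {
    Add-Finding 'OS support' 'UNSUPPORTED' "$($os.Caption) build $build receives no security updates; upgrade"
} else {
    Add-Finding 'OS support' 'OK' "$($os.Caption) build $build"
}

# 2. Is the cumulative update that carries these fixes installed?
$hotfix = Get-HotFix -Id $ExpectedKB -ErrorAction SilentlyContinue
if ($hotfix) {
    Add-Finding 'Patch state' 'PATCHED' "$ExpectedKB installed on $($hotfix.InstalledOn)"
} else {
    Add-Finding 'Patch state' 'MISSING' "$ExpectedKB not found by Get-HotFix; verify via Windows Update"
}

# 3. Hyper-V host? The vmms service only exists once the Hyper-V role/feature is enabled.
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($vmms) {
    Add-Finding 'Hyper-V (CVE-2025-48807/-53781/-49707)' 'EXPOSED' "Hyper-V management service is $($vmms.Status); guest-to-host RCE applies"
} else {
    Add-Finding 'Hyper-V' 'N/A' 'Hyper-V role not present'
}

# 4. RRAS? The RemoteAccess service stays disabled unless the role has been configured.
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($rras -and $rras.Status -eq 'Running') {
    Add-Finding 'RRAS (12 CVEs)' 'EXPOSED' 'Routing and Remote Access is running'
} else {
    Add-Finding 'RRAS' 'N/A' "service $(if ($rras) { $rras.Status } else { 'absent' })"
}

# 5. Windows Server 2025 domain controller? DomainRole 4/5 = backup/primary DC.
#    Server 2025 and Windows 11 24H2 share build 26100; ProductType 1 = workstation rules the client out.
$isDC = $cs.DomainRole -ge 4
if ($isDC -and $build -ge 26100 -and $os.ProductType -ne 1) {
    Add-Finding 'Kerberos (CVE-2025-53779)' 'EXPOSED' 'Windows Server 2025 domain controller; escalation to domain admin applies'
} elseif ($isDC) {
    Add-Finding 'Kerberos (CVE-2025-53779)' 'N/A' 'domain controller, but not Windows Server 2025'
} else {
    Add-Finding 'Kerberos (CVE-2025-53779)' 'N/A' 'not a domain controller'
}

# 6. The GDI+ and Graphics Component bugs apply to every supported Windows that renders
#    images, so they reduce to the patch-state check in step 2.
$findings | Format-Table -AutoSize
if ($findings.Status -contains 'MISSING' -or $findings.Status -contains 'UNSUPPORTED') { exit 1 }
```

Run it as `.\Triage-AugustPatches.ps1 -ExpectedKB KBnnnnnnn` (the file name is an assumption) from an elevated prompt; the non-zero exit code lets a configuration-management job flag unpatched or unsupported hosts. `Get-HotFix` only sees updates recorded in the Windows Update history, so a host serviced by a third-party tool may show `MISSING` even when patched; cross-check the `BuildNumber` and UBR against the KB article in that case.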