Cyber Posture

CVE-2025-53766

Critical

Published: 12 August 2025

Published
12 August 2025
Modified
14 August 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0143 80.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-53766 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the heap-based buffer overflow vulnerability in Windows GDI+ by requiring timely identification, reporting, and correction via vendor patches.

SI-16 Memory Protection good match
prevent

Provides system-level memory protections such as ASLR and DEP to prevent successful exploitation of the heap buffer overflow for arbitrary code execution.

SI-10 Information Input Validation partial match
prevent

Validates information inputs to GDI+ components to block malformed data that triggers the remote heap-based buffer overflow.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Remote unauthenticated heap buffer overflow enabling arbitrary code execution directly maps to exploitation of public-facing or network-reachable applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.

Deeper analysisAI

CVE-2025-53766 is a heap-based buffer overflow vulnerability (CWE-122) in the Windows GDI+ component. Published on 2025-08-12T18:15:45.400, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

An unauthorized attacker can exploit this vulnerability remotely over a network with low attack complexity, requiring no privileges or user interaction. Successful exploitation enables arbitrary code execution on the target system.

Microsoft's update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53766 provides details on associated advisories and patches for mitigation.

Details

CWE(s)
CWE-122

Affected Products

microsoft
office
≤ 16.0.14326.22618 · ≤ 16.0.19127.20000
microsoft
windows 10 1507
≤ 10.0.10240.21100 · ≤ 10.0.10240.21100
microsoft
windows 10 1607
≤ 10.0.14393.8330 · ≤ 10.0.14393.8330
microsoft
windows 10 1809
≤ 10.0.17763.7678 · ≤ 10.0.17763.7678
microsoft
windows 10 21h2
≤ 10.0.19044.6216
microsoft
windows 10 22h2
≤ 10.0.19045.6216
microsoft
windows 11 22h2
≤ 10.0.22621.5768
microsoft
windows 11 23h2
≤ 10.0.22631.5768
microsoft
windows 11 24h2
≤ 10.0.26100.4851
microsoft
windows server 2008
all versions, r2
+6 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-21368Same product: Microsoft Windows 10 1507
CVE-2025-60724Same product: Microsoft Office
CVE-2026-20868Same product: Microsoft Windows 10 1607
CVE-2025-21369Same product: Microsoft Windows 10 1507
CVE-2025-21273Same product: Microsoft Windows 10 1507
CVE-2025-47981Same product: Microsoft Windows 10 1507
CVE-2025-24056Same product: Microsoft Windows 10 1507
CVE-2025-21411Same product: Microsoft Windows 10 1507
CVE-2025-21417Same product: Microsoft Windows 10 1507
CVE-2025-21266Same product: Microsoft Windows 10 1507

References