In May 2025, Zscaler ThreatLabz identified a critical remote code execution (RCE) vulnerability, designated CVE-2025-50165, with a CVSS score of 9.8. The vulnerability affects the Windows Graphics Component, specifically the windowscodecs.dll library, so any application that depends on this library, including Microsoft Office when it opens documents, is susceptible to exploitation. An attacker can craft a malicious JPEG image and embed it in any file that is processed through windowscodecs.dll; when a user opens such a file, the system can be compromised and the attacker can execute arbitrary code remotely.
Affected Versions
Microsoft has released a patch to address this vulnerability as of August 12, 2025. Given the integral role of the Windows Graphics Component across all Windows systems, the implications of this vulnerability are profound. Below is a table detailing the specific Microsoft Windows products and versions affected by CVE-2025-50165, along with their corresponding patched versions:
| Product | Impacted Version | Patched Version |
|---|---|---|
| Windows Server 2025 | 10.0.26100.4851 | 10.0.26100.4946 |
| Windows 11 Version 24H2 for x64-based Systems | 10.0.26100.4851 | 10.0.26100.4946 |
| Windows 11 Version 24H2 for ARM64-based Systems | 10.0.26100.4851 | 10.0.26100.4946 |
| Windows Server 2025 (Server Core installation) | 10.0.26100.4851 | 10.0.26100.4946 |
Recommendations
ThreatLabz strongly advises all Windows users to update their applications and install the patched versions listed in the affected versions table above to mitigate potential risks.
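A check an administrator can run against the table above, added here as an example and not part of the ThreatLabz advisory. It assumes the registry key and DLL paths named in the comments, that the patched library carries the same build number the table gives for the product, and it reports build lines the table does not list as "not covered" rather than guessing:

```powershell
# Added example, not from the ThreatLabz advisory. Compares this host's OS build and
# its windowscodecs.dll file versions against the patched build from the table above.
# Assumption: the table only lists the 26100 build line, so other build lines are
# reported as 'NotCoveredByTable' instead of being guessed at.
$PatchedBuild = [version]'10.0.26100.4946'

function Get-PatchStatus {
    param([version]$Observed, [version]$Patched)
    # Different build line: the page's table says nothing about it.
    if ($Observed.Build -ne $Patched.Build) { return 'NotCoveredByTable' }
    if ($Observed -ge $Patched) { return 'Patched' }
    return 'Vulnerable'
}

# OS version from the registry: CurrentBuildNumber is the build, UBR the revision.
$nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osVersion = [version]('10.0.{0}.{1}' -f $nt.CurrentBuildNumber, $nt.UBR)
[pscustomobject]@{
    Item    = 'OS build'
    Version = $osVersion
    Status  = Get-PatchStatus -Observed $osVersion -Patched $PatchedBuild
}

# The library itself: the native copy in System32 and, on 64-bit hosts, the 32-bit
# copy in SysWOW64 (the advisory notes CFG is off by default for the 32-bit build).
# Assumption: a patched windowscodecs.dll carries the table's patched build number.
foreach ($dir in 'System32', 'SysWOW64') {
    $path = Join-Path $env:SystemRoot "$dir\windowscodecs.dll"
    if (-not (Test-Path $path)) { continue }
    $vi = (Get-Item $path).VersionInfo
    # Build the version from the numeric parts; the FileVersion string carries extra text.
    $dllVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
        $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Item    = $path
        Version = $dllVersion
        Status  = Get-PatchStatus -Observed $dllVersion -Patched $PatchedBuild
    }
}
```

Run it in an elevated PowerShell session on each host; a 'Vulnerable' row on either the OS build or a DLL copy means the August 12, 2025 update has not been applied.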
Attack Chain
The attack chain initiates with a JPEG image meticulously crafted to exploit the vulnerability. When this image is rendered through windowscodecs.dll, the vulnerability is triggered. The exploit can also be activated indirectly by embedding the image within another file, such as a Microsoft Office document. Once the exploit is executed, the attacker gains the ability to run arbitrary code.
How It Works
ThreatLabz used a systematic approach to discover and analyze CVE-2025-50165: fuzzing, identifying the vulnerable code path, and developing a Proof-of-Concept (PoC) exploit. Fuzzing produced a crash whose faulting instruction was a dereference of uninitialized memory. Further investigation of the memory dump showed that this uninitialized memory could be shaped through heap spraying.
The analysis led to the discovery of the vulnerability’s origin, with a specific code snippet highlighting the entry point for exploitation. Control Flow Guard (CFG) is disabled by default for the 32-bit version of windowscodecs.dll, while the 64-bit version necessitates a CFG bypass for successful exploitation.
Exploit
By leveraging heap spraying and exploiting the untrusted pointer dereference vulnerability, attackers can gain control of the instruction pointer (IP). This control allows for further exploitation through Return-Oriented Programming (ROP). The exploitation process involves allocating heap chunks, triggering the vulnerability, and redirecting execution to the ROP chain stored within the heap.
Proof-of-Concept (PoC)
To illustrate the exploitation of the vulnerability, ThreatLabz developed an example application that enables users to manage heap allocations and process JPEG images. This application allows for heap spray attacks and triggers the vulnerability by processing a specially crafted JPEG image, ultimately manipulating the application’s control flow to facilitate exploitation.
The Zscaler ThreatLabz team has implemented protective measures against CVE-2025-50165, ensuring enhanced security for users navigating this critical vulnerability.