CyberSecurity

Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network. 

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. 

Missing release of memory after effective lifetime in Windows Cryptographic Services allows an unauthorized attacker to execute code over a network. 

Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network. 

Use after free in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network. 

Use after free in Windows Win32K – GRFX allows an authorized attacker to elevate privileges locally. 

Exposure of sensitive information to an unauthorized actor in Power Automate allows an unauthorized attacker to elevate privileges over a network. 

Added an FAQ to explain the remediation steps customers need to take to be protected from CVE-2025-21204. This includes a link to a script to aid in completing the remediation steps. This is an informational change only. 

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/202[SS9.1]5) for more information. Google is aware that an exploit for CVE-2025-5419 exists in the wild. 

Updated acknowledgment. This is an informational change only.