A high-severity vulnerability has been identified in multiple Microsoft Windows products, which can be exploited through the Figma Desktop application. An attacker could trick a user into opening a malicious file, allowing the attacker to execute arbitrary code and potentially take full control of the affected workstation, leading to data theft, malware installation, or further network intrusion.

This is a Remote Code Execution (RCE) vulnerability within a core Windows component responsible for rendering graphical elements. An unauthenticated remote attacker can exploit this by crafting a malicious Figma (.fig) file and convincing a user to open it. When the file is processed by the Figma application on a vulnerable Windows system, it triggers a buffer overflow in the underlying OS library, allowing the attacker to execute code with the same privileges as the logged-in user.

This vulnerability is rated as High severity with a CVSS score of 8.4. Successful exploitation could have a significant negative impact on the business. An attacker could gain initial access to the corporate network, exfiltrate sensitive intellectual property (such as proprietary designs stored in Figma files), deploy ransomware, or use the compromised machine as a pivot point to move laterally across the network. The risk is particularly acute for organizations with design, marketing, or engineering teams that rely heavily on the Figma platform.

Immediate Action: Apply the security updates released by Microsoft to all affected Windows systems immediately. Prioritize patching workstations where Figma Desktop is installed. After patching, monitor systems for any signs of attempted exploitation and review relevant logs for indicators of compromise that may have occurred prior to remediation.

Proactive Monitoring: Security teams should monitor for suspicious child processes spawning from Figma.exe (e.g., cmd.exe, powershell.exe). Network monitoring should be configured to detect and alert on unusual outbound connections from workstations running Figma. Review endpoint security logs for unexpected file modifications or the execution of unsigned binaries in user profile directories.

Compensating Controls: If immediate patching is not feasible, implement temporary controls to reduce risk. Use application control policies to prevent Figma from executing unknown or untrusted child processes. Enforce a strict policy against opening Figma files from untrusted sources, such as external emails or websites. Ensure Endpoint Detection and Response (EDR) solutions are deployed and configured to detect and block memory exploitation techniques.

Public Exploit Available: false

Given the high CVSS score of 8.4 and the potential for complete system compromise, this vulnerability poses a critical risk. Although it is not currently listed on the CISA KEV list, its Remote Code Execution nature makes it a prime candidate for future inclusion. We strongly recommend that organizations prioritize the immediate deployment of the relevant Microsoft security updates to all vulnerable Windows endpoints. Focus initial efforts on systems belonging to users in design and product development roles who are most likely to use the Figma application.