Windows Kernel

Security Advisory

Microsoft November Updates- Fixes 63 Vulnerabilities,1 Zero-Day Exploits ; Patch Now

Summary : Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities across multiple Microsoft components. The Microsoft Patch Tuesday also addresses four “Critical” vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges and the fourth is an information disclosure flaw.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-11-11 
No. of Patches 63 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview : Key Updates on Patch Tuesday

The update includes one actively exploited zero-day vulnerability (CVE-2025-62215) in the Windows Kernel and five additional Critical-rated vulnerabilities affecting Office, DirectX, GDI+, Visual Studio, and Nuance PowerScribe. 

This release continues Microsoft’s focus on privilege escalation and remote code execution (RCE) vulnerabilities, highlighting the urgent need for comprehensive patch management across enterprise systems. 

Here are the CVE addresses for Microsoft & non-Microsoft:  

  • 63 Microsoft CVEs addressed 
  • 5 non-Microsoft CVEs addressed (Republished) 

Breakdown of October 2025 Vulnerabilities 

  • 29 Elevation of Privilege (EoP) 
  • 16 Remote Code Execution (RCE) 
  • 11 Information Disclosure 
  • 3 Denial of Service (DoS) 
  • 2 Security Feature Bypass 
  • 2 Spoofing  

Source: Microsoft 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows Kernel Elevation of Privilege Vulnerability (Zero-Day, Exploited in Wild) CVE-2025-62215 Windows 10, 11, Server 2016–2022 Critical 9.0 
Microsoft Office Use-After-Free Remote Code Execution Vulnerability CVE-2025- 62199 Microsoft Office (Word/Excel/Office Suite) Critical 9.8 
Nuance PowerScribe Missing Authorization Information Disclosure Vulnerability CVE-2025-30398 Nuance PowerScribe 360 Critical 9.1 
Windows DirectX Graphics Kernel Use-After-Free Vulnerability CVE-2025-60716 Windows DirectX Graphics Kernel Critical 8.8 
Microsoft GDI+ Heap-Based Buffer Overflow RCE Vulnerability CVE-2025-60724 Microsoft Graphics Component (GDI+) Critical 8.7 
Visual Studio Command Injection Remote Code Execution Vulnerability CVE-2025-62214 Microsoft Visual Studio / Visual Studio Code Critical 8.1 

Technical Summary 

The zero-day is a Windows Kernel bug that lets attackers gain full system control. Other critical & important vulnerabilities include Office and GDI+ vulnerabilities that could allow hackers to run malicious code or steal data.  

Microsoft also patched issues in Visual Studio, DirectX, and Azure services. Users and admins are strongly advised to install these updates right away to stay protected. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-62215 Windows Kernel Race conditions in shared resource execution enables local attackers to elevate privileges to SYSTEM (Zero-Day; Exploited in Wild) Elevation of Privilege 
CVE-2025-62199 Microsoft Office Use-after-free vulnerability in Office allows RCE via malicious documents, typically delivered through phishing campaigns Remote Code Execution 
CVE-2025-30398 Nuance PowerScribe 360 Missing authorization vulnerability allows disclosure of sensitive medical or user data over the network Information Disclosure 
CVE-2025-60716 Windows DirectX Graphics Kernel Use-after-free conditions allow local attackers to escalate privileges, potentially compromising the entire system Elevation of Privilege 
CVE-2025-60724 Microsoft GDI+ Heap-based buffer overflow allows attackers to execute arbitrary code remotely via crafted network traffic or malicious files Remote Code Execution 
CVE-2025-62214 Visual Studio Command injection vulnerability allows attackers to execute arbitrary code locally in developer environments Remote Code Execution 

Source: Microsoft 

In addition to several other Important severity vulnerabilities were addressed below –  

  • CVE-2025-59505: Windows Smart Card Reader – Double-free memory handling vulnerability enabling privilege escalation. 
  • CVE-2025-60704: Windows Kerberos – Missing cryptographic validation allows privilege escalation. 
  • CVE-2025-60719: Windows WinSock Driver – Untrusted pointer dereference enabling SYSTEM-level access. 
  • CVE-2025-59504: Azure Monitor Agent – Heap-based buffer overflow allowing local code execution. 
  • CVE-2025-60714: Windows OLE – Buffer overflow permitting local RCE. 
  • CVE-2025-62452: Windows RRAS – Heap overflow enabling network-based RCE. 
  • CVE-2025-59509: Windows Speech Recognition – Sensitive data exposure vulnerability. 
  • CVE-2025-62208 / CVE-2025-62209: Windows License Manager – Sensitive information insertion into logs. 
  • CVE-2025-62210 / CVE-2025-62211: Dynamics 365 Field Service – Cross-site scripting (XSS) spoofing. 
  • CVE-2025-62449 / CVE-2025-62453: VS Code / GitHub Copilot – Path traversal and AI output validation bypass & Others more Vulnerabilities. 

Source: Microsoft, bleepingcompute, cybersecuritynews 

Key Affected Products and Services 

The November 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services: 

  • Windows Core Components 

Updates for Kernel, Hyper-V, Kerberos, RRAS, WinSock, Smart Card, Bluetooth subsystems. 

  • Microsoft Office Suite 

Patches for Word, Excel, and related components impacted by RCE and Information Disclosure vulnerabilities. 

  • Azure & Cloud Services 

Fixes for Azure Monitor Agent, Dynamics 365, Entra ID, and related connectors. 

  • Graphics Components 

Patches for GDI+, DirectX, WSL GUI. 

  • Developer Tools 

Updates for Visual Studio, Visual Studio Code, and GitHub Copilot. 

  • Third-Party Applications 

Patches for Nuance PowerScribe (Medical domain). 

  • Mobile Platform Technologies 

Updates for Microsoft OneDrive for Android. 

Remediation: 

  • Install the November 2025 Microsoft security updates immediately across all Windows, Office, and Azure systems. 

Here are some recommendations below  

  • Monitor for Indicators of Compromise (IoCs) for privilege escalation attempts, new SYSTEM-level services, or unusual Office file crashes. 
  • Ensure Windows 10 ESU enrollment for extended support systems. 
  • Restrict local admin privileges and enforce least-privilege access. 
  • Leverage EDR/SIEM solutions to detect suspicious kernel and Office activity. 
  • Segment critical systems and disable unused network services (RRAS, SMB). 

Conclusion: 
Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities, including one actively exploited Zero-Day and multiple Critical RCE and EoP vulnerabilities in Office, Windows Kernel, GDI+, and Visual Studio. 

Given the confirmed exploitation and the presence of memory corruption vulnerabilities, immediate patch deployment is necessary to prevent potential ransomware and privilege escalation attacks in our modern cyber world. 

References

Security Advisory

Microsoft October Patch Fixes 175 Vulnerabilities, 6 Zero-Days & Critical Exploits 

Summary:  Microsoft’s October 2025 Patch Tuesday fixes 175 security vulnerabilities in the products Windows, Office, Azure, and .NET and others. It includes patches for 6 – zero-day vulnerabilities where three vulnerabilities have been exploited and three publicly known vulnerabilities.  

Microsoft advises immediate deployment of updates and removal of affected drivers, while assessing legacy fax hardware for compatibility issues introduced by the driver removal in this month update.

The October 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services. 

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-10-14 
No. of Patches 175 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Major fixes address serious remote code execution issues in Office and WSUS, along with privilege escalation vulnerabilities in Windows and Azure. The update also removes the Agere Modem driver, which could affect older fax devices. Users & Administrator are urged to update the patch to immediately to stay protected. 

Here are the CVE addresses for Microsoft & non-Microsoft:  

  • 175 Microsoft CVEs addressed 
  • 21 non-Microsoft CVEs addressed (Republished) 

Breakdown of October 2025 Vulnerabilities 

  • 80 Elevation of Privilege (EoP) 
  • 31 Remote Code Execution (RCE) 
  • 28 Information Disclosure 
  • 11 Denial of Service (DoS) 
  • 11 Security Feature Bypass 
  • 12 Spoofing  
  • 2 Tampering 

Source: Microsoft 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows Agere Modem Driver Elevation of Privilege Vulnerability CVE-2025-24990 Windows 10, 11, Server 2016-2022 High 7.8 
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability CVE-2025-59230 Windows 10, 11, Server 2016-2022 High 7.8 
Secure Boot Bypass Vulnerability in IGEL OS CVE-2025-47827 IGEL OS Medium 4.6 
Windows Server Update Service (WSUS) Remote Code Execution Vulnerability CVE-2025-59287 Windows Server Critical 9.8 
Microsoft Office Remote Code Execution Vulnerability CVE-2025-59234 Microsoft Office High 7.8 
Microsoft Excel Remote Code Execution Vulnerability CVE-2025-59236 Microsoft Excel (2016-2021) High 8.4 

Technical Summary 

October 2025 Patch Tuesday includes security updates addresses remote code execution, privilege escalation and information disclosure vulnerabilities in core Windows components, Office applications and Azure cloud services.

3 zero-days are actively exploited, including CVE-2025-24990 in the Agere Modem driver, where attackers can abuse the third-party component to gain administrative privileges without needing the modem hardware active, leading to local system compromise.  

Additionally, exposes improper access controls in Windows Remote Access Connection Manager, enabling authorized attackers to escalate to SYSTEM privileges with moderate effort.  

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-24990 Windows Agere Modem Driver Third-party driver abused for admin privileges; removed in updates, may break fax modem hardware Privilege Escalation 
CVE-2025-59230 Windows Remote Access Connection Manager Improper access control allows local attackers to gain SYSTEM privileges Privilege Escalation 
CVE-2025-47827 IGEL OS < v11 Improper cryptographic signature verification enables Secure Boot bypass via crafted root filesystem Security Feature Bypass 
CVE-2025-59287 Windows Server Update Service Deserialization of untrusted data allows unauthenticated RCE over networks, prime for supply-chain attacks Remote Code Execution 
CVE-2025-59234 Microsoft Office (2016-2021) Use-after-free in Office allows RCE via malicious files, no authentication required Remote Code Execution 
CVE-2025-59236 Microsoft Excel (2016-2021) Use-after-free in Excel enables RCE via malicious files, potentially leading to system control Remote Code Execution 

Source: Microsoft 

In addition to several other publicly exploited Zero-Day & Critical severity issues were addressed 

  • CVE-2025-0033: AMD SEV-SNP Flaw – Race condition in AMD EPYC processors allows hypervisor to tamper with guest memory; needs privileged access. (Critical) 
  • CVE-2025-24052: Windows Agere Modem EoP – Flaw in modem driver enables local admin privilege escalation; driver removed, may affect fax hardware. (High) 
  • CVE-2025-2884: TCG TPM 2.0 Vulnerability – Out-of-bounds read in TPM cause info disclosure or DoS, impacting secure boot. (Medium) 
  • CVE202549708: Microsoft Graphics Component EoP – Memory corruption enables network-based privilege escalation.  (Critical) 
  • CVE-2025-59227: Microsoft Office RCE – Use-after-free affecting multiple Office versions. (Critical) 
  • CVE-2016-9535: LibTIFF Heap Buffer Overflow – RCE via malformed TIFF files in image processing. (Critical) 
  • CVE-2025-59291 & CVE-2025-59292: Azure Container Instances/Compute Gallery EoP – External file path control for local privilege escalation. (Critical) 

Key Affected Products and Services 

  • Windows Core and Security Components 

Updates for Windows Kernel, NTFS, BitLocker, NTLM, SMB, WinSock, PrintWorkflowUserSvc and Remote Desktop Services, with several vulnerabilities rated CVSS 7.8 or higher. 

  • Microsoft Office Suite 

Patches for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, particularly via malicious file execution. 

  • Azure and Cloud Services 

Fixes for Azure Entra ID, Monitor Agent, Connected Machine Agent, PlayFab and Confidential Container Instances. 

  • Virtualization and Hyper-V 

Vulnerabilities in Hyper-V and Virtual Secure Mode, including privilege escalation and DoS risks. 

  • Developer and Management Tools 

Updates for PowerShell, Visual Studio and Configuration Manager addressing local privilege escalation. 

  • Communication & File Services 

Patches for SMB, WSUS, and Connected Devices Platform with critical RCE and lateral movement risks. 

  • Browsers and Web Technologies 

Microsoft Edge (Chromium-based) updates, including republished Chrome CVEs. 

Remediation: 

  • Install the October 2025 security updates immediately to mitigate risks. 

Here are some recommendations below  

  • Use EDR tools to monitor any indicators like Office crashes or logs. 
  • Disable unused services to prevent any remote access or other exploitation. 
  • Apply least privilege access in Office and Azure environments. 
  • Segment networks to reduce any lateral movement. 

Conclusion: 
Critical RCE flaws in Office and WSUS, along with privilege escalation bugs, pose significant risks for ransomware, data theft and lateral movement. Administrator, users & security teams should deploy patches immediately, enhance monitoring and apply mitigations to reduce exposure. 

References

Scroll to top