November 2025 Patch Tuesday: Microsoft Fixes 63 Vulnerabilities, Including Windows Kernel Zero-Day (CVE-2025-62215)

Microsoft has released the November 2025 Patch Tuesday updates, resolving 63 security vulnerabilities spanning its ecosystem, including Windows, Office, .NET, and developer tools. This month’s rollout includes one zero-day vulnerability actively exploited in the wild (a privilege escalation issue in the Windows Kernel) along with several critical-rated issues that warrant immediate patching.

The vulnerabilities are categorized as follows:

• 29 Elevation of Privilege (EoP)
• 16 Remote Code Execution (RCE)
• 11 Information Disclosure
• 3 Denial of Service (DoS)
• 2 Spoofing
• 2 Security Feature Bypass

The distribution of this month’s fixes shows a continued emphasis on addressing privilege escalation risks, which remain one of the most leveraged attack vectors by threat actors.

CVE-2025-62215: Windows Kernel Zero-Day Vulnerability

The November updates feature only one zero-day vulnerability, but its active exploitation in the wild makes it a pressing issue. The flaw affects the Windows Kernel and enables attackers to elevate privileges locally, potentially gaining SYSTEM-level access on affected devices.

According to Microsoft’s advisory, CVE-2025-62215 (CVSS 7.0) arises from a race condition in how the Windows Kernel handles concurrent access to shared resources. By exploiting this flaw, an attacker could execute code with elevated privileges.

CVE-2025-62215, Elevation of Privilege in Windows Kernel (SOCRadar Vulnerability Intelligence)

While exploitation requires the attacker to win a race condition and have some level of system access, Microsoft has confirmed active exploitation in the wild. The vulnerability was discovered and reported by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC).

Security teams should prioritize deploying the November 2025 Patch Tuesday updates immediately, as local privilege escalation vulnerabilities often serve as the second stage in broader attack chains, particularly following phishing or browser-based intrusions.

Enhance Patch Prioritization with SOCRadar XTI

In an environment where hundreds of vulnerabilities emerge every month, distinguishing between theoretical risks and those under active exploitation is critical. SOCRadar’s Cyber Threat Intelligence module helps your security team move beyond basic CVE lists by offering context-driven insights that reveal which flaws pose the most immediate threat to your organization.

SOCRadar delivers:

• Dynamic prioritization: Highlighting vulnerabilities linked to known exploits, malware campaigns, or active adversary groups.
• Cross-platform visibility: Correlating exposures across vendors and technologies for a complete risk picture.
• Lifecycle tracking: Monitoring each vulnerability from disclosure through weaponization and public exploit release.

Track the latest CVEs & hacker trends via SOCRadar’s Vulnerability Intelligence

Armed with this intelligence, you can focus remediation efforts where they matter most, strengthen patch workflows, and stay aligned with real-time attacker behavior.

Which Critical Vulnerabilities Were Fixed in Microsoft’s November 2025 Patch Tuesday?

This month’s release includes five vulnerabilities rated Critical across Microsoft’s graphics, productivity, and developer toolsets.

• CVE-2025-60724 (CVSS 9.8) – GDI+ Remote Code Execution Vulnerability
• CVE-2025-30398 (CVSS 8.1) – Nuance PowerScribe 360 Information Disclosure Vulnerability
• CVE-2025-62199 (CVSS 7.8) – Microsoft Office Remote Code Execution Vulnerability
• CVE-2025-60716 (CVSS 7.0) – DirectX Graphics Kernel Elevation of Privilege Vulnerability
• CVE-2025-62214 (CVSS 6.7) – Visual Studio Remote Code Execution Vulnerability

Details of CVE-2025-60724 (SOCRadar Vulnerability Intelligence)

Together, these flaws represent a mix of execution and privilege escalation vectors that attackers can weaponize with minimal effort. Their integration into everyday applications like Office, Visual Studio, and Windows graphics libraries means even a single unpatched endpoint could provide a foothold for lateral movement.

Which Flaws Are Under Increased Exploitation Risk?

In addition to critical fixes, Microsoft has marked several vulnerabilities as more likely to be exploited in upcoming attack campaigns. These primarily affect Windows networking and privilege-handling components, which adversaries frequently target to gain persistence or escalate privileges after an initial breach.

• CVE-2025-59512 (CVSS 7.8) – Customer Experience Improvement Program (CEIP) Elevation of Privilege Vulnerability
• CVE-2025-60705 (CVSS 7.8) – Windows Client-Side Caching Elevation of Privilege Vulnerability
• CVE-2025-60719 (CVSS 7.0) – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
• CVE-2025-62213 (CVSS 7.0) – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
• CVE-2025-62217 (CVSS 7.0) – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

While exploitation has not yet been confirmed, these vulnerabilities represent prime targets for attackers once technical details become public. Applying the November 2025 Patch Tuesday updates swiftly can reduce the attack surface and prevent these privilege escalation flaws from being chained with remote exploits in the near future.

Apply the November 2025 Patch Tuesday Security Updates

As we covered, November’s release includes one actively exploited zero-day – CVE-2025-62215 (Windows Kernel EoP) – alongside several critical issues such as CVE-2025-60724 (GDI+ RCE) and CVE-2025-62199 (Office RCE). Organizations should apply these patches promptly and then verify remaining exposures across their environments.

Refer to Microsoft’s release note for the complete list of CVEs addressed in November 2025 Patch Tuesday.

Highlights from SAP’s November 2025 Security Patch Day

Beyond Microsoft’s monthly updates, SAP has also issued its November 2025 Security Patch Day notes, addressing a total of 18 new vulnerabilities and providing 2 updates to previously issued advisories. These patches cover a broad range of SAP products, with several Critical-severity issues demanding immediate attention.

Highlighted Critical Notes:

• [3666261] CVE-2025-42890 (CVSS 10.0) – Insecure Key & Secret Management in SQL Anywhere Monitor (Non-Gui)
• [3660659] CVE-2025-42944 (CVSS 10.0) – Insecure Deserialization in SAP NetWeaver AS Java (update to October 2025 note)
• [3668705] CVE-2025-42887 (CVSS 9.9) – Code Injection in SAP Solution Manager

Other notable issues include a memory corruption bug in SAP CommonCryptoLib (CVE-2025-42940, CVSS 7.5), and several medium-severity flaws across SAP Business Connector, SAP HANA, and SAP NetWeaver components, ranging from code injection to path traversal and missing authorization checks.

SAP strongly recommends that administrators apply these patches promptly via the SAP Support Portal, prioritizing systems affected by the Critical and High-severity notes. The full list of advisories can be reviewed in SAP’s official release note.

Monitor your digital assets and company vulnerabilities with SOCRadar’s ASM

SOCRadar Attack Surface Management (ASM) provides continuous visibility into your digital assets, automatically detecting unpatched vulnerabilities and configuration risks. By combining ASM insights with regular patch cycles, you can prioritize remediation efforts and achieve faster, more efficient risk reduction.