Microsoft has released its November 2025 Patch Tuesday update, addressing a total of 63 new security vulnerabilities across its software products. Of particular concern is one zero-day flaw that has already been actively exploited in the wild. This significant update underscores the ongoing efforts by vendors to patch critical security gaps and protect users from evolving cyber threats.
The latest patch release includes four Critical and 59 Important severity vulnerabilities. These flaws span various categories, with 29 related to privilege escalation, 16 allowing for remote code execution, 11 concerning information disclosure, and others impacting denial-of-service, security feature bypass, and spoofing mechanisms. These patches come in addition to the 27 vulnerabilities that were previously addressed in Microsoft’s Chromium-based Edge browser since the October 2025 Patch Tuesday.
November 2025 Patch Tuesday: Exploited Zero-Day and Critical Flaws
The most pressing issue highlighted in this month’s update is CVE-2025-62215, a Windows Kernel privilege escalation vulnerability that has been exploited in real-world attacks. Rated with a CVSS score of 7.0, the flaw involves a race condition in concurrent execution using shared resources with improper synchronization. Microsoft’s Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) are credited with the discovery and reporting of this vulnerability.
According to Microsoft’s advisory, an authorized attacker with local access can exploit this vulnerability to elevate their privileges. Successful exploitation relies on an attacker gaining initial access to a system and then triggering a race condition. This allows the attacker to obtain SYSTEM privileges, a highly sensitive level of access.
Ben McCarthy, lead cybersecurity engineer at Immersive, explained that an attacker with low-privilege local access could execute a specially crafted application designed to repeatedly trigger this race condition. The intention is to have multiple threads interact with a shared kernel resource in an uncoordinated manner, which can confuse the kernel’s memory management, leading to the same memory block being freed twice. This “double free” corruption can compromise the kernel heap, enabling the attacker to overwrite memory and hijack system execution flow.
The exact methods and actors behind the exploitation of CVE-2025-62215 remain unknown. However, Satnam Narang, senior staff research engineer at Tenable, assesses that it is likely being used as a post-exploitation technique. Attackers are believed to leverage it to escalate privileges after gaining initial access through other vectors such as social engineering, phishing, or the exploitation of different vulnerabilities.
Mike Walters, president and co-founder of Action1, noted the critical implications when this kernel race condition is chained with other vulnerabilities. For instance, a remote code execution or sandbox escape vulnerability could provide the necessary local code execution, transforming a remote attack into a full system takeover. Similarly, an initial low-privilege foothold could be escalated to dump credentials and achieve lateral movement within a network.
Other Notable Vulnerabilities and Vendor Updates
Beyond the exploited zero-day, Microsoft also addressed two heap-based buffer overflow vulnerabilities in its Graphics Component (CVE-2025-60724, CVSS score: 9.8) and Windows Subsystem for Linux GUI (CVE-2025-62220, CVSS score: 8.8). Both of these could lead to remote code execution.
Another significant vulnerability patched this month is a high-severity privilege escalation flaw in Windows Kerberos, codenamed CheckSum by Silverfort (CVE-2025-60704, CVSS score: 7.5). This vulnerability exploits a missing cryptographic step to gain administrator privileges. Silverfort researchers Eliran Partush and Dor Segal discovered this Kerberos constrained delegation vulnerability, which can allow an attacker to impersonate arbitrary users and potentially gain control over an entire domain through an adversary-in-the-middle (AitM) attack.
Microsoft stated that an attacker would need to position themselves within the logical network path between a target and a requested resource to read or modify network communications. Such an unauthorized attacker would need to wait for a user to initiate a connection to exploit this flaw. Once successfully exploited, the vulnerability could allow an attacker to escalate privileges and move laterally across an organization’s network. More critically, it could enable threat actors to impersonate any user within a company, granting them unfettered access or potential domain administrator rights.
Silverfort indicated that any organization utilizing Active Directory with Kerberos delegation enabled is potentially affected. However, since Kerberos delegation is a feature within Active Directory, an attacker would first require initial access to the environment and compromised credentials to exploit this vulnerability.
In addition to Microsoft’s extensive update, numerous other software vendors have released security advisories and patches in recent weeks. These include updates from Adobe, Amazon Web Services, AMD, Apple, ASUS, Atlassian, AutomationDirect, Bitdefender, Broadcom (including VMware), Cisco, Citrix, ConnectWise, D-Link, Dell, Devolutions, Drupal, Elastic, F5, Fortinet, GitLab, Google (Android, Chrome, Cloud), Grafana, Hitachi Energy, HP, HP Enterprise, IBM, Intel, Ivanti, Jenkins, Lenovo, various Linux distributions (AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu), MediaTek, Mitsubishi Electric, MongoDB, Moxa, Mozilla (Firefox and Firefox ESR), NVIDIA, Oracle, Palo Alto Networks, QNAP, Qualcomm, Rockwell Automation, Ruckus Wireless, Samba, Samsung, SAP, Schneider Electric, Siemens, SolarWinds, SonicWall, Splunk, Spring Framework, Supermicro, Synology, TP-Link, WatchGuard, and Zoom. This widespread vendor activity highlights the continuous and coordinated nature of cybersecurity patching cycles.
Users and IT administrators are strongly advised to review these updates and apply them promptly to mitigate the risks associated with these newly disclosed vulnerabilities. The ongoing exploitation of zero-day flaws underscores the importance of timely patching and robust security practices across all software environments.