November 2025 Patch Tuesday: Microsoft Fixes 63 Vulnerabilities Including Actively Exploited Zero-Day

Release Date: November 11, 2025
Last Updated: November 12, 2025

Executive Summary

Microsoft's November 2025 Patch Tuesday addresses 63 security vulnerabilities across its product ecosystem, including one actively exploited zero-day vulnerability in the Windows Kernel. This month's update includes 5 critical-severity flaws and 58 important-severity vulnerabilities, with a significant focus on elevation of privilege (EoP) and remote code execution (RCE) issues.

The actively exploited zero-day (CVE-2025-62215) affecting the Windows Kernel demands immediate attention from IT administrators. Additionally, critical remote code execution vulnerabilities in Microsoft Graphics Component and Office applications require urgent patching to prevent system compromise.

This marks the first Patch Tuesday following Windows 10's end-of-life, with extended security updates (ESU) now required for organizations still running the unsupported operating system.

November 2025 Patch Tuesday by the Numbers

Vulnerability Type Breakdown:

• Elevation of Privilege (EoP): 29 vulnerabilities (46%)
• Remote Code Execution (RCE): 16 vulnerabilities (25.4%)
• Information Disclosure: 10 vulnerabilities
• Denial of Service (DoS): 5 vulnerabilities
• Spoofing: 3 vulnerabilities

Actively Exploited Zero-Day Vulnerability (PATCH IMMEDIATELY)

CVE-2025-62215: Windows Kernel Elevation of Privilege

Severity: Important (CVSS 7.0)
Status: Actively Exploited in the Wild
Attack Vector: Local
Authentication Required: Yes (Low-Privileged User)

The Threat:
CVE-2025-62215 is a Windows Kernel elevation of privilege vulnerability with a CVSS score of 7.0 that is being actively exploited in the wild as a zero-day. The vulnerability involves a race condition in Windows Kernel where improper synchronization when accessing shared resources allows an authorized attacker to elevate privileges locally.

Technical Details:
The race condition is notable because it indicates this particular race condition is more reliable than others, making exploitation more predictable for attackers. This race condition flaw enables an authorized local attacker to escalate privileges by exploiting improper synchronization in shared resources.

Why This Matters:
An attacker who has already gained initial access to a system can leverage this vulnerability to gain SYSTEM-level privileges, achieving complete control over the compromised machine. Bugs like these are often paired with a code execution bug by malware to completely take over a system.

Attack Scenario:

1. Attacker gains initial low-privileged access (via phishing, malware, etc.)
2. Exploits CVE-2025-62215 race condition to escalate privileges
3. Achieves SYSTEM-level access
4. Installs persistent malware, steals credentials, or moves laterally

Mitigation Priority: CRITICAL - Deploy within 24-48 hours

Critical Remote Code Execution Vulnerabilities

CVE-2025-60724: Microsoft Graphics Component RCE

Severity: Critical (CVSS 9.8)
Attack Vector: Network (Remote)
Authentication: None Required
Exploitation Assessment: Less Likely

The Threat:
CVE-2025-60724 is a remote code execution vulnerability affecting the Windows Graphics Device Interface (GDI) with a CVSS score of 9.8, involving a heap-based buffer overflow in the Microsoft Graphics Component.

Technical Details:
A heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network. The vulnerability can be triggered by convincing a victim to download and open a document that contains a specially crafted metafile.

Worst-Case Scenario:
An attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile without user interaction, potentially causing RCE or information disclosure on web services that are parsing documents.

Who's Affected:

• Organizations with document processing web services
• Systems that automatically parse uploaded files (document management, email gateways)
• End users who download and open documents from untrusted sources

Mitigation:

• Apply November 2025 security updates immediately
• Implement strict input validation for file uploads
• Use sandboxed environments for document processing
• Educate users about opening files from unknown sources

CVE-2025-62199: Microsoft Office Remote Code Execution

Severity: Critical (CVSS 7.8)
Attack Vector: Local (Requires User Interaction)
Exploitation Assessment: Less Likely

The Threat:
CVE-2025-62199 is a remote code execution vulnerability in Microsoft Office with a CVSS score of 7.8, involving a use-after-free flaw that allows an unauthenticated attacker to execute code locally on a vulnerable workstation.

Attack Vector:
An attacker could exploit this flaw through social engineering by sending a malicious Microsoft Office document file to an intended target. The Preview Pane is an attack vector, which means exploitation does not require the target to open the file.

Why This Is Critical:
The Preview Pane attack vector is particularly dangerous because users don't need to explicitly open a malicious document—simply previewing it in Outlook or File Explorer can trigger exploitation.

Attack Scenario:

1. Attacker crafts malicious Office document
2. Sends document via email or file sharing
3. Victim previews document (automatic in many email clients)
4. Malicious code executes without user opening the file

Additional Office RCE Vulnerabilities:

• CVE-2025-62205: Microsoft Office RCE (CVSS 7.8) - Exploitation Less Likely
• CVE-2025-62216: Microsoft Office RCE (CVSS 7.8) - Exploitation Unlikely

Mitigation:

• Update all Microsoft Office installations immediately
• Disable Preview Pane in Outlook and File Explorer
• Enable Office Protected View for files from untrusted sources
• Implement email filtering for suspicious Office documents

CVE-2025-30398: Nuance PowerScribe 360 Information Disclosure

Severity: Critical (CVSS 8.1)
Attack Vector: Network
Authentication: None Required

The Threat:
CVE-2025-30398 is an information disclosure vulnerability in Nuance PowerScribe 360 with a CVSS score of 8.1, where missing authorization allows an unauthorized attacker to disclose information over a network.

Technical Details:
An unauthenticated attacker could exploit this vulnerability by making an API call to a specific endpoint. The attacker could then use the data to gain access to sensitive information, including PII data, on the server.

Impact:
Healthcare organizations using Nuance PowerScribe 360 for medical transcription and reporting face potential exposure of:

• Protected Health Information (PHI)
• Personally Identifiable Information (PII)
• Patient medical records
• Clinical documentation

Who's Affected:

• Healthcare providers using Nuance PowerScribe 360
• Medical imaging centers
• Radiology departments
• Organizations processing medical transcription

Mitigation:

• Apply vendor patches immediately
• Audit API access logs for suspicious activity
• Implement network segmentation for medical systems
• Review HIPAA compliance after potential exposure

High-Priority Elevation of Privilege Vulnerabilities

Exploitation More Likely (Priority 2)

Microsoft flagged five vulnerabilities as more likely to be exploited, including CVE-2025-59512 (Customer Experience Improvement Program EoP), CVE-2025-60705 (Windows Client-Side Caching EoP), and three flaws in the Windows Ancillary Function Driver for WinSock.

CVE-2025-59512: Customer Experience Improvement Program (CEIP) EoP

Severity: Important (CVSS 7.8)
Status: Exploitation More Likely

CVE-2025-59512 is an elevation of privilege vulnerability in the Customer Experience Improvement Program (CEIP) where an improper access control flaw may allow an authenticated attacker to gain SYSTEM privileges.

Impact: Low-privileged users can escalate to SYSTEM level, gaining complete control over the affected system.

CVE-2025-60705: Windows Client-Side Caching (CSC) Service EoP

Severity: Important
Status: Exploitation More Likely

CVE-2025-60705 is an elevation of privilege vulnerability in Windows Client-Side Caching where an improper access control flaw may allow an authenticated attacker to gain administrator privileges.

Impact: Attackers can gain administrative access to Windows systems, enabling malware installation, credential theft, and persistence.

Windows Ancillary Function Driver for WinSock EoP (3 Vulnerabilities)

CVE-2025-60719, CVE-2025-62217, CVE-2025-62213
Severity: Important (CVSS 7.0 each)
Status: Exploitation More Likely

Three vulnerabilities affect Windows Ancillary Function Driver for WinSock with CVSS ratings of 7.0. The kernel-mode driver is fundamental to Windows, making defects in the component inherently high-risk.

Successful exploitation of these vulnerabilities may allow an attacker to gain SYSTEM privileges.

Why These Matter:
Due to being so intertwined with network-related functionality of Windows, it has the potential to be a way in for many applications in the Windows ecosystem. There have been many vulnerabilities in the past that have been weaponized in this kernel-mode driver.

Additional Critical Vulnerabilities Requiring Attention

CVE-2025-62214: Visual Studio Code Injection RCE

Severity: Important (CVSS 6.7)
Attack Vector: Local

CVE-2025-62214 affects Visual Studio with AI command injection for local RCE, where exploitation is not trivial as it requires multiple steps: prompt injection, Copilot Agent interaction, and triggering a build.

Who's Affected: Developers using Visual Studio with GitHub Copilot enabled

Attack Scenario:

1. Malicious code repository contains prompt injection
2. Developer opens project in Visual Studio with Copilot
3. Copilot agent processes malicious prompts
4. Build process triggers code execution

Mitigation:

• Update Visual Studio and Copilot extensions
• Review code suggestions from AI assistants carefully
• Use trusted code repositories only

CVE-2025-60716: DirectX Graphics Kernel EoP

Severity: Important (CVSS 7.0)
Status: Exploitation Less Likely

CVE-2025-60716 is a DirectX Graphics kernel elevation of privilege vulnerability where a use-after-free flaw in Windows DirectX allows an authorized attacker to elevate privileges locally. Successful exploitation requires an attacker to win a race condition.

Impact: Gaming systems, workstations with DirectX-enabled applications face privilege escalation risk.

Azure and Cloud Services Vulnerabilities

CVE-2025-59504: Azure Monitor Agent RCE

Severity: Important
Attack Vector: Local

CVE-2025-59504 offers local remote code execution in the Azure Monitor Agent via buffer overflow.

Who's Affected: Azure customers using Azure Monitor Agent for cloud resource monitoring.

Mitigation: Azure updates are typically deployed automatically, but verify through Azure Portal that agents are updated.

Dynamics 365 Spoofing Vulnerabilities

CVE-2025-62210, CVE-2025-62211
Severity: Important
Attack Type: Cross-Site Scripting (XSS)

Dynamics 365 sees spoofing via XSS in CVE-2025-62210 and CVE-2025-62211.

Impact: Attackers can inject malicious scripts into Dynamics 365 web interfaces, potentially stealing user sessions or credentials.

Mitigation: Update Dynamics 365 installations and review web application firewall rules.

Products Affected by November 2025 Updates

This month's update includes patches for a wide range of Microsoft products:

Core Windows Components:

• Windows Kernel
• Windows Graphics Component (GDI+)
• Windows Ancillary Function Driver for WinSock
• Windows Client-Side Caching (CSC) Service
• Windows Bluetooth RFCOM Protocol Driver
• Windows WLAN Service
• Windows Speech Recognition
• Windows Smart Card Service
• Customer Experience Improvement Program (CEIP)
• DirectX Graphics Kernel
• Windows Kerberos
• Windows RRAS (Routing and Remote Access Service)

Productivity Applications:

• Microsoft Office (Word, Excel, SharePoint)
• Microsoft 365
• Visual Studio
• Visual Studio Code Copilot Chat Extension
• GitHub Copilot

Cloud & Server:

• Azure Monitor Agent
• Microsoft Dynamics 365 (online and on-premises)
• Microsoft Dynamics 365 Field Service
• Windows Hyper-V
• SQL Server
• OneDrive for Android

Third-Party:

• Nuance PowerScribe 360

Windows 10 Extended Security Updates (ESU)

IMPORTANT NOTICE:
Today is also the first extended security update (ESU) for Windows 10, so if you are still utilizing the unsupported operating system, it is strongly advised that you upgrade to Windows 11 or enroll in the ESU program.

What This Means:

• Windows 10 reached end-of-life on October 14, 2025
• Organizations without ESU enrollment will NOT receive security updates
• November 2025 is the first month requiring ESU for Windows 10 patches
• Systems without ESU are now vulnerable to all newly discovered threats

Your Options:

Option 1: Upgrade to Windows 11 (Recommended)

• Free upgrade for qualifying hardware
• Continued security updates through October 2025
• Modern security features (TPM 2.0, Secure Boot, VBS)

Option 2: Purchase Extended Security Updates

• Available for Windows 10 Enterprise and Education
• Up to 3 years of additional security updates
• Paid annual subscription required
• More information: Windows 10 ESU Program

Option 3: Windows 10 LTSC

• Long-Term Servicing Channel has extended support
• Windows 10 Enterprise LTSC 2019: Supported until January 2029
• Limited to specific use cases

Patch Priority Matrix

Priority 1: Deploy Within 24-48 Hours

1. CVE-2025-62215 - Windows Kernel EoP (Actively Exploited Zero-Day)
2. CVE-2025-60724 - Microsoft Graphics Component RCE (CVSS 9.8)
3. CVE-2025-62199 - Microsoft Office RCE (Preview Pane Attack Vector)
4. CVE-2025-30398 - Nuance PowerScribe 360 Information Disclosure (Healthcare PII)

Priority 2: Deploy Within 1 Week

5. CVE-2025-59512 - CEIP EoP (Exploitation More Likely)
6. CVE-2025-60705 - Windows CSC Service EoP (Exploitation More Likely)
7. CVE-2025-60719, CVE-2025-62217, CVE-2025-62213 - WinSock Driver EoP (Exploitation More Likely)
8. CVE-2025-62205, CVE-2025-62216 - Additional Office RCE vulnerabilities
9. CVE-2025-62214 - Visual Studio Code Injection
10. CVE-2025-60716 - DirectX Graphics Kernel EoP

Priority 3: Standard Patch Cycle (Within 30 Days)

11. Remaining Important-severity vulnerabilities (48 total)
12. Information disclosure vulnerabilities
13. Denial of service vulnerabilities
14. Spoofing vulnerabilities

Patching Best Practices for November 2025

Pre-Deployment Testing

1. Test Environment Preparation:

• Deploy updates to isolated test systems first
• Test critical business applications
• Validate line-of-business software compatibility
• Check driver and hardware compatibility
• Monitor for performance degradation

2. Rollback Planning:

• Ensure recent backups are available
• Document rollback procedures
• Prepare system restore points
• Test backup restoration processes

Deployment Strategy

Phase 1: Critical Systems (0-48 Hours)

• Internet-facing servers
• Domain controllers
• Exchange servers
• File servers with external access
• VPN and remote access infrastructure
• WSUS/SCCM servers

Phase 2: Internal Servers (Days 3-7)

• Database servers
• Application servers
• Internal file servers
• Print servers
• Backup infrastructure

Phase 3: Workstations (Days 7-14)

• Executive and management workstations
• IT and security team devices
• General workforce (in waves)
• Remote worker endpoints

Phase 4: Specialized Systems (Days 14-30)

• Industrial control systems (after vendor approval)
• Medical devices (with regulatory compliance)
• Point-of-sale systems
• Legacy applications requiring extended testing

Post-Deployment Verification

Immediate Checks (Within 24 Hours):

• Verify successful installation via Windows Update
• Review Event Viewer for errors
• Test critical business applications
• Check network connectivity
• Verify security agent functionality

Ongoing Monitoring (Week 1):

• Monitor help desk tickets for issues
• Track application performance metrics
• Review security logs for anomalies
• Conduct vulnerability scans to confirm patching
• Document any compatibility issues

Known Issues and Workarounds

Reported Compatibility Issues:

As of November 12, 2025, Microsoft has not published widespread known issues for this Patch Tuesday. However, organizations should monitor:

1. Microsoft Known Issues Dashboard:
   https://learn.microsoft.com/windows/release-health/status-windows-11-24h2
2. Community Forums:
   • r/sysadmin on Reddit
   • Microsoft Tech Community
   • Spiceworks Community
3. Third-Party Application Vendors:
   • Contact critical application vendors for compatibility statements
   • Check vendor support sites for known issues

If You Experience Issues:

Step 1: Identify the Problem

• Document error messages and symptoms
• Identify affected systems and applications
• Check Event Viewer logs
• Review update history

Step 2: Attempt Resolution

• Reboot the system
• Run Windows Update troubleshooter
• Repair or reinstall affected applications
• Check for conflicting updates

Step 3: Rollback if Necessary

• Navigate to Settings > Update & Security > Windows Update
• Select "View update history"
• Choose "Uninstall updates"
• Select problematic update and remove
• Document issue and report to Microsoft

Security Monitoring and Detection

Indicators of Compromise for CVE-2025-62215

Monitor for the following suspicious activities that may indicate exploitation attempts:

Event Log Monitoring:

• Unexpected privilege escalations (Event ID 4672)
• New process creation with SYSTEM privileges (Event ID 4688)
• Account elevation events (Event IDs 4624, 4672, 4673)

Behavioral Indicators:

• Low-privileged accounts suddenly accessing high-value resources
• Unusual processes running with SYSTEM privileges
• Rapid succession of process creation and termination (race condition attempts)
• Anomalous kernel-level activity

File System Monitoring:

• New files created in system directories by non-administrative users
• Modifications to Windows kernel components
• Suspicious driver installations

Detection Tools:

• Microsoft Defender for Endpoint: Monitor for privilege escalation alerts
• Sysmon: Track process creation with SYSTEM tokens
• EDR Solutions: Configure alerts for kernel exploitation behaviors
• SIEM Rules: Create correlation rules for privilege escalation chains

Additional Security Recommendations

For IT Administrators:

1. Prioritize Zero-Day Patching:
   CVE-2025-62215 is actively exploited—delay increases risk exponentially
2. Accelerate Windows 10 Migration:
   First month of ESU requirement highlights urgency of Windows 11 migration
3. Review Preview Pane Settings:
   Disable Outlook and File Explorer Preview Pane where not essential
4. Audit WinSock Driver Usage:
   Three high-priority vulnerabilities require attention to network-related drivers
5. Verify Azure Auto-Updates:
   Confirm Azure Monitor Agent and cloud services received automatic updates

For Security Teams:

1. Hunt for CVE-2025-62215 Exploitation:
   Review historical logs for privilege escalation indicators since vulnerability disclosure
2. Update Detection Signatures:
   Ensure EDR, IDS/IPS, and SIEM rules detect November 2025 exploits
3. Conduct Vulnerability Scans:
   Verify patch deployment across entire infrastructure within 48 hours
4. Assess Healthcare Organizations:
   Priority review for Nuance PowerScribe 360 exposure (CVE-2025-30398)
5. Review Third-Party Software:
   Coordinate with vendors for compatibility and security updates

For End Users:

1. Restart Your Computer:
   Many patches require reboot to complete installation
2. Update Microsoft Office:
   Ensure Office applications are current to protect against RCE vulnerabilities
3. Disable Preview Pane:
   Temporarily disable in Outlook if unable to update immediately
4. Report Suspicious Activity:
   Alert IT security team to unusual system behavior or performance issues
5. Verify Windows 10 Status:
   Confirm you're running Windows 11 or enrolled in ESU program

Industry Context and Threat Landscape

November 2025 Trends:

1. Kernel Exploitation Continues:
The actively exploited Windows Kernel zero-day reflects ongoing attacker focus on OS-level vulnerabilities for privilege escalation.

2. Office Remains High-Value Target:
Three Office RCE vulnerabilities highlight continued threat actor interest in productivity applications as initial access vectors.

3. Post-Windows 10 EOL Risks:
First ESU-required update emphasizes security risk for organizations delaying Windows 11 migration.

4. Cloud Security Focus:
Azure vulnerabilities demonstrate expanding attack surface in cloud environments.

5. AI-Enabled Development Risks:
Visual Studio Copilot vulnerability (CVE-2025-62214) represents emerging threat category as AI tools integrate into development workflows.

Third-Party Vendor Updates (November 2025)

Other major vendors released security updates coordinated with Microsoft Patch Tuesday:

Released November 11-12, 2025:

• Google Android: November security bulletin with two vulnerability fixes
• Ivanti: November 2025 Patch Tuesday updates
• runC: Security updates for container escape vulnerabilities
• QNAP: Seven zero-day fixes for NAS devices (Pwn2Own Ireland 2025)
• SAP: November security updates including 10/10 hardcoded credentials flaw
• Samsung: November security updates with 25 vulnerability fixes

Organizations should coordinate patching across all vendors for comprehensive security posture.

Resources and References

Official Microsoft Resources:

• Security Update Guide: https://msrc.microsoft.com/update-guide
• Microsoft Update Catalog: https://www.catalog.update.microsoft.com
• Windows Release Health: https://learn.microsoft.com/windows/release-health
• Azure Updates: https://azure.microsoft.com/updates
• Windows 10 ESU Information: https://www.microsoft.com/windows/windows-10-end-of-support

Security Vendor Analysis:

• Tenable November 2025 Patch Tuesday Analysis
• Qualys Security Update Review
• Cisco Talos Intelligence Blog
• Bleeping Computer Coverage
• CyberScoop Patch Tuesday Report
• Lansweeper Patch Management Guide

Community Resources:

• Reddit: r/sysadmin, r/msp
• Microsoft Tech Community Forums
• Twitter/X: #PatchTuesday
• SANS Internet Storm Center

Frequently Asked Questions (FAQ)

Q1: How many vulnerabilities did Microsoft fix in November 2025?

A: Microsoft patched 63 security vulnerabilities, including 1 actively exploited zero-day, 5 critical-severity flaws, and 58 important-severity vulnerabilities.

Q2: Is there an actively exploited zero-day this month?

A: Yes, CVE-2025-62215 affecting the Windows Kernel is actively exploited in the wild and should be patched immediately.

Q3: What is the most critical vulnerability in November 2025?

A: CVE-2025-60724 (Microsoft Graphics Component RCE) has the highest CVSS score of 9.8, but CVE-2025-62215 (actively exploited zero-day) should be prioritized first.

Q4: Will Windows 10 receive these updates?

A: Only if enrolled in Extended Security Updates (ESU). Windows 10 reached end-of-life on October 14, 2025, and no longer receives free security updates.

Q5: Should I patch immediately or test first?

A: For the actively exploited zero-day (CVE-2025-62215), patch critical systems within 24-48 hours after minimal testing. For other vulnerabilities, follow standard testing procedures but complete deployment within 7-30 days.

Q6: Are Microsoft Office applications affected?

A: Yes, three RCE vulnerabilities affect Microsoft Office (CVE-2025-62199, CVE-2025-62205, CVE-2025-62216). CVE-2025-62199 can be exploited via Preview Pane without opening files.

Q7: What should healthcare organizations prioritize?

A: Healthcare providers using Nuance PowerScribe 360 should immediately patch CVE-2025-30398 to prevent unauthorized access to patient health information (PHI/PII).

Q8: How do I check if my systems are patched?

A: Use Windows Update (Settings > Update & Security), run vulnerability scans with tools like Microsoft Baseline Security Analyzer, or check patch management dashboards (WSUS/SCCM).

Q9: What if patches break my applications?

A: Test in non-production environments first. If issues occur in production, document the problem, attempt troubleshooting, and uninstall the specific problematic update while reporting to Microsoft.

Q10: When is the next Patch Tuesday?

A: December 9, 2025 (Second Tuesday of December).

Conclusion

November 2025 Patch Tuesday presents significant security challenges with 63 vulnerabilities requiring attention, headlined by an actively exploited Windows Kernel zero-day. The combination of critical RCE flaws in widely-used components like Microsoft Graphics and Office applications, alongside high-priority elevation of privilege vulnerabilities, demands swift and comprehensive patching efforts.

Key Priorities:

1. Immediate Action: Deploy CVE-2025-62215 patch within 24-48 hours to all Windows systems
2. Office Security: Update Microsoft Office to prevent Preview Pane exploitation
3. Windows 10 Transition: Ensure ESU enrollment or accelerate Windows 11 migration
4. Healthcare Focus: Priority patching for Nuance PowerScribe 360 users
5. Comprehensive Testing: Balance security urgency with operational stability

This marks a critical juncture as the first Patch Tuesday following Windows 10's end-of-life. Organizations still running Windows 10 without ESU now face exponentially increasing risk with each passing month. The actively exploited zero-day underscores that attackers continue to target Windows kernel vulnerabilities, making timely patching not just a best practice but a critical business imperative.

The Bottom Line: Don't delay November 2025 patching. The presence of an actively exploited zero-day means attackers are already weaponizing these vulnerabilities. Every unpatched system is a potential entry point for compromise.

Stay Protected:
Subscribe to our blog for real-time Patch Tuesday analysis, security advisories, and best practices for maintaining a robust security posture.

Next Patch Tuesday: December 9, 2025
Last Updated: November 12, 2025