Microsoft rolled out its November 2025 Patch Tuesday security updates today, addressing 63 vulnerabilities across its product and service ecosystem.
Among these, one zero-day flaw has already been exploited in the wild, underscoring the urgency for organizations and users to apply patches promptly to mitigate potential threats.
The updates cover Windows, Office, Azure, Visual Studio, and other components, with a focus on remote code execution (RCE) and elevation of privilege (EoP) issues that could allow attackers to compromise systems.

| Impact | Count |
|---|---|
| Elevation of Privilege | 29 |
| Remote Code Execution | 16 |
| Information Disclosure | 11 |
| Denial of Service | 3 |
| Spoofing | 2 |
| Security Feature Bypass | 2 |

The key concern is CVE-2025-62215, a Windows Kernel Elevation of Privilege vulnerability rated as Important, with confirmed exploitation.
This race condition flaw enables an authorized local attacker to escalate privileges by exploiting improper synchronization in shared resources.
Microsoft notes that exploitation is more likely due to its active use, potentially allowing threat actors to gain higher access on affected Windows systems. No workaround exists beyond installing the update, and experts recommend immediate deployment on all supported versions, including Windows 10, 11, and Server editions.
Critical vulnerabilities dominate the release, with five rated as such. Leading the pack is CVE-2025-62199, a use-after-free bug in Microsoft Office leading to RCE, where an unauthorized attacker could execute code locally via malicious documents.
Exploitation is deemed less likely, but its critical severity warrants priority patching for Office users. Similarly, CVE-2025-60716 in Windows DirectX involves a use-after-free error, allowing local privilege escalation to critical levels.
Another high-impact issue, CVE-2025-60724, is a heap-based buffer overflow in GDI+ that permits remote code execution over networks, posing risks to graphics-dependent applications.
CVE-2025-62214 affects Visual Studio with command injection for local RCE, while CVE-2025-30398 in Nuance PowerScribe 360 exposes sensitive information via missing authorization, all released on November 11, 2025.
The bulk of the patches, 57 of them rated Important, target elevation of privilege flaws, which comprised over half the vulnerabilities. Notable examples include CVE-2025-59505 (double free in Windows Smart Card), CVE-2025-60704 (missing cryptographic step in Kerberos for network-based EoP), and CVE-2025-60719 (untrusted pointer dereference in WinSock driver).
Information disclosure issues, like CVE-2025-59509 in Windows Speech Recognition, and denial-of-service bugs, such as CVE-2025-59510 in RRAS, round out the list.
Azure components aren’t spared, with CVE-2025-59504 offering local RCE in the Monitor Agent via buffer overflow. Dynamics 365 sees spoofing via XSS in CVE-2025-62210 and CVE-2025-62211.

| CVE ID | Product/Component | Description | Impact |
|---|---|---|---|
| CVE-2025-62199 | Microsoft Office | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | Remote Code Execution |
| CVE-2025-60716 | DirectX Graphics Kernel | Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-60724 | GDI+ | Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network. | Remote Code Execution |
| CVE-2025-62214 | Visual Studio | Improper neutralization of special elements used in a command (‘command injection’) in Visual Studio allows an authorized attacker to execute code locally. | Remote Code Execution |
| CVE-2025-30398 | Nuance PowerScribe 360 | Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network. | Information Disclosure |
| CVE-2025-59504 | Azure Monitor Agent | Heap-based buffer overflow in Azure Monitor Agent allows an unauthorized attacker to execute code locally. | Remote Code Execution |
| CVE-2025-59505 | Windows Smart Card Reader | Double free in Windows Smart Card allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-59506 | DirectX Graphics Kernel | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows DirectX allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-59507 | Windows Speech Runtime | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Speech allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-59508 | Windows Speech Recognition | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Speech allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-59509 | Windows Speech Recognition | Insertion of sensitive information into sent data in Windows Speech allows an authorized attacker to disclose information locally. | Information Disclosure |
| CVE-2025-59510 | Windows Routing and Remote Access Service (RRAS) | Improper link resolution before file access (‘link following’) in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to deny service locally. | Denial of Service |
| CVE-2025-59511 | Windows WLAN Service | External control of file name or path in Windows WLAN Service allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-59512 | Customer Experience Improvement Program (CEIP) | Improper access control in Customer Experience Improvement Program (CEIP) allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-59513 | Windows Bluetooth RFCOMM Protocol Driver | An out-of-bounds read in the Windows Bluetooth RFCOMM Protocol Driver allows an authorized attacker to disclose local information. | Information Disclosure |
| CVE-2025-60703 | Windows Remote Desktop Services | Untrusted pointer dereference in Windows Remote Desktop allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-60704 | Windows Kerberos | Missing cryptographic step in Windows Kerberos allows an unauthorized attacker to elevate privileges over a network. | Elevation of Privilege |
| CVE-2025-60705 | Windows Client-Side Caching | Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-60706 | Windows Hyper-V | Out-of-bounds read in Windows Hyper-V allows an authorized attacker to disclose information locally. | Information Disclosure |
| CVE-2025-60707 | Multimedia Class Scheduler Service (MMCSS) Driver | Use after free in Multimedia Class Scheduler Service (MMCSS) allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-60708 | Storvsp.sys Driver | Untrusted pointer dereference in Storvsp.sys Driver allows an authorized attacker to deny service locally. | Denial of Service |
| CVE-2025-60709 | Windows Common Log File System Driver | Out-of-bounds read in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-60710 | Host Process for Windows Tasks | Improper link resolution before file access (‘link following’) in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-60726 | Microsoft Excel | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | Information Disclosure |
| CVE-2025-60727 | Microsoft Excel | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution |
| CVE-2025-60728 | Microsoft Excel | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network. | Information Disclosure |
| CVE-2025-62206 | Microsoft Dynamics 365 (On-Premises) | Exposure of sensitive information to an unauthorized actor in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to disclose information over a network. | Information Disclosure |
| CVE-2025-62210 | Dynamics 365 Field Service (online) | Improper neutralization of input during web page generation (‘cross-site scripting’) in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network. | Spoofing |
| CVE-2025-62216 | Microsoft Office | Use-after-free in Windows Broadcast DVR User Service allows an authorized attacker to elevate privileges locally. | Remote Code Execution |
| CVE-2025-60719 | Windows Ancillary Function Driver for WinSock | Untrusted pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-60722 | Microsoft OneDrive for Android | Improper limitation of a pathname to a restricted directory (‘path traversal’) in OneDrive for Android allows an authorized attacker to elevate privileges over a network. | Elevation of Privilege |
| CVE-2025-62217 | Windows Ancillary Function Driver for WinSock | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-62218 | Microsoft Wireless Provisioning System | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Microsoft Wireless Provisioning System allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-62219 | Microsoft Wireless Provisioning System | Double free in Microsoft Wireless Provisioning System allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-62220 | Windows Subsystem for Linux GUI | Heap-based buffer overflow in Windows Subsystem for Linux GUI allows an unauthorized attacker to execute code over a network. | Remote Code Execution |
| CVE-2025-62452 | Windows Routing and Remote Access Service (RRAS) | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network. | Remote Code Execution |
| CVE-2025-59240 | Microsoft Excel | Exposure of sensitive information to an unauthorized actor in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | Information Disclosure |
| CVE-2025-47179 | Configuration Manager | Improper access control in Microsoft Configuration Manager allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-59514 | Microsoft Streaming Service Proxy | Use-after-free in Windows Broadcast DVR User Service allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-59515 | Windows Broadcast DVR User Service | Improper privilege management in the Microsoft Streaming Service allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-60713 | Windows Routing and Remote Access Service (RRAS) | Untrusted pointer dereference in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-60714 | Windows OLE | Heap-based buffer overflow in Windows OLE allows an unauthorized attacker to execute code locally. | Remote Code Execution |
| CVE-2025-60715 | Windows Routing and Remote Access Service (RRAS) | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network. | Remote Code Execution |
| CVE-2025-60717 | Windows Broadcast DVR User Service | Use-after-free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | Elevation of Privilege |
| CVE-2025-60718 | Windows Administrator Protection | Untrusted search path in Windows Administrator Protection allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-60720 | Windows Transport Driver Interface (TDI) Translation Driver | Buffer over-read in Windows TDX.sys allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-60723 | DirectX Graphics Kernel | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows DirectX allows an authorized attacker to deny service over a network. | Denial of Service |
| CVE-2025-62200 | Microsoft Excel | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution |
| CVE-2025-62201 | Microsoft Excel | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution |
| CVE-2025-62202 | Microsoft Excel | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | Information Disclosure |
| CVE-2025-62203 | Microsoft Excel | Use-after-free in Microsoft Office allows an unauthorized attacker to execute code locally. | Remote Code Execution |
| CVE-2025-62204 | Microsoft SharePoint | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | Remote Code Execution |
| CVE-2025-62205 | Microsoft Office | An out-of-bounds read in the Windows Bluetooth RFCOMM Protocol Driver allows an authorized attacker to disclose local information. | Remote Code Execution |
| CVE-2025-62208 | Windows License Manager | Insertion of sensitive information into log file in Windows License Manager allows an authorized attacker to disclose information locally. | Information Disclosure |
| CVE-2025-62209 | Windows License Manager | Insertion of sensitive information into log file in Windows License Manager allows an authorized attacker to disclose information locally. | Information Disclosure |
| CVE-2025-59499 | Microsoft SQL Server | Improper neutralization of special elements used in an SQL command (‘SQL injection’) in SQL Server allows an authorized attacker to elevate privileges over a network. | Elevation of Privilege |
| CVE-2025-62211 | Dynamics 365 Field Service (online) | Improper neutralization of input during web page generation (‘cross-site scripting’) in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network. | Spoofing |
| CVE-2025-62215 | Windows Kernel | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Kernel allows an authorized attacker to elevate privileges locally. (Zero-day, exploited) | Elevation of Privilege |
| CVE-2025-62213 | Windows Ancillary Function Driver for WinSock | Use-after-free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Elevation of Privilege |
| CVE-2025-62222 | Agentic AI and Visual Studio Code | Improper neutralization of special elements used in a command (‘command injection’) in Visual Studio Code CoPilot Chat Extension allows an unauthorized attacker to execute code over a network. | Remote Code Execution |
| CVE-2025-62449 | Microsoft Visual Studio Code CoPilot Chat Extension | Improper limitation of a pathname to a restricted directory (‘path traversal’) in Visual Studio Code CoPilot Chat Extension allows an authorized attacker to bypass a security feature locally. | Security Feature Bypass |
| CVE-2025-60721 | Windows Administrator Protection | Privilege context switching error in Windows Administrator Protection allows an authorized attacker to elevate privileges locally. | Elevation of Privilege |
| CVE-2025-62453 | GitHub Copilot and Visual Studio Code | Improper validation of generative AI output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature locally. | Security Feature Bypass |

This Patch Tuesday reflects Microsoft’s ongoing efforts to bolster defenses amid a growing threat landscape, including APT campaigns targeting enterprise software.
Affected products span client OS, servers, productivity tools, and cloud services, emphasizing the need for comprehensive patch management. Security teams should scan environments using tools like Microsoft Update or WSUS, prioritizing internet-facing and privileged systems.
Vulnerability researchers highlight that while no additional zero-days were publicly disclosed, the exploited CVE-2025-62215 aligns with trends in kernel-level attacks.
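To turn the table above into a patch order, the following added example (not part of the original article) parses rows in the table's format and ranks them using the wording of each description: confirmed exploitation first, then network reachability, then whether the attacker needs to be authorized. The function names and the scoring weights are assumptions chosen for illustration.

```python
import re

# Rows copied from the table above (header included to show it is skipped).
SAMPLE = """\
| CVE ID | Product/Component | Description | Impact |
|---|---|---|---|
| CVE-2025-59509 | Windows Speech Recognition | Insertion of sensitive information into sent data in Windows Speech allows an authorized attacker to disclose information locally. | Information Disclosure |
| CVE-2025-62452 | Windows Routing and Remote Access Service (RRAS) | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network. | Remote Code Execution |
| CVE-2025-60704 | Windows Kerberos | Missing cryptographic step in Windows Kerberos allows an unauthorized attacker to elevate privileges over a network. | Elevation of Privilege |
| CVE-2025-60724 | GDI+ | Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network. | Remote Code Execution |
| CVE-2025-62215 | Windows Kernel | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Kernel allows an authorized attacker to elevate privileges locally. (Zero-day, exploited) | Elevation of Privilege |
"""

ROW = re.compile(r"^\|\s*(CVE-\d{4}-\d+)\s*\|([^|]+)\|([^|]+)\|([^|]+)\|$")

# Assumed weights for illustration; tune them to your own risk model.
IMPACT_WEIGHT = {
    "Remote Code Execution": 5,
    "Elevation of Privilege": 4,
    "Security Feature Bypass": 3,
    "Information Disclosure": 2,
    "Spoofing": 2,
    "Denial of Service": 1,
}

def parse_rows(markdown):
    """Turn table rows into dicts with attack-surface flags from the description."""
    rows = []
    for line in markdown.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator, or prose line
        cve, product, desc, impact = (g.strip() for g in m.groups())
        low = desc.lower()
        rows.append({
            "cve": cve, "product": product, "impact": impact,
            "exploited": "exploited" in low,
            "network": "over a network" in low,
            # "authorized" is a substring of "unauthorized": match the full phrase.
            "unauthenticated": "unauthorized attacker" in low,
        })
    return rows

def score(row):
    """Higher means patch sooner: exploitation outweighs reachability and impact."""
    return (100 * row["exploited"] + 20 * row["network"]
            + 10 * row["unauthenticated"] + IMPACT_WEIGHT.get(row["impact"], 0))

def triage(markdown):
    """Return rows ordered most urgent first (ties broken by CVE ID)."""
    return sorted(parse_rows(markdown), key=lambda r: (-score(r), r["cve"]))

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(score(r), r["cve"], r["product"], r["impact"])
```

Feeding the full table through `triage` gives a starting order only; asset exposure (internet-facing and privileged systems, as noted above) still decides which hosts receive the update first.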






