Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weaknesses affect all versions of Windows, including Windows 10.

Affected products this month include the Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot, and Azure Monitor Agent. The zero-day threat concerns a memory corruption bug deep in the Windows innards called CVE-2025-62215. Despite the flaw’s zero-day status, Microsoft has assigned it an “important” rating rather than critical, because exploiting it requires an attacker to already have access to the target’s device.

“These types of vulnerabilities are often exploited as part of a more complex attack chain,” said Johannes Ullrich, dean of research for the SANS Technology Institute. “However, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities.”

Ben McCarthy, lead cybersecurity engineer at Immersive, called attention to CVE-2025-60274, a critical weakness in a core Windows graphic component (GDI+) that is used by a massive number of applications, including Microsoft Office, web servers processing images, and countless third-party applications.

“The patch for this should be an organization’s highest priority,” McCarthy said. “While Microsoft assesses this as ‘Exploitation Less Likely,’ a 9.8-rated flaw in a ubiquitous library like GDI+ is a critical risk.”

Microsoft patched a critical bug in Office — CVE-2025-62199 — that can lead to remote code execution on a Windows system. Alex Vovk, CEO and co-founder of Action1, said this Office flaw is a high priority because it is low complexity, needs no privileges, and can be exploited just by viewing a booby-trapped message in the Preview Pane.

Many of the more concerning bugs addressed by Microsoft this month affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month. As that deadline rolled around, however, Microsoft began offering Windows 10 users an extra year of free updates, so long as they register their PC to an active Microsoft account.

Judging from the comments on last month’s Patch Tuesday post, that registration worked for a lot of Windows 10 users, but some readers reported the option for an extra year of updates was never offered. Nick Carroll, cyber incident response manager at Nightwing, notes that Microsoft has recently released an out-of-band update to address issues when trying to enroll in the Windows 10 Consumer Extended Security Update program.

“If you plan to participate in the program, make sure you update and install KB5071959 to address the enrollment issues,” Carroll said. “After that is installed, users should be able to install other updates such as today’s KB5068781 which is the latest update to Windows 10.”

Chris Goettl at Ivanti notes that in addition to Microsoft updates today, third-party updates from Adobe and Mozilla have already been released. Also, an update for Google Chrome is expected soon, which means Edge will also be in need of its own update.

The SANS Internet Storm Center has a clickable breakdown of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on any updates gone awry.

As always, please don’t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.

[Author’s note: This post was intended to appear on the homepage on Tuesday, Nov. 11. I’m still not sure how it happened, but somehow this story failed to publish that day. My apologies for the oversight.]

These updates fix serious security issues — including one that attackers are already exploiting to take control of Windows systems. By chaining it with other attacks, they can gain full admin access, install malware, steal data, or make deeper changes you wouldn’t normally be able to undo. Run Windows Update today, restart your PC, and check you’re up to date.

What’s been fixed

Microsoft releases important security updates on the second Tuesday of every month—known as “Patch Tuesday.” This month’s patches fix critical flaws in Windows 10, Windows 11, Windows Server, Office, and related services.

Particularly noteworthy are some critical Remote Code Execution (RCE) bugs in Microsoft Graphics and Office that can allow attackers to run malicious code just by convincing someone to open a booby-trapped file or document.

A “zero-day” is a software flaw that attackers are already exploiting before a fix is available. The name comes from the fact that defenders have zero days to protect themselves—attackers can strike before patches are released. In this month’s update, Microsoft fixed one such vulnerability: CVE-2025-62215, a Windows Kernel Elevation of Privilege (EoP) flaw.

It lets an attacker who already has local access to a device gain higher, admin-level permissions by exploiting what’s known as a “race condition.” A race condition vulnerability happens when different programs or processes try to use the same resource at the same time without proper coordination. During that brief window of confusion, attackers can slip through and exploit the system.

Attackers need to combine this vulnerability with other attack methods. Once they’ve compromised a system, they use this vulnerability to escalate privileges and gain admin-level rights.

Another critical vulnerability worth noting is CVE-2025-60724, which comes with a CVSS score of 9.8 out of 10. It’s a heap-based buffer overflow in the GDI+ Microsoft Graphics Component, which allows an unauthorized attacker to run malicious code over a network.

A buffer overflow happens when software writes more data to memory than it can handle, potentially overwriting other areas and injecting malicious code. In the case of CVE-2025-60724, Microsoft warns that attackers could exploit the flaw by convincing a victim to download and open a document that contains a specially crafted metafile. In more advanced attacks, the same vulnerability could be triggered remotely by uploading a malicious file to a vulnerable web service.

How to apply fixes and check you’re protected

These updates fix security problems and keep your Windows PC protected. Here’s how to make sure you’re up to date:

1. Open Settings

• Click the Start button (the Windows logo at the bottom left of your screen).
• Click on Settings (it looks like a little gear).

2. Go to Windows Update

• In the Settings window, select Windows Update (usually at the bottom of the menu on the left).

3. Check for Updates

• Click the button that says Check for updates.
• Windows will search for the latest Patch Tuesday updates for November 2025.

If you have selected automatic updates earlier, you may see this:

• Which means all you have to do is restart your system and you’re done updating.
• If not, continue with the below.

4. Download and Install

• If updates are found, they’ll start downloading right away. Once complete, you’ll see a button that says Install or Restart now.
• Click Install if needed and follow any prompts. Your computer will usually need a restart to finish the update. If it does, click Restart now.

5. Double-check you’re up to date

• After restarting, go back to Windows Update and check again. If it says You’re up to date, you’re all set!

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Microsoft’s November Patch Tuesday release for 2025 has delivered fixes for 63 security flaws across its software portfolio, including one zero-day vulnerability already being exploited in the wild. The company’s monthly update also contains four “Critical” vulnerabilities, two involving remote code execution (RCE), one linked to privilege escalation, and another tied to information disclosure.  This month’s update addresses vulnerabilities across a wide range of Microsoft products and services. Although the number of vulnerabilities is lower compared to recent months, the presence of an active zero-day makes November’s cycle critical for administrators. Microsoft noted that some of the “Important” rated flaws could still be leveraged in complex attack chains, particularly those affecting widely deployed components like Office, Windows Kernel, and Azure services. 

Actively Exploited Zero-Day: CVE-2025-62215 

The most urgent issue this month is CVE-2025-62215, an Elevation of Privilege vulnerability in the Windows Kernel. According to Microsoft, the flaw arises from a race condition that allows an authenticated attacker to gain SYSTEM-level privileges on affected systems.  In Microsoft’s technical explanation, “concurrent execution using a shared resource with improper synchronization” could let an attacker win a race condition and escalate privileges locally. This vulnerability was discovered by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC). While the company has confirmed that it is being exploited in the wild, it has not provided details about the attack methods or affected threat actors.  The vulnerability notes a recurring challenge for Windows systems: race conditions within kernel operations can provide attackers with direct pathways to full administrative control if not properly mitigated. Patching this CVE should therefore be a top priority for enterprise and government environments. 

Other High-Severity CVEs and Products Affected 

Beyond the zero-day, four additional vulnerabilities have been classified as Critical. These include remote code execution vulnerabilities in components like Microsoft Office and Visual Studio, which could allow attackers to execute malicious code if users open specially crafted files or interact with compromised projects. 

• CVE-2025-62199: A critical RCE vulnerability in Microsoft Office that can trigger upon viewing or opening a malicious document. This flaw is particularly dangerous because it can be exploited through the Outlook Preview Pane, requiring no additional user interaction. 
• CVE-2025-60724: A heap-based buffer overflow in the Microsoft Graphics Component (GDI+) that could potentially allow remote code execution across multiple applications. 
• CVE-2025-62214: A Visual Studio CoPilot Chat extension flaw enabling remote code execution through a complex multi-stage exploitation chain involving prompt injection and build triggering. 
• CVE-2025-59499: An elevation of privilege issue in Microsoft SQL Server that enables attackers to execute arbitrary Transact-SQL commands with elevated permissions. 

The November Patch Tuesday also covers vulnerabilities across a variety of Microsoft services, including Azure Monitor Agent, Windows DirectX, Windows OLE, Dynamics 365, OneDrive for Android, and several networking components such as WinSock and RRAS (Routing and Remote Access Service).  While five of these vulnerabilities are rated “Critical,” most are considered “Important,” reflecting Microsoft’s evaluation of exploitation complexity and impact. Nonetheless, even lower-rated CVEs can pose severe threats when combined with social engineering or used in chained attacks. 

Windows 11 Updates and Lifecycle Changes 

Alongside security fixes, the November 2025 Windows 11 Patch Tuesday (build 26200.7121, update KB5068861) introduces new features and UI enhancements. These include a redesigned Start menu that allows more app pinning, a customizable “All Apps” view, and visual changes to the Taskbar’s battery icon, which can now display color indicators and percentage values.  The update also resolves several performance and stability issues, such as Task Manager continuing to run in the background after closure, and connectivity problems in certain gaming handheld devices. Storage reliability, HTTP request parsing, and voice access setup have also been improved.  Additionally, this update coincides with the end of support for Windows 11 Home and Pro version 23H2, making a small but notable shift in Microsoft’s lifecycle policy. Users running older CPUs that lack support for the new instruction sets required by Windows 11 24H2 may need to consider hardware upgrades or extended support programs. 

The Importance of Prompt Patching 

November’s updates, though fewer in number, address several vulnerabilities with serious potential consequences if left unpatched. Administrators are urged to prioritize systems exposed to the internet or running affected components, especially those related to the Windows Kernel, Microsoft Office, and Visual Studio.  With one confirmed exploited zero-day and multiple critical RCE vulnerabilities, Microsoft Patch Tuesday for November 2025 serves as a reminder that timely patch deployment remains one of the most effective defenses against cyber threats. Organizations should also monitor system logs and intrusion detection systems for signs of exploitation and ensure that legacy or unsupported devices receive compensating controls.  The November Patch Tuesday highlights the nature of vulnerabilities that can harm even the most protected systems. With an actively exploited zero-day and several critical vulnerabilities addressed, timely patching remains essential for reducing cyber risk.  To strengthen defenses beyond standard patch cycles, organizations can leverage Cyble’s Vulnerability Management platform. Cyble continuously monitors emerging exploits and zero-day vulnerabilities, providing in-depth intelligence that helps teams prioritize patching by risk level and uncover issues not listed even in the most popular databases. Its insights into exploitation methods, dark web chatter, and mitigation options enable proactive threat prevention. Want to find vulnerabilities before threat actors do?   Schedule a personalized demo today and see how Cyble can enhance your organization’s security posture.