As 2025 comes to an end, Microsoft has published its Patch Tuesday Security Updates. The November release contains 63 CVEs, including 5 Critical and 59 Important severity vulnerabilities, which is a relief for patch managers compared to the 177 CVEs addressed in the previous Patch Tuesday. The overall figure excludes multiple fixes for Azure Linux (Mariner) and a few browser vulnerabilities, all of which were individually disclosed and addressed earlier this month. Although no new advisories were published this month, a revision was made to ADV990001 for servicing stack updates. The patch portfolio spans Windows Kernel, Office, Azure Monitor Agent, Visual Studio, Windows Subsystem for Linux GUI, etc., signaling a broad attack surface to defend.
The crown jewel of this Patch Tuesday is CVE-2025-62215, a Windows Kernel elevation of privilege vulnerability. It involves a race condition, where concurrent code execution on a shared resource lacks proper synchronization. For attackers, this is a timing game: win the race condition, and you can escalate local privileges to SYSTEM level, effectively taking over the device. Microsoft classifies this flaw as “actively exploited in the wild,” although it had not been publicly disclosed at the time of release.
The update also fixes a heap-based buffer overflow vulnerability in GDI+ (CVE-2025-60724), a graphics component used in Windows, which could be exploited by tricking users into downloading and opening crafted metafiles. DirectX graphics also features an elevation of privilege bug (CVE-2025-60716): a use-after-free reachable through a similar race condition, which may allow an authenticated local attacker to escalate privileges. Upon successful exploitation, the attacker could gain SYSTEM-level control of the machine.
Then there’s the Microsoft Office use-after-free vulnerability (CVE-2025-62199), allowing local code execution by opening a malicious document. This vulnerability, classified as remote code execution, can be confusing due to its name; remote here refers to the attacker’s location, not how the exploit works. In reality, the attack requires code to run locally on the victim’s machine, sometimes referred to as Arbitrary Code Execution (ACE). So, while the attacker is remote, exploitation involves local execution after the user opens a malicious document.
Microsoft Visual Studio is not off the hook, with a critical remote code execution vulnerability (CVE-2025-62214) allowing authenticated attackers to execute arbitrary code locally. Even niche software like Nuance PowerScribe 360 gets attention (CVE-2025-30398), with an information disclosure flaw potentially leaking sensitive server data. It could be exploited by making an API call to a specific endpoint.
Microsoft’s own Security Update Guide provides detailed breakdowns of impacted products and versions, recommending that patches be applied immediately. In other words, the Windows kernel race condition is the one race your patching schedule should not lose: apply the fix now rather than waiting for the next cycle. The last Patch Tuesday of this year will be scheduled for December 9. Until then, keep your systems up to date.
Caught feelings for cybersecurity? It’s okay, it happens. Follow us on LinkedIn and Instagram to keep the spark alive.