Full Report
Severity breakdown: 5 Critical, 58 Important, 0 Moderate, 0 Low.

Microsoft addresses 63 CVEs including one zero-day vulnerability which was exploited in the wild.

Microsoft patched 63 CVEs in its November 2025 Patch Tuesday release, with five rated critical and 58 rated as important.

This month's update includes patches for:

- Azure Monitor Agent
- Customer Experience Improvement Program (CEIP)
- Dynamics 365 Field Service (online)
- GitHub Copilot and Visual Studio Code
- Host Process for Windows Tasks
- Microsoft Configuration Manager
- Microsoft Dynamics 365 (on-premises)
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Streaming Service
- Microsoft Wireless Provisioning System
- Multimedia Class Scheduler Service (MMCSS)
- Nuance PowerScribe
- OneDrive for Android
- Role: Windows Hyper-V
- SQL Server
- Storvsp.sys Driver
- Visual Studio
- Visual Studio Code CoPilot Chat Extension
- Windows Administrator Protection
- Windows Ancillary Function Driver for WinSock
- Windows Bluetooth RFCOM Protocol Driver
- Windows Broadcast DVR User Service
- Windows Client-Side Caching (CSC) Service
- Windows Common Log File System Driver
- Windows DirectX
- Windows Kerberos
- Windows Kernel
- Windows License Manager
- Windows OLE
- Windows Remote Desktop
- Windows Routing and Remote Access Service (RRAS)
- Windows Smart Card
- Windows Speech
- Windows Subsystem for Linux GUI
- Windows TDX.sys
- Windows WLAN Service

Elevation of privilege (EoP) vulnerabilities accounted for 46% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 25.4%.

## Important: CVE-2025-62215 | Windows Kernel Elevation of Privilege Vulnerability

CVE-2025-62215 is an EoP vulnerability in the Windows Kernel. It was assigned a CVSSv3 score of 7.0 and rated important. A local, authenticated attacker could exploit this vulnerability by winning a race condition in order to gain SYSTEM privileges. According to Microsoft, this vulnerability was exploited in the wild as a zero-day.

Including CVE-2025-62215, there have been 11 EoP vulnerabilities patched in the Windows Kernel in 2025, with five of these included in the October 2025 Patch Tuesday release.

## Critical: CVE-2025-62199 | Microsoft Office Remote Code Execution Vulnerability

CVE-2025-62199 is a RCE vulnerability in Microsoft Office. It was assigned a CVSSv3 score of 7.8, rated critical and assessed as "Exploitation Less Likely" according to Microsoft's Exploitability Index. An attacker could exploit this flaw through social engineering by sending the malicious Microsoft Office document file to an intended target. Successful exploitation would grant code execution privileges to the attacker.

Despite being flagged as "Less Likely" to be exploited, Microsoft notes that the Preview Pane is an attack vector, which means exploitation does not require the target to open the file.

Microsoft patched two additional Microsoft Office RCEs this month. CVE-2025-62205 and CVE-2025-62216 both were assigned CVSSv3 scores of 7.8 and rated as important. CVE-2025-62205 was assessed as "Exploitation Less Likely" while CVE-2025-62216 was assessed as "Exploitation Unlikely." In contrast to CVE-2025-62199, the preview pane is not an attack vector for these two vulnerabilities.

## Important: CVE-2025-60719, CVE-2025-62213, and CVE-2025-62217 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

CVE-2025-60719, CVE-2025-62213 and CVE-2025-62217 are EoP vulnerabilities affecting the Ancillary Function Driver for WinSock for Microsoft Windows. All three were assigned CVSSv3 scores of 7.0, were rated as important and assessed as "Exploitation More Likely." A local, authenticated attacker could exploit these vulnerabilities to elevate to SYSTEM level privileges.

## Critical: CVE-2025-60724 | GDI+ Remote Code Execution Vulnerability

CVE-2025-60724 is a RCE vulnerability affecting the Windows Graphics Device Interface (GDI+). It was assigned a CVSSv3 score of 9.8, rated as critical and assessed as "Exploitation Less Likely." A remote attacker could exploit this flaw by convincing a victim to download and open a crafted file which could exploit a heap-based buffer overflow in order to execute arbitrary code.

## Tenable Solutions

A list of all the plugins released for Microsoft's November 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

## Get more information

- Microsoft's November 2025 Security Updates
- Tenable plugins for Microsoft November 2025 Patch Tuesday Security Updates
- Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.
- Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Analysis Summary
# Vulnerability: Windows Kernel Zero-Day Elevation of Privilege (EoP)
## CVE Details
- CVE ID: CVE-2025-62215
- CVSSv3 Score: 7.0 (Microsoft severity rating: Important)
- CWE: Not specified
## Affected Systems
- Products: Windows Kernel
- Versions: Not explicitly listed, but affects systems covered by the November 2025 Patch Tuesday updates.
- Configurations: Requires a local, authenticated attacker who can win a race condition.
## Vulnerability Description
This is an Elevation of Privilege (EoP) vulnerability residing in the Windows Kernel. Successful exploitation allows a local, authenticated attacker to escalate their privileges to the highly sensitive SYSTEM level by exploiting a race condition.
## Exploitation
- Status: Exploited in the wild (Zero-Day)
- Complexity: High. The attacker must win a race condition; a 7.0 for a local, low-privilege, no-interaction flaw with full impact corresponds to the CVSSv3 high attack complexity metric.
- Attack Vector: Local (a foothold as an authenticated user is required first)
## Impact
- Confidentiality: High (arbitrary code as SYSTEM)
- Integrity: High (arbitrary code as SYSTEM)
- Availability: High (arbitrary code as SYSTEM)
## Remediation
### Patches
- Microsoft November 2025 Security Update (Specific patch details for CVE-2025-62215 are included in this release).
### Workarounds
- No workarounds are mentioned in the release; because the flaw is actively exploited, patching should not wait on a maintenance window.
## Detection
- Tenable's plugins for the November 2025 release cover this CVE. Scan before patching to enumerate exposed hosts and again afterwards to confirm the update applied.
## References
- Vendor advisories: hxxps://msrc.microsoft.com/update-guide/en-us/releaseNote/2025-nov
- Tenable plugin search: hxxps://www.tenable.com/plugins/search?q=%22November+2025%22+AND+script_family%3A%28%22Windows%22+OR+%22Windows+%3A+Microsoft+Bulletins%22%29&sort=&page=1
***
# Vulnerability: Microsoft Office Remote Code Execution via Malicious File (Preview Pane Attack Vector)
## CVE Details
- CVE ID: CVE-2025-62199
- CVSSv3 Score: 7.8 (Microsoft severity rating: Critical; note that 7.8 is "High" on the CVSS qualitative scale, the Critical label is Microsoft's own rating)
- CWE: Not specified
## Affected Systems
- Products: Microsoft Office (the document parsing code, reachable from both the full application and the Preview Pane)
- Versions: Not explicitly listed.
- Configurations: The vulnerability can potentially be exploited simply by the target system previewing the malicious file without opening it, if the Preview Pane is active.
## Vulnerability Description
This is a Remote Code Execution (RCE) vulnerability in Microsoft Office. An attacker can exploit this by sending a specially crafted Microsoft Office document file to a target. Successful exploitation results in arbitrary code execution under the context of the local user. Microsoft notes that the Preview Pane is an attack vector, meaning the file does not necessarily need to be opened by the user for exploitation to occur.
## Exploitation
- Status: Not reported as exploited at release; assessed as "Exploitation Less Likely"
- Complexity: Low once the file reaches the target. Delivery requires social engineering, but the Preview Pane vector means the user need not open the document.
- Attack Vector: Local in CVSS terms (the 7.8 score corresponds to a local vector with user interaction); the document itself is delivered remotely, typically by email.
## Impact
- Confidentiality: High (Code Execution)
- Integrity: High (Code Execution)
- Availability: High (Code Execution)
## Remediation
### Patches
- Microsoft November 2025 Security Update (Includes patch for CVE-2025-62199).
### Workarounds
- Advise users not to open Office documents from untrusted senders; note that this alone does not cover the Preview Pane vector.
- Disable the Preview Pane (the Outlook reading pane and the Windows Explorer preview pane) where immediate patching is not possible, since Microsoft lists it as an attack vector.
## Detection
- Detection should focus on the delivery of suspicious Office documents and, on the endpoint, on Office or preview-handler processes spawning script hosts or other unexpected child processes.
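One endpoint-side check for the Preview Pane scenario, added here as an example and not code from the Tenable post: parse process-creation records and flag children of document-parsing hosts. The record format, host names and command lines are constructed for the example; the inclusion of prevhost.exe (Explorer's preview-handler surrogate) as a parent that renders Preview Pane content is an assumption to verify against your own telemetry.

```python
"""Process-creation triage for Office document exploitation (added example).

Parses constructed process-creation records in a simple key=value form and
flags children of document-parsing hosts.  The field names are illustrative;
normalise your EDR or Sysmon Event ID 1 export into this shape.
"""
import re
from dataclasses import dataclass

# Parents that parse attacker-supplied documents: Office applications plus
# prevhost.exe, Explorer's preview-handler surrogate (assumption: where Office
# preview handlers render Preview Pane content in your environment).
DOCUMENT_PARSERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "prevhost.exe"}

# Living-off-the-land binaries a first-stage payload typically launches.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}

# Children Office spawns in normal operation (constructed allowlist; tune it).
EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe", "msosync.exe", "dw20.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


# Record shape is constructed for this example; cmdline is assumed to contain no '"'.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent="(?P<parent>[^"]*)" '
    r'image="(?P<image>[^"]*)" cmdline="(?P<cmdline>[^"]*)"$'
)


def parse_event(line: str):
    """Return a ProcEvent, or None for lines that do not match the record shape."""
    m = LINE_RE.match(line.strip())
    return ProcEvent(**m.groupdict()) if m else None


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (accepts either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent):
    """Severity for one event: None (ignore), 'medium', or 'high'."""
    parent, child = basename(ev.parent), basename(ev.image)
    if parent not in DOCUMENT_PARSERS or child in EXPECTED_CHILDREN:
        return None
    if child in LOLBINS:
        return "high"      # script host or LOLBin under a document parser
    return "medium"        # any other unexpected child deserves a look


def triage(lines):
    """Run classify() over raw records; returns (severity, event) pairs in order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev) if ev else None
        if sev:
            alerts.append((sev, ev))
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_LOG = [
    r'2025-11-12T09:01:07Z host=WS-017 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\splwow64.exe" cmdline="splwow64.exe 12288"',
    r'2025-11-12T09:03:44Z host=WS-017 parent="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c powershell -w hidden -enc SQBFAFgA"',
    r'2025-11-12T09:03:45Z host=WS-022 parent="C:\Windows\System32\prevhost.exe" image="C:\Windows\System32\rundll32.exe" cmdline="rundll32.exe C:\Users\Public\s.dll,Run"',
    r'2025-11-12T09:04:10Z host=WS-022 parent="C:\Program Files\Google\Chrome\Application\chrome.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c whoami"',
    r'2025-11-12T09:05:02Z host=WS-031 parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Users\alice\AppData\Local\Temp\update.exe" cmdline="update.exe"',
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for sev, ev in triage(SAMPLE_LOG):
        print(f"[{sev.upper()}] {ev.ts} {ev.host}: {basename(ev.parent)} -> "
              f"{basename(ev.image)} :: {ev.cmdline}")
```

On the constructed sample the Outlook-to-cmd.exe and prevhost-to-rundll32 events are flagged high, the Excel-to-Temp executable is flagged medium, and the Chrome-spawned shell is ignored because the rule is scoped to document parsers. The allowlist is the part that needs local tuning; a noisy allowlist hides exactly the child processes this rule exists to catch.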
## References
- Vendor advisories: hxxps://msrc.microsoft.com/update-guide/en-us/releaseNote/2025-nov
***
# Vulnerability: GDI+ Heap-Based Buffer Overflow RCE
## CVE Details
- CVE ID: CVE-2025-60724
- CVSSv3 Score: 9.8 (Microsoft severity rating: Critical)
- CWE: Not stated in the release; the described heap-based buffer overflow corresponds to CWE-122
## Affected Systems
- Products: Windows Graphics Device Interface (GDI+)
- Versions: Not explicitly listed.
- Configurations: Any system where GDI+ parses a crafted file. The release describes delivery as convincing a victim to download and open the file.
## Vulnerability Description
This Critical RCE vulnerability affects the Windows Graphics Device Interface (GDI+). The flaw stems from a heap-based buffer overflow when processing a crafted file. Exploitation grants an attacker the ability to execute arbitrary code remotely.
## Exploitation
- Status: Not reported as exploited at release; assessed as "Exploitation Less Likely"
- Complexity: Low. A 9.8 base score corresponds to low attack complexity with no privileges and no user interaction required.
- Attack Vector: Network. The release narrative describes a downloaded file, but the base score indicates the flaw is reachable without user interaction, so any process that parses untrusted files with GDI+ (not only interactive users) should be treated as exposed.
## Impact
- Confidentiality: High (Code Execution)
- Integrity: High (Code Execution)
- Availability: High (Code Execution)
## Remediation
### Patches
- Microsoft November 2025 Security Update (Includes patch for CVE-2025-60724).
### Workarounds
- No workarounds are mentioned in the release. Until patched, restrict the intake of image and document files from untrusted sources, including automated or server-side processing paths.
## Detection
- Detection should focus on crashes in processes that render images (application crash and WER events referencing GDI+), which can indicate failed exploitation, and on those processes spawning unexpected children.
## References
- Vendor advisories: hxxps://msrc.microsoft.com/update-guide/en-us/releaseNote/2025-nov
***
# Vulnerability: Multiple Ancillary Function Driver for WinSock EoP Vulnerabilities
## CVE Details
- CVE ID: CVE-2025-60719, CVE-2025-62213, CVE-2025-62217
- CVSSv3 Score: 7.0 for each (Microsoft severity rating: Important)
- CWE: Not specified
## Affected Systems
- Products: Windows Ancillary Function Driver for WinSock
- Versions: Not specified.
- Configurations: Requires a local, authenticated attacker.
## Vulnerability Description
These three distinct vulnerabilities are all Elevation of Privilege flaws in the Windows Ancillary Function Driver for WinSock (afd.sys), the kernel driver that backs Winsock. A local, authenticated attacker can exploit any of them to escalate to the SYSTEM security context. Microsoft assesses exploitation of all three as "More Likely."
## Exploitation
- Status: Not reported as exploited at release, but rated "Exploitation More Likely."
- Complexity: High (a 7.0 for a local, authenticated, no-interaction flaw corresponds to high attack complexity); local, authenticated access is required.
- Attack Vector: Local
## Impact
- Confidentiality: High (arbitrary code as SYSTEM)
- Integrity: High (arbitrary code as SYSTEM)
- Availability: High (arbitrary code as SYSTEM)
## Remediation
### Patches
- Microsoft November 2025 Security Update (Includes patches for all three CVEs).
### Workarounds
- No specific workarounds are mentioned.
## Detection
- Monitor for processes running as SYSTEM whose parent ran in a standard user context, and for kernel crashes (bug checks) attributed to afd.sys, which can indicate failed exploitation attempts.
## References
- Vendor advisories: hxxps://msrc.microsoft.com/update-guide/en-us/releaseNote/2025-nov
***
## General Summary of November 2025 Patch Tuesday
Microsoft addressed **63 CVEs** in total, consisting of **5 Critical** and **58 Important** vulnerabilities. **Elevation of Privilege (EoP)** vulnerabilities constituted 46% of the issues patched, followed by Remote Code Execution (RCE) at 25.4%. Of particular note, **CVE-2025-62215 (Windows Kernel EoP)** was actively exploited in the wild prior to patching.
**Recommendation:** Apply all available patches immediately, prioritizing the zero-day (CVE-2025-62215), the Critical RCEs (CVE-2025-62199, CVE-2025-60724), and the three AFD for WinSock EoPs rated "Exploitation More Likely." Scan before deployment to find exposed hosts and afterwards to confirm the update applied.
**Affected Components Included (but not limited to):** Azure Monitor Agent, Dynamics 365, GitHub Copilot/VS Code, Microsoft Office, SQL Server, Windows Kernel, Windows Routing and Remote Access Service (RRAS), and various Windows drivers.