Patch Now: Microsoft Flags Zero-Day & Zero-Click Bugs TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTechTarget and Informa Tech’s Digital Business Combine.Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.Dark Reading Resource LibraryBlack Hat NewsOmdia CybersecurityAdvertiseNewsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsApplication SecurityOWASP Highlights Supply Chain Risks in New Top 10 ListOWASP Highlights Supply Chain Risks in New Top 10 ListbyJai Vijayan, Contributing WriterNov 10, 20255 Min ReadCyberattacks & Data BreachesGlassWorm Returns, Slices Back into VS Code ExtensionsGlassWorm Returns, Slices Back into VS Code ExtensionsbyAlexander CulafiNov 10, 20253 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificRecent in World See AllThreat IntelligenceSilver Fox APT Blurs the Line Between Espionage & CybercrimeSilver Fox APT Blurs the Line Between Espionage & CybercrimebyNate Nelson, Contributing WriterAug 8, 20253 Min ReadThreat IntelligenceIran-Israel War Triggers a Maelstrom in CyberspaceIran-Israel War Triggers a Maelstrom in CyberspacebyNate Nelson, Contributing WriterJun 19, 20255 Min ReadThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryVulnerabilities & ThreatsCyber RiskThreat IntelligenceApplication SecurityNewsPatch Now: Microsoft Flags Zero-Day & Critical Zero-Click BugsSecurity teams may have a less burdensome rollout in November after October's Goliath Patch Tuesday, but shouldn't wait on a few top-priority fixes.Jai Vijayan, Contributing WriterNovember 11, 20254 Min ReadSource: Santi Rodriguez via Alamy Stock PhotoWith 63 unique CVEs, Microsoft's November security update is considerably slimmer than the company's record-busting patch rollout last month, which contained fixes for as many as 175 vulnerabilities.However, it's not one to sleep on:  November's rollout includes fixes for one actively exploited flaw, five that Microsoft rated as more likely to be targeted, and a single critical vulnerability, alongside the usual mix of privilege escalation, remote code execution (RCE), information disclosure, and denial-of-service (DoS) issues.The zero-day bug that attackers are already exploiting is CVE-2025-62215 (CVSS 7.5). It affects the Windows Kernel, and it allows attackers who have already compromised a system to escalate privileges and gain admin-level rights. Microsoft identified the vulnerability as being tied to a race condition, which is something that allows attackers to manipulate the timing of specific operations."While we don’t have the full scope regarding exploitation, based on the fact that this is a privilege escalation flaw, it was likely used as part of post-exploitation activity by an attacker," said Satam Narang, staff research engineer at Tenable in prepared comments — which means that the attacker leveraged another method to gain initial access. It's a comparative rarity, too: "This is one of 11 privilege escalation bugs patched in the Windows Kernel in 2025," he added.Related:Ollama, Nvidia Flaws Put AI Infrastructure at RiskA Single Critical Security Bug in November's Patch TuesdayWhile Microsoft assessed most of the bugs in the November update — including the one that attackers are actively exploiting — as being of medium severity ("important" in Microsoft parlance), there is the aforementioned critical vulnerability, CVE-2025-60724 (CVSS 9.8). It's an RCE flaw in the GDI+ Windows graphics component. According to Microsoft, an attacker can trigger the vulnerability on Web services by uploading documents containing a malicious metafile. A successful exploit could allow an attacker to execute arbitrary code or steal data from an affected system without any user involvement, the company warned."The patch for this should be an organization's highest priority," advised Ben McCarthy, lead cybersecurity engineer at Immersive. "While Microsoft assesses this as 'exploitation less likely,' a 9.8-rated flaw in a ubiquitous library like GDI+ is a critical risk," he said in an emailed comment.Patch Now: CVE-2025-60704 Means Broad Risk to EnterprisesAnother flaw that security teams should prioritize when patching has potentially broad ranging impact: CVE-2025-60704 (CVSS 7.5), a medium-severity elevation-of-privilege bug that affects Windows Kerberos. Researchers at Silverfort, who discovered and reported the bug to Microsoft, have dubbed the vulnerability CheckSum, and perceive it to be more urgent than the severity score alone would suggest. Related:Critical Site Takeover Flaw Affects 400K WordPress Sites"Any organization using Active Directory, with the Kerberos delegation capability turned on, is impacted," Silverfort said in a blog this week. "This means thousands of companies around the world are affected by this vulnerability." To exploit the vulnerability, an attacker would need initial access to an environment via compromised credentials, Silverfort said. But a successful exploit could enable privilege escalation and lateral movement. "Worse, [cyberattackers] could also gain the ability to impersonate anyone in the company, unlocking untold access or even becoming a domain admin," Silverfort warned.Security researchers also flagged CVE-2025-62220 (CVSS Score: 8.8) as a vulnerability that security teams should get to sooner rather than later. The bug affects Windows Subsystem for Linux GUI and enables RCE. In Microsoft's words, though a successful exploit requires user interaction, "the risk extends beyond local use."  Related:Kimsuky Debuts HTTPTroy Backdoor Against South Korea Users"Because this flaw exists at the interface between Windows and Linux environments, the potential impact extends beyond typical user-level compromises," researchers at Automox said in a blog today. "Attackers who successfully exploit this vector can execute code under the context of the logged-in user or escalate privileges for deeper system access."Also, in the list of bugs that Microsoft identified as more exploitable — and therefore needing prompt attention — are CVE-2025-60719; CVE-2025-62213; and CVE-2025-62217. All three bugs have a severity score of 7.0, affect the Windows Ancillary Function Driver of WinSock, and enable privilege escalation. "If Microsoft thinks an exploit is likely to happen, then organizations should take note," said Nick Carroll, cyber incident response manager at Nightwing. "All three of these vulnerabilities are marked as not requiring user interaction to exploit, and only needing low privileges, which may be part of why Microsoft believes an exploit is more likely to be created for these vulnerabilities.”About the AuthorJai Vijayan, Contributing WriterJai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.See more from Jai Vijayan, Contributing WriterMore InsightsIndustry Reports2025 DigiCert DDoS Biannual ReportDigiCert RADAR - Risk Analysis, Detection & Attack ReconnaissanceThe Total Economic Impact of DigiCert ONEIDC MarketScape: Worldwide Exposure Management 2025 Vendor AssessmentThe Forrester Wave™: Unified Vulnerability Management Solutions, Q3 2025Access More ResearchWebinarsHow AI & Autonomous Patching Eliminate Exposure RisksThe Cloud is No Longer Enough: Securing the Modern Digital PerimeterSecuring the Hybrid Workforce: Challenges and SolutionsCybersecurity Outlook 2026Threat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesMore WebinarsYou May Also LikeEditor's ChoiceApplication SecurityOWASP Highlights Supply Chain Risks in New Top 10 ListOWASP Highlights Supply Chain Risks in New Top 10 ListbyJai Vijayan, Contributing WriterNov 10, 20255 Min ReadKeep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeNov 13, 2025During this event, we'll examine the most prolific threat actors in cybercrime and cyber espionage, and how they target and infiltrate their victims.Secure Your SeatWebinarsHow AI & Autonomous Patching Eliminate Exposure RisksOn-DemandThe Cloud is No Longer Enough: Securing the Modern Digital PerimeterTues, Nov 18, 2025 at 1pm ESTSecuring the Hybrid Workforce: Challenges and SolutionsTues, Nov 4, 2025 at 1pm ESTCybersecurity Outlook 2026Virtual Event | December 3rd, 2025 | 11:00am - 5:20pm ET | Doors Open at 10:30am ETThreat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesTuesday, Oct 21, 2025 at 1pm ESTMore WebinarsWhite PapersPKI Modernization WhitepaperEDR v XDR v MDR- The Cybersecurity ABCs ExplainedHow to Chart a Path to Exposure Management MaturitySecurity Leaders' Guide to Exposure Management StrategyThe AI Security GuideExplore More White PapersDiscover MoreBlack HatOmdiaWorking With UsAbout UsAdvertiseReprintsJoin UsNewsletter Sign-UpFollow UsCopyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.Home|Cookie Policy|Privacy|Terms of Use

Microsoft’s November security update presents a notably leaner patch set compared to the record-breaking October rollout, offering security teams a potentially less burdensome deployment cycle. However, this reduced volume doesn’t diminish the importance of addressing these fixes promptly. The update includes one actively exploited vulnerability, five deemed high-probability targets, and a critical RCE flaw alongside the usual assortment of privilege escalation, denial-of-service, and information disclosure issues.

The most pressing concern is CVE-2025-62215, a privilege escalation vulnerability affecting the Windows Kernel. This flaw exists due to a race condition, allowing attackers who have already compromised a system to elevate their privileges and gain admin-level access. Given the nature of this vulnerability, it was likely leveraged as part of post-exploitation activities by an attacker. This is particularly notable due to the rarity of privilege escalation bugs within the Windows Kernel, with only 11 patched in the Windows Kernel throughout 2025 so far.

However, the critical vulnerability, CVE-2025-60724, presents an elevated risk. This Remote Code Execution (RCE) flaw resides within the Graphics Component (GDI+) and can be triggered by uploading malicious metafile documents, enabling attackers to execute arbitrary code or steal data without user interaction. Microsoft assesses this vulnerability as ‘exploitation less likely’ but still assigns it a 9.8 CVSS score. Ben McCarthy at Immersive highlighted this as “an organization’s highest priority” indicating a significant risk.

Another security concern is CVE-2025-60704, a medium-severity privilege escalation bug impacting Windows Kerberos. Researchers at Silverfort, who discovered and reported this vulnerability, dubbed it “CheckSum” and believe it warrants greater attention than its CVSS score suggests. This vulnerability affects any organization utilizing Active Directory and the Kerberos delegation capability. Thousands of companies globally are affected, raising the potential for widespread exploitation. The vulnerability enables privilege escalation and lateral movement; Silverfort warns that a successful exploit could allow attackers to impersonate any user in the company and gain domain admin rights.

Alongside these critical vulnerabilities, CVE-2025-62213 and CVE-2025-62217—both with a CVSS score of 7.0—are also concerning. These bugs affect the WinSock Driver, facilitating privilege escalation. Microsoft’s assessment that these vulnerabilities are likely to be exploited reinforces the need for swift action.

Finally, CVE-2025-62217—also a 7.0 CVSS score—enables privilege escalation, requiring prompt attention by security teams, as highlighted by Nick Carroll at Nightwing.

These vulnerabilities, alongside the broader landscape of the November update, underscore the importance of proactive security measures.