Microsoft marked the penultimate Patch Tuesday of 2025 with an update lighter than of late, addressing a mere 63 common vulnerabilities and exposures (CVEs) across its product estate – a far cry from many of its recent drops averaging well over 100 – and a solitary zero-day flaw.
Tracked as CVE-2025-62215, this month’s single zero-day is an elevation of privilege (EoP) vulnerability in the Windows Kernel that sits at the core of Microsoft’s operating system. It carries a CVSS score of just 7.0, and is not rated critical in its severity – however, exploitation has been observed in the wild, although no public proof-of-concept has yet been released.
Ben McCarthy, lead cyber security engineer at Immersive, explained that the root cause of the issue stems from two combined weaknesses: one a race condition in which more than one process tries to access shared data and change it concurrently, the other a double free memory management error.
“An attacker with low-privilege local access can run a specially crafted application that repeatedly attempts to trigger this race condition,” he explained. “The goal is to get multiple threads to interact with a shared kernel resource in an unsynchronised way, confusing the kernel’s memory management and causing it to free the same memory block twice.
“This successful double-free corrupts the kernel heap, allowing the attacker to overwrite memory and hijack the system’s execution flow.
“Organisations must prioritise applying the patch for this vulnerability,” added McCarthy. “While a 7.0 CVSS score might not always top a patch list, the active exploitation status makes it a critical priority.
“A successful exploit grants the attacker System privileges, allowing them to completely bypass endpoint security, steal credentials, install rootkits and perform other malicious actions. This is a critical link in an attacker’s post-exploitation playbook.”
Business impacts
In the real world, said Mike Walters, president and co-founder of Action1, there are three core business impacts that would potentially arise from a successful compromise via CVE-2025-62215. He highlighted the possibility of mass credential exposure arising from the compromise of critical file servers, lateral movement and ransomware deployment, and regulatory, financial and reputational harm from data leakage or other operational disruption.
“Exploitation is complex, but a functional exploit seen in the wild raises urgency, since skilled actors can reliably weaponise this in targeted campaigns,” added Walters.
Also high on the agenda for November is CVE-2025-60724, an RCE vulnerability in Graphics Device Interface Plus (GDI+), which carries a CVSS score of 9.8. GDI+ is a relatively low-level component, but is responsible for rendering 2D graphics, images and text, and therefore provides core functionality for multiple Microsoft applications – and countless third-party programs, too.
Adam Barnett, Rapid7 lead software engineer, said this was as close to a zero-day as it was possible to get, and likely to affect just about every asset running Microsoft software. “In the worst-case scenario, an attacker could exploit this vulnerability by uploading a malicious document to a vulnerable web service,” he said.
“The advisory doesn’t spell out the context of code execution, but if all the stars align for the attacker, the prize could be remote code execution as System via the network without any need for an existing foothold. While this vuln almost certainly isn’t wormable, it’s clearly very serious and is surely a top priority for just about anyone considering how to approach this month’s patches.”
Action1’s Walters added: “This is emergency-level: a network-reachable RCE with no user interaction and low attack complexity is among the most dangerous bugs. Server compromise, tenant impact in multi-tenant systems, and the potential for rapid mass exploitation make this a top priority.
“Exploitation may take time to perfect because attackers must build reliable allocator and interpreter manipulations that bypass mitigations like CFG, ASLR and DEP. Still, GDI+ and image parsing bugs have a history of being weaponised quickly.”
Critically acclaimed bugs
Finally, the docket for security teams this month includes four critical vulnerabilities, highlighted by Dustin Childs of Trend Micro’s Zero Day Initiative. These are CVE-2025-30398, a third-party information disclosure flaw in Nuance PowerScribe 360; CVE-2025-60716, an EoP flaw in DirectX Graphics Kernel; CVE-2025-62199, an RCE flaw in Microsoft Office; and CVE-2025-62214, another RCE flaw in Visual Studio.
