Cyber Web Spider Blog – News


Microsoft Fixes 63 Security Flaws, Including a Windows Kernel Zero-Day Under Active Attack

Posted on November 12, 2025 By CWS

Nov 12, 2025 | Ravie Lakshmanan | Vulnerability / Patch Tuesday
Microsoft on Tuesday released patches for 63 new security vulnerabilities identified in its software, including one that has come under active exploitation in the wild.
Of the 63 flaws, four are rated Critical and 59 are rated Important in severity. Twenty-nine of these vulnerabilities are related to privilege escalation, followed by 16 remote code execution, 11 information disclosure, three denial-of-service (DoS), two security feature bypass, and two spoofing bugs.
The patches are in addition to the 27 vulnerabilities the Windows maker addressed in its Chromium-based Edge browser since the release of October 2025’s Patch Tuesday update.

The zero-day vulnerability that has been listed as exploited in Tuesday’s update is CVE-2025-62215 (CVSS score: 7.0), a privilege escalation flaw in Windows Kernel. The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have been credited with discovering and reporting the issue.
“Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Kernel allows an authorized attacker to elevate privileges locally,” the company said in an advisory.
That said, successful exploitation hinges on an attacker who has already gained a foothold on a system to win a race condition. Once this criterion is satisfied, it could permit the attacker to obtain SYSTEM privileges.
“An attacker with low-privilege local access can run a specially crafted application that repeatedly attempts to trigger this race condition,” Ben McCarthy, lead cybersecurity engineer at Immersive, said.
“The goal is to get multiple threads to interact with a shared kernel resource in an unsynchronized way, confusing the kernel’s memory management and causing it to free the same memory block twice. This successful ‘double free’ corrupts the kernel heap, allowing the attacker to overwrite memory and hijack the system’s execution flow.”
It's currently not known how this vulnerability is being exploited and by whom, but it’s assessed to be used as part of a post-exploitation activity to escalate their privileges after obtaining initial access through some other means, such as social engineering, phishing, or exploitation of another vulnerability, Satnam Narang, senior staff research engineer at Tenable, said.
“When chained with other bugs this kernel race is critical: an RCE or sandbox escape can supply the local code execution needed to turn a remote attack into a SYSTEM takeover, and an initial low‑privilege foothold can be escalated to dump credentials and move laterally,” Mike Walters, president and co-founder of Action1, said in a statement.

Also patched as part of the updates are two heap-based buffer overflow flaws in Microsoft’s Graphics Component (CVE-2025-60724, CVSS score: 9.8) and Windows Subsystem for Linux GUI (CVE-2025-62220, CVSS score: 8.8) that could result in remote code execution.

Another vulnerability of note is a high-severity privilege escalation flaw in Windows Kerberos (CVE-2025-60704, CVSS score: 7.5) that takes advantage of a missing cryptographic step to gain administrator privileges. The vulnerability has been codenamed CheckSum by Silverfort.
“The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications,” Microsoft said. “An unauthorized attacker must wait for a user to initiate a connection.”
Silverfort researchers Eliran Partush and Dor Segal, who discovered the shortcoming, described it as a Kerberos constrained delegation vulnerability that allows an attacker to impersonate arbitrary users and gain control over an entire domain through an adversary-in-the-middle (AitM) attack.

An attacker who is able to successfully exploit the flaw could escalate privileges and move laterally to other machines in an organization. More concerning, threat actors could also gain the ability to impersonate any user in the company, allowing them to gain unfettered access or become a domain administrator.
“Any organization using Active Directory, with the Kerberos delegation capability turned on, is impacted,” Silverfort said. “Because Kerberos delegation is a feature within Active Directory, an attacker requires initial access to an environment with compromised credentials.”
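
To see where Kerberos delegation is turned on in a domain, the following PowerShell inventory is an added example, not code from the article, Microsoft, or Silverfort. It goes beyond the constrained delegation the article describes and also lists unconstrained and resource-based delegation; `Get-DelegationType` is a hypothetical helper name, the sample accounts are constructed, and the live branch assumes the ActiveDirectory (RSAT) module is installed.

```powershell
# Added example: inventory Kerberos delegation settings on AD accounts.
# Flag values are the documented userAccountControl bits.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, with protocol transition

function Get-DelegationType {                # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] $Account)
    process {
        $uac   = [int]$Account.userAccountControl
        $types = @()
        if ($uac -band $TRUSTED_FOR_DELEGATION) { $types += 'Unconstrained' }
        if ($Account.'msDS-AllowedToDelegateTo') {
            if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
                $types += 'Constrained (any protocol)'
            } else {
                $types += 'Constrained (Kerberos only)'
            }
        }
        if ($Account.'msDS-AllowedToActOnBehalfOfOtherIdentity') {
            $types += 'Resource-based constrained'
        }
        if ($types.Count -gt 0) {
            [pscustomobject]@{
                Name       = $Account.Name
                Delegation = $types -join ', '
                Targets    = @($Account.'msDS-AllowedToDelegateTo') -join '; '
            }
        }
    }
}

if (Get-Command Get-ADObject -ErrorAction SilentlyContinue) {
    # Live domain: bit 524288 (0x80000) is matched with the LDAP bitwise-AND rule.
    $filter = '(|(msDS-AllowedToDelegateTo=*)' +
              '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=524288))'
    $accounts = Get-ADObject -LDAPFilter $filter -Properties userAccountControl,
        'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'
} else {
    # Constructed sample accounts so the script also runs without a domain.
    $accounts = @(
        [pscustomobject]@{ Name = 'svc-web'; userAccountControl = 0x1000200
                           'msDS-AllowedToDelegateTo' = @('MSSQLSvc/db01.example.test:1433') }
        [pscustomobject]@{ Name = 'APP01$'; userAccountControl = 0x81000 }
        [pscustomobject]@{ Name = 'alice'; userAccountControl = 0x200 }
    )
}
$accounts | Get-DelegationType | Format-Table -AutoSize
```

Domain controllers are trusted for unconstrained delegation by default, so they appear in the live output; the entries worth reviewing are service and computer accounts whose delegation is no longer needed.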
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including:

Adobe
Amazon Web Services
AMD
Apple
ASUS
Atlassian
AutomationDirect
Bitdefender
Broadcom (including VMware)
Cisco
Citrix
ConnectWise
D-Link
Dell
Devolutions
Drupal
Elastic
F5
Fortinet
GitLab
Google Android
Google Chrome
Google Cloud
Grafana
Hitachi Energy
HP
HP Enterprise (including Aruba Networking and Juniper Networks)
IBM
Intel
Ivanti
Jenkins
Lenovo
Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
MediaTek
Mitsubishi Electric
MongoDB
Moxa
Mozilla Firefox and Firefox ESR
NVIDIA
Oracle
Palo Alto Networks
QNAP
Qualcomm
Rockwell Automation
Ruckus Wireless
Samba
Samsung
SAP
Schneider Electric
Siemens
SolarWinds
SonicWall
Splunk
Spring Framework
Supermicro
Synology
TP-Link
WatchGuard, and
Zoom
