Patch Tuesday - November 2025

Microsoft is publishing 66 new vulnerabilities today, which is far fewer than we’ve come to expect in recent months. There’s a lone exploited-in-the-wild zero-day vulnerability, which Microsoft assesses as critical severity, although there’s apparently no public disclosure yet. Three critical remote code execution (RCE) vulnerabilities are patched today; happily, Microsoft currently assesses all three as less likely to see exploitation. Five browser vulnerabilities and a dozen or so fixes for Azure Linux (aka Mariner) have already been published separately this month, and are not included in the total.

Windows GDI+: critical 0-day RCE

Faced with a fresh stack of Patch Tuesday vulns, there are a few different ways to prioritize our analysis. Do we start with vulns exploited in the wild? Pre-authentication RCEs? The vuln with the highest CVSS base score? The vuln which is likely to affect just about every asset running Microsoft software? Any of these are sensible avenues of approach, and today, all roads lead to CVE-2025-60724. As the advisory notes, in the worst-case scenario, an attacker could exploit this vulnerability by uploading a malicious document to a vulnerable web service. The advisory doesn’t spell out the context of code execution, but if all the stars align for the attacker, the prize could be remote code execution as SYSTEM via the network without any need for an existing foothold. While this vuln almost certainly isn’t wormable, it’s clearly very serious and is surely a top priority for just about anyone considering how to approach this month’s patches.

The weakness underlying CVE-2025-60724 is CWE-122: Heap-based buffer overflow, a concept which celebrated its 50th birthday several years ago. As the authors of the original 1972 paper noted: “If the code makes use of an internal buffer, there is a possibility that a user could input enough data to overwrite other portions of the program's private storage.” Regarding computer security in general, they opined that “this problem is neither hopeless nor solved. It is, however, perfectly clear [...] that solutions to the problem will not occur spontaneously, nor will they come from the various well-intentioned attempts to provide security as an add-on to existing systems.”

Office: critical ACE

Once again, we find ourselves wondering: “when is remote code execution really remote?” CVE-2025-62199 describes a critical RCE vulnerability in Microsoft Office, where exploitation relies on the user downloading and opening a malicious file. The attacker is remote, and that’s enough to satisfy the definition, even if the action is taken on the local system by the unwitting user. Anyone hoping that the Preview Pane is not a vector will be sadly disappointed, and this certainly increases the probability of real-world exploitation, since there’s no need for the attacker to craft a way around those pesky warnings about enabling dangerous content. Just scrolling through a list of emails in Outlook could be enough.

Visual Studio Copilot Extension: critical RCE

Some attacks are straightforward, with only a single step needed to reach the finish line. Others, like Visual Studio critical RCE CVE-2025-62214, require that the attacker execute a complex chain of events. In this case, exploitation demands multi-stage abuse of the Visual Studio Copilot extension, including prompt injection, Agent interaction, and triggering a build. The advisory doesn’t describe the context of code execution. If the prize is simply code execution on an asset in the context of the user, there’s no obvious advancement for the attacker, since exploitation already requires code execution on the asset by the attacker or the targeted user. The brief description of the attack chain does mention that the attacker would need to trigger a build. On that basis, possible outcomes might include execution in an elevated context, or compromised build artifacts, although the advisory does not provide enough information to be certain either way.

SQL Server: critical EoP

SQL Server admins should take note of CVE-2025-59499, which describes an elevation of privilege (EoP) vulnerability. Although some level existing privileges are required, successful exploitation will permit an attacker to run arbitrary Transact-SQL (T-SQL) commands. T-SQL is the language which SQL Server databases and clients use to communicate with one another. Although the default configuration for SQL Server disables the xp_cmdshell functionality which allows direct callouts to the underlying OS, there’s more than one way to shine a penny, and the only safe assumption here is that exploitation will lead to code execution in the context of SQL Server itself. Patches are available for all supported versions of SQL Server.

Microsoft lifecycle update

Following the sweeping lifecycle changes seen in October 2025, Microsoft is taking it fairly easy this month. The only significant transition today is the end of support for Windows 11 Home and Pro 23H2. Unlike the demise of Windows 10, this much smaller change won’t affect most people; a small number of older CPUs might not make the cut, since Windows 11 24H2 introduces a requirement for a couple of newer CPU instruction sets. Microsoft provides lists of compatible Intel, AMD, and Qualcomm CPU series.

Summary charts

Summary tables

Azure vulnerabilities

CVE

Title

Exploited?

Publicly disclosed?

CVSSv3 base score

Azure Monitor Agent Remote Code Execution Vulnerability

No

No

7.3

Browser vulnerabilities

CVE

Title

Exploited?

Publicly disclosed?

CVSSv3 base score

Chromium: CVE-2025-12729 Inappropriate implementation in Omnibox

No

No

N/A

Chromium: CVE-2025-12728 Inappropriate implementation in Omnibox

No

No

N/A

Chromium: CVE-2025-12727 Inappropriate implementation in V8

No

No

N/A

Chromium: CVE-2025-12726 Inappropriate implementation in Views.

No

No

N/A

Chromium: CVE-2025-12725 Out of bounds write in WebGPU

No

No

N/A

Developer Tools vulnerabilities

CVE

Title

Exploited?

Publicly disclosed?

CVSSv3 base score

Agentic AI and Visual Studio Code Remote Code Execution Vulnerability

No

No

8.8

Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability

No

No

6.8

Visual Studio Remote Code Execution Vulnerability

No

No

6.7

GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability

No

No

5

Mariner Open Source Software vulnerabilities

CVE

Title

Exploited?

Publicly disclosed?

CVSSv3 base score

containerd affected by a local privilege escalation via wide permissions on CRI directory

No

No

7.3

missing SFTP host verification with wolfSSH

No

No

6.8

containerd CRI server: Host memory exhaustion through Attach goroutine leak

No

No

N/A

Microsoft Dynamics vulnerabilities

CVE

Title

Exploited?

Publicly disclosed?

CVSSv3 base score

Dynamics 365 Field Service (online) Spoofing Vulnerability

No

No

8.7

Dynamics 365 Field Service (online) Spoofing Vulnerability

No

No

8.7

Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability

No

No

6.5

Microsoft Office vulnerabilities

CVE

Title

Exploited?

Publicly disclosed?

CVSSv3 base score

Microsoft SharePoint Remote Code Execution Vulnerability

No

No

8

Microsoft Office Remote Code Execution Vulnerability

No

No

7.8

Microsoft Office Remote Code Execution Vulnerability

No

No

7.8

Microsoft Office Remote Code Execution Vulnerability

No

No

7.8

Microsoft Excel Remote Code Execution Vulnerability

No

No

7.8

Microsoft Excel Remote Code Execution Vulnerability

No

No

7.8

Microsoft Excel Remote Code Execution Vulnerability

No

No

7.8

Microsoft Excel Remote Code Execution Vulnerability

No

No

7.8

Microsoft Excel Information Disclosure Vulnerability

No

No

7.1

Microsoft Excel Information Disclosure Vulnerability

No

No

7.1

Microsoft OneDrive for Android Elevation of Privilege Vulnerability

No

No

6.5

Microsoft Excel Information Disclosure Vulnerability

No

No

5.5

Microsoft Excel Information Disclosure Vulnerability

No

No

4.3

Open Source Software vulnerabilities

CVE

Title

Exploited?

Publicly disclosed?

CVSSv3 base score

Windows Subsystem for Linux GUI Remote Code Execution Vulnerability

No

No

8.8

Libxml2: namespace use-after-free in xmlsettreedoc() function of libxml2

No

No

7.5

KubeVirt Arbitrary Container File Read

No

No

6.5

can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled

No

No

5.5

An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (Out-of-Memory crash).

No

No

5.5

mruby array.c ary_fill_exec out-of-bounds write

No

No

5.3

KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation

No

No

5.3

KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes

No

No

5

KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing

No

No

4.7

KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer

No

No

4.7

crypto: rng - Ensure set_ent is always present

No

No

4.2

runc: LSM labels can be bypassed with malicious config using dummy procfs files

No

No

N/A

runc container escape via "masked path" abuse due to mount race conditions

No

No

N/A

container escape due to /dev/console mount and related races

No

No

N/A

KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes

No

No

N/A

Other vulnerabilities

CVE

Title

Exploited?

Publicly disclosed?

CVSSv3 base score

Nuance PowerScribe 360 Information Disclosure Vulnerability

No

No

8.1

SQL Server vulnerabilities

CVE

Title

Exploited?

Publicly disclosed?

CVSSv3 base score

Microsoft SQL Server Elevation of Privilege Vulnerability

No

No

8.8

System Center vulnerabilities

CVE

Title

Exploited?

Publicly disclosed?

CVSSv3 base score

Configuration Manager Elevation of Privilege Vulnerability

No

No

6.7

Windows vulnerabilities

CVE

Title

Exploited?

Publicly disclosed?

CVSSv3 base score

Windows WLAN Service Elevation of Privilege Vulnerability

No

No

7.8

Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability

No

No

7.8

Windows Administrator Protection Elevation of Privilege Vulnerability

No

No

7.8

Windows Administrator Protection Elevation of Privilege Vulnerability

No

No

7.8

Multimedia Class Scheduler Service (MMCSS) Driver Elevation of Privilege Vulnerability

No

No

7.8

Host Process for Windows Tasks Elevation of Privilege Vulnerability

No

No

7.8

Windows Speech Runtime Elevation of Privilege Vulnerability

No

No

7

Windows Speech Recognition Elevation of Privilege Vulnerability

No

No

7

Windows Kernel Elevation of Privilege Vulnerability

Yes

No

7

Windows Broadcast DVR User Service Elevation of Privilege Vulnerability

No

No

7

Windows Broadcast DVR User Service Elevation of Privilege Vulnerability

No

No

7

Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability

No

No

7

Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability

No

No

7

DirectX Graphics Kernel Elevation of Privilege Vulnerability

No

No

7

Storvsp.sys Driver Denial of Service Vulnerability

No

No

6.5

DirectX Graphics Kernel Denial of Service Vulnerability

No

No

6.3

Windows Speech Recognition Information Disclosure Vulnerability

No

No

5.5

Windows License Manager Information Disclosure Vulnerability

No

No

5.5

Windows License Manager Information Disclosure Vulnerability

No

No

5.5

Windows Hyper-V Information Disclosure Vulnerability

No

No

5.5

Windows ESU vulnerabilities

CVE

Title

Exploited?

Publicly disclosed?

CVSSv3 base score

Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

No

No

8

Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

No

No

8

Windows Transport Driver Interface (TDI) Translation Driver Elevation of Privilege Vulnerability

No

No

7.8

Windows Smart Card Reader Elevation of Privilege Vulnerability

No

No

7.8

Windows Remote Desktop Services Elevation of Privilege Vulnerability

No

No

7.8

Windows OLE Remote Code Execution Vulnerability

No

No

7.8

Windows Common Log File System Driver Elevation of Privilege Vulnerability

No

No

7.8

Windows Client-Side Caching Elevation of Privilege Vulnerability

No

No

7.8

Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability

No

No

7.8

Customer Experience Improvement Program (CEIP) Elevation of Privilege Vulnerability

No

No

7.8

Windows Kerberos Elevation of Privilege Vulnerability

No

No

7.5

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

No

No

7

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

No

No

7

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

No

No

7

DirectX Graphics Kernel Elevation of Privilege Vulnerability

No

No

7

Windows Routing and Remote Access Service (RRAS) Denial of Service Vulnerability

No

No

5.5

Windows Bluetooth RFCOM Protocol Driver Information Disclosure Vulnerability

No

No

5.5

Windows Microsoft Office ESU vulnerabilities

CVE

Title

Exploited?

Publicly disclosed?

CVSSv3 base score

GDI+ Remote Code Execution Vulnerability

No

No

9.8