Patch Tuesday: Microsoft fixes actively exploited Windows kernel vulnerability (CVE-2025-62215)
Microsoft has delivered a rather light load of patches for November 2025 Patch Tuesday: some 60+ vulnerabilities have received a fix, among them an actively exploited Windows Kernel flaw (CVE-2025-62215).

CVE-2025-62215
CVE-2025-62215 is a memory corruption issue that stems from “concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Kernel”, and it allows local elevation of privileges (to SYSTEM).
Exploitation in the wild was flagged by Microsoft’s Threat Intelligence Center (MSTIC) and its Security Response Center (MSRC), likely in limited attacks, since exploit code is functional but not widely available.
“It’s also interesting to note there’s a race condition here, and it shows that some race conditions are more reliable than others. Bugs like these are often paired with a code execution bug by malware to completely take over a system,” noted Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative.
Chris Goettl, VP of Security Product Management at Ivanti, pointed out that the vulnerability affects all currently supported Windows OS editions and Windows 10 Extended Security Updates (ESU), which means the risk of running Windows 10 past the EoL without ESU is not hypothetical.
“Ensure you are subscribing to Windows 10 ESU and providing additional mitigations where possible,” he advised.
Microsoft has also pushed out an out-of-band update for consumer devices that are not enrolled in the Extended Security Updates (ESU) program for Windows 10. It fixes an issue that may result in the ESU enrollment wizard failing during the enrollment process.
Goettl noted that other Windows products have either already reached end of support or will do so shortly.
“Exchange Server, for one, is getting some additional attention. Microsoft announced a 6-month ESU option for Exchange 2016/2019 servers for customers who need the extension. Their guidance, however, is not to rely on this program and to make every attempt to move off of Exchange and move to Exchange SE in time.”
Windows 11 Home and Pro 23H2 have reached their “End of Support” date.
Other vulnerabilities of note
CVE-2025-60724 is a heap-based buffer overflow bug in Graphics Device Interface Plus (GDI+), a subsystem used in Windows applications to render 2D vector graphics, images, and text.
“An attacker could trigger this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile. In the worst-case scenario, an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile without user interaction,” Microsoft explained.
The vulnerability is rated “critical”, as it can lead to remote code execution without any user interaction and can be triggered by unauthenticated attackers in low-complexity attacks. Still, Microsoft assesses that exploitation is less likely.
“While this vuln almost certainly isn’t wormable, it’s clearly very serious and is surely a top priority for just about anyone considering how to approach this month’s patches,” Adam Barnett, lead software engineer at Rapid7, commented.
CVE-2025-62199, a use-after-free flaw in Microsoft Office, can be exploited by attackers to achieve code execution on vulnerable systems.
Exploitation relies on the user being tricked into downloading and opening a malicious file, Microsoft pointed out, but also stated that Preview Pane is an attack vector.
“This certainly increases the probability of real-world exploitation, since there’s no need for the attacker to craft a way around those pesky warnings about enabling dangerous content. Just scrolling through a list of emails in Outlook could be enough,” Rapid7’s Barnett noted.
CVE-2025-62222 affects Agentic AI and Visual Studio Code and could allow an unauthorized attacker to execute code over a network.
“The vulnerability has been identified and patched in the Visual Studio Code CoPilot Chat Extension. The attack chain here is a novel and concerning one that targets the developer’s trusted environment,” says Ben McCarthy, lead cyber security engineer at Immersive.
“An attacker crafts a malicious GitHub issue within a repository. The description of this issue contains the hidden, unsanitized command. The attacker must then convince the developer to interact with this specific issue in a non-standard way: by ‘enabling a particular mode on the attacker’s crafted issue.’ This user action causes the extension to read and execute the malicious issue description. This triggers the command injection flaw, leading to full Remote Code Execution in the context of the user.”