Microsoft Addresses Actively Exploited Windows Kernel Zero-Day (CVE-2025-62215) and 62 Other Flaws in November 2025 Patch Tuesday

Executive Summary

Microsoft's November 2025 Patch Tuesday release addresses 63 security vulnerabilities across its product suite, including a critical zero-day in the Windows Kernel, CVE-2025-62215, which is confirmed to be under active exploitation. This privilege escalation flaw allows an attacker with local access to gain full SYSTEM privileges, making it a prime target for post-compromise activity by ransomware groups and other threat actors. The update also patches four other critical vulnerabilities, including a severe remote code execution (RCE) flaw in GDI+ (CVE-2025-60724, CVSS 9.8). Given the active exploitation of one vulnerability and the critical nature of others, organizations are urged to prioritize the deployment of these patches immediately, particularly on internet-facing and critical systems.

Vulnerability Details

This month's security update from Microsoft is substantial, fixing a wide range of flaws: 29 for elevation of privilege, 16 for RCE, 11 for information disclosure, three for denial of service (DoS), two for security feature bypass, and two for spoofing.

Actively Exploited Zero-Day: CVE-2025-62215

• Vulnerability: Windows Kernel Privilege Escalation Vulnerability
• CVSS Score: 7.0 (High)
• Description: This vulnerability stems from a race condition due to improper synchronization when concurrent processes access a shared resource. A local attacker can craft a specific application to trigger this race condition, leading to a double-free memory corruption. Successful exploitation allows the attacker to hijack the system's execution flow and escalate privileges to SYSTEM level. This is a classic post-compromise technique used to gain full control over a compromised machine.
• Exploitation Status: Actively exploited in the wild. Details of the threat actor are not disclosed.

Critical RCE Vulnerability: CVE-2025-60724

• Vulnerability: Microsoft Graphics Component (GDI+) Remote Code Execution Vulnerability
• CVSS Score: 9.8 (Critical)
• Description: A heap-based buffer overflow in GDI+ allows for unauthenticated RCE without user interaction. An attacker could exploit this by tricking a user into opening a document containing a specially crafted malicious metafile, potentially leading to a full system compromise.

High-Severity Kerberos Flaw: CVE-2025-60704

• Vulnerability: Windows Kerberos Privilege Escalation Vulnerability
• CVSS Score: 7.5 (High)
• Description: Discovered by Silverfort researchers and codenamed "CheckSum," this flaw allows an adversary-in-the-middle (AitM) attacker to bypass a missing cryptographic check in Kerberos constrained delegation. This enables user impersonation and could lead to a full domain takeover.

Affected Systems

• Windows Operating Systems: All supported versions of Windows and Windows Server.
• Microsoft Office: All supported versions.
• Developer Tools: Visual Studio, .NET Framework.
• Other Products: Microsoft Edge (Chromium-based), SQL Server, Windows Subsystem for Linux GUI (WSLg), Windows Ancillary Function Driver for WinSock (afd.sys), Nuance PowerScribe 360.

Impact Assessment

The active exploitation of CVE-2025-62215 presents an immediate and significant risk. Threat actors who have already established an initial foothold in a network can use this vulnerability to escalate privileges, disable security software, move laterally, and deploy ransomware or other malicious payloads. The critical GDI+ vulnerability (CVE-2025-60724) poses a severe threat as it can be triggered by merely opening a malicious document, making it a potent vector for initial access via phishing. The Kerberos flaw (CVE-2025-60704) is particularly dangerous in enterprise environments, as it undermines a core authentication protocol and could allow an attacker to compromise an entire Active Directory domain.

Cyber Observables for Detection

Security teams should hunt for signs of exploitation related to these vulnerabilities:

Detection & Response

1. Prioritize Patching: Deploy updates for CVE-2025-62215 and CVE-2025-60724 immediately, starting with internet-facing systems, domain controllers, and critical servers.
2. Threat Hunting for CVE-2025-62215:
   • Use EDR solutions to query for processes that have recently gained SYSTEM-level privileges from a lower-privilege context.
   • Review Windows Event Logs for unexpected system service crashes or restarts, which could indicate failed exploitation attempts.
   • D3FEND Technique: Employ Process Analysis to baseline normal process behavior and detect anomalous privilege escalation patterns.
3. Detecting Kerberos Abuse (CVE-2025-60704):
   • Monitor for Kerberos service tickets (TGS) being requested for high-privilege services from unusual sources.
   • Analyze network traffic for signs of an AitM attack, such as ARP spoofing or DNS hijacking, which are prerequisites for this exploit.
4. Endpoint Protection: Ensure antivirus and EDR solutions are updated with the latest signatures to detect exploit attempts against CVE-2025-60724 and other RCE flaws.

Mitigation

Beyond patching, organizations should implement compensating controls:

1. Principle of Least Privilege: Enforce the principle of least privilege for all user accounts. This will not prevent exploitation of CVE-2025-62215 but can limit the initial access that makes such an exploit possible. This aligns with D3FEND's User Account Permissions hardening.
2. Attack Surface Reduction (ASR): Enable ASR rules on Windows to block common attack vectors, such as blocking Office applications from creating child processes or injecting into other processes.
3. Application Control: Use application control solutions like AppLocker or WDAC to prevent unauthorized applications from running, which is the primary method for triggering the local privilege escalation flaw.
4. Network Segmentation: For the Kerberos flaw, segmenting the network can make it more difficult for an attacker to achieve an AitM position necessary for exploitation. This is a core concept in D3FEND's Network Isolation strategy.