- 245/2025
- Critical
Microsoft has released its monthly batch of security updates, known as Patch Tuesday. This month's release addresses one actively exploited zero-day vulnerability.
Microsoft has fixed 63 vulnerabilities, one of which is classified as critical. These flaws could allow an attacker to gain elevated privileges, perform denial-of-service attacks, obtain sensitive information, bypass security restrictions, or execute arbitrary code and gain access to the affected systems.
November’s Patch Tuesday was released to fix security flaws in several Microsoft products, such as Microsoft Excel, Microsoft Office, Microsoft Office SharePoint, Windows DirectX, Windows Routing and Remote Access Service (RRAS), Windows Hyper-V, Windows Kerberos, Windows Remote Desktop, Microsoft Streaming Service, Windows WLAN Service, and SQL Server.
The actively exploited zero-day vulnerability in November’s Patch is:
- Windows Kernel Elevation of Privilege Vulnerability (CVE-2025-62215), which allows an attacker to gain SYSTEM privileges on Windows devices.
A sample of the addressed vulnerabilities:
1. Microsoft GDI+ Remote Code Execution Vulnerability (CVE-2025-60724):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Microsoft SQL Server Elevation of Privilege Vulnerability (CVE-2025-59499):
- CVSS: 8.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Privilege
Mitigations
Enterprises should deploy this patch as soon as their testing phase is completed.
