November 2025 Patch Tuesday: Patch 63 CVEs including GDI+ RCE and Kernel EoP

Microsoft’s November Patch Tuesday delivers a compact but urgent set of updates: 63 newly disclosed vulnerabilities were fixed on November 11, 2025, and two Windows flaws — a critical GDI+ remote code execution (RCE) and an actively exploited Windows Kernel elevation‑of‑privilege (EoP) zero‑day — are the must‑patch items for administrators and security teams this week.

Background / Overview​

Microsoft’s monthly security cadence landed on November 11, 2025, as the regular Patch Tuesday bundle that included cumulative updates across client and server branches. This release addressed a total of 63 vulnerabilities across Windows, Office, Edge and several server components — with five items rated Critical by various tracking services and one kernel zero‑day flagged as actively exploited in the wild. Two vulnerabilities highlighted by security responders and Arctic Wolf in their bulletin are the immediate operational priorities:

• CVE‑2025‑60724 — GDI+ heap‑based buffer overflow with RCE potential (CVSS ≈ 9.8). This affects the Microsoft Graphics Component and can be triggered by specially crafted metafiles or images.
• CVE‑2025‑62215 — Windows Kernel race‑condition elevation‑of‑privilege (EoP) that Microsoft and multiple vendors report as being exploited in the wild. This bug enables a local, authenticated attacker to escalate to SYSTEM by winning a timing window.

This article summarizes the technical facts, verifies vendor claims against independent trackers, analyzes attacker risk models, and provides an operational playbook for Windows administrators and defenders.

---

What Microsoft shipped (key KBs and packaging)​

Microsoft distributed the November patches as cumulative updates and, where applicable, hotpatch/out‑of‑band packages. Notable package identifiers include KB5068861 for Windows Server / Windows 11 channels (and associated hotpatch KB5068966 for hotpatch‑capable rings). Microsoft’s support pages list the November cumulative(s) and their OS build details. Administrators should map CVE → KB → OS build precisely before deployment: the KB is the deterministic deployment unit for cataloging, testing and distribution via WSUS, Intune, SCCM, or Microsoft Update Catalog. Relying on CVE strings alone risks installing the wrong servicing package for a given build.

---

Deep dive: CVE‑2025‑60724 — GDI+ Remote Code Execution (RCE)​

What it is​

CVE‑2025‑60724 is a heap‑based buffer overflow in the Microsoft Graphics Component (GDI+). When a system or service parses a specially crafted metafile or image, the overflow can be exploited to achieve remote code execution. This is a high‑impact class of vulnerability because the graphics component is widely used by document processors, image renderers and server‑side upload parsers.

Attack surface and scenarios​

• Client‑side: An attacker can craft a document (Office, RTF, or image bundle) containing a malicious metafile and convince a victim to download and open it — typical phishing or malvertising scenarios.
• Server‑side: Web services that accept user uploads and parse images or documents (mail gateways, document preview services, CMS upload handlers) can be abused by uploading a crafted file, enabling RCE or information disclosure without user interaction.

Exploitability and observed activity​

Multiple vendors and trackers assigned a CVSS around 9.8 and classified the flaw as critical. As of the November release, there is no public evidence of widespread active exploitation for this specific GDI+ bug, but the severity and ubiquity of the library make it a prime target for rapid weaponization. Security vendors recommend immediate mitigation for services that process untrusted media.

Recommended action (GDI+)​

• Prioritize patching servers that parse or preview user‑supplied documents (web upload endpoints, mail and MTA pre‑processors, SharePoint/Exchange servers that render previews).
• For endpoints, apply the cumulative updates (the KBs Microsoft lists for your SKU) and reboot when required. Validate the successful build number post‑reboot.
• If patching is delayed, apply compensating controls: remove document‑preview agents from the public path, block untrusted metafile formats at the perimeter, and constrain the accounts used by parsing services.

---

Deep dive: CVE‑2025‑62215 — Windows Kernel race‑condition EoP (actively exploited)​

What it is​

CVE‑2025‑62215 is a race‑condition in kernel code leading to a double‑free or similar heap corruption that lets an authenticated local attacker elevate privileges to SYSTEM by exploiting a narrow timing window. The vulnerability requires local code execution (or a prior foothold) but yields full system control when successfully chained. Microsoft classified this issue as exploitation detected and included a patch in the November cumulatives.

Why this matters​

A kernel EoP is a classic post‑compromise force multiplier: once an attacker has foothold access (for example via phishing, sandbox escape, browser RCE, or malicious installer), CVE‑2025‑62215 can convert that foothold into SYSTEM privileges — enabling credential theft, tamper of EDR, kernel‑level persistence, and lateral movement. Security vendors report real‑world exploitation patterns where adversaries chain CVE‑2025‑62215 after initial remote access methods.

Observed exploitation​

Multiple vendors and trackers corroborate Microsoft’s statement that this kernel bug is being exploited in the wild. Public reporting at the time of disclosure indicated the vulnerability has been used in targeted campaigns, typically as part of multi‑stage attack chains. Security teams should therefore treat this as a high‑priority remediation item.

Recommended action (Kernel EoP)​

• Patch immediately: deploy the Microsoft November cumulative that maps to your OS build (confirm KB mapping and build numbers). Reboots are usually required.
• Prioritize scope: patch domain controllers, jump boxes, admin workstations, RDP/VDI hosts, build servers and any machine where an attacker could leverage a local exploit.
• If you cannot patch immediately: restrict local code execution (application allow‑listing with WDAC/AppLocker), reduce privileged local admin assignments, disable interactive logons where possible, and isolate high‑value hosts behind hardened bastion systems.

---

Validating the claims: cross‑checking authoritative sources​

To verify key claims:

• Microsoft’s release documentation and KB pages for November 11, 2025 (for example KB5068861 and the hotpatch KB5068966) list the cumulative updates and package details; these pages confirm the release date and KB identifiers used for deployment.
• The National Vulnerability Database (NVD) entries for CVE‑2025‑60724 and CVE‑2025‑62215 provide canonical descriptions (heap‑based overflow in GDI+, race‑condition EoP in kernel) and link back to Microsoft advisories. These public CVE/NVD records corroborate the vulnerability types and timelines.
• Independent security vendors (CrowdStrike, Rapid7, Tenable, SOCPrime, Malwarebytes and others) published contemporaneous analyses confirming severity, exploitability assessments and, in the case of CVE‑2025‑62215, reports of active exploitation. Using multiple vendors narrows single‑source bias and strengthens the operational urgency.

Where vendor interpretations differ (for example, precise CVSS vector strings or exploit reliability estimations), rely on Microsoft’s official KB for remediation steps and treat vendor writeups as complementary operational guidance. If a claim is unverifiable from public data (for example, precise actor attribution or an internal proof‑of‑concept sample), it is flagged as such in vendor reporting and should be treated with caution until forensic evidence is available.

---

Operational playbook — patching, testing and mitigation​

Patch sequencing (recommended)​

• Inventory and classify hosts by exposure and criticality (domain controllers, jump boxes, RDP hosts, servers processing uploads).
• Stage updates in a small pilot ring (24–72 hours) to validate critical application compatibility.
• Deploy to high‑value and high‑exposure hosts first, then expand to remaining systems. Reboot and validate build versions post‑install.
• For environments supporting hotpatching, evaluate hotpatch KBs (where available) to reduce planned reboots for critical endpoints.

Immediate compensating controls (until fully patched)​

• Enforce application allow‑listing and least privilege (remove unnecessary local admin rights).
• Block lethal file formats at perimeter: prevent web upload paths from accepting untrusted metafiles and limit server‑side document preview processing.
• Strengthen segmentation: isolate build agents, developer systems, and imaging servers (PowerScribe and similar medical stacks).

Detection and hunting priorities​

• Hunt for unusual process ancestry showing non‑privileged processes spawning SYSTEM shells (Event ID correlation for process creation). Focus on cmd.exe, powershell.exe and wmic launched from user processes.
• Monitor for token manipulation (DuplicateTokenEx/OpenProcessToken) and unexpected service or scheduled‑task creations originating from low‑privileged accounts.
• Capture kernel crash dumps and memory forensics if suspicious privilege escalation is suspected; these artifacts are often necessary to confirm kernel exploitation.

---

Compatibility and operational risk​

Patching kernel and graphics components can cause regressions in specialized environments. Microsoft’s release notes and community reporting mention a small set of known issues (for example, WSUS error reporting regressions in prior updates), so follow normal pre‑production testing and rollback planning. Where updates change feature flags or enable new UI components, remember that installing the cumulative may not instantly surface feature changes due to Microsoft’s staged enablement model. Large enterprises should treat the November rollup as both a security priority and a compatibility exercise: test critical business apps and imaging stacks (Nuance PowerScribe, developer toolchains, virtualization hosts) before broad deployment.

---

Risk analysis — strengths and hazards of the disclosure​

Strengths​

• Microsoft released fixes promptly and included the kernel zero‑day in the normal cumulative (with hotpatch options where supported), giving admins a validated remediation path. The vendor‑provided KBs and build mapping reduce ambiguity for patching.
• Broad vendor coverage: multiple security vendors and trackers validated the technical classifications and emphasized mitigation strategies, enabling defenders to coordinate hunting and detection content rapidly.

Potential hazards and caveats​

• Exploit chaining: CVE‑2025‑62215 is a local EoP; attackers commonly chain such flaws with remote footholds. Environments with exposed services that allow initial compromise (RDP, web apps, unpatched browsers or Office) are at higher risk.
• Rapid weaponization of RCEs: While CVE‑2025‑60724 had no public evidence of exploitation at disclosure, high‑severity graphics RCEs are routinely weaponized quickly — especially against servers that process untrusted uploads. Treat it as an immediate priority for web‑facing services.
• Unverifiable or time‑sensitive claims: Some press pieces and community posts speculate on the number of machines vulnerable within a specific timeframe (for example “millions within 48 hours”). Those projections depend on telemetry models and are not verifiable from public CVE/K‑level data; treat them as plausibility estimates rather than precise counts. Flag any attribution or actor claims that lack forensic evidence as unverified.

---

Checklist — concise actions for Windows admins (prioritized)​

• Identify and patch hosts with KBs for your exact OS build; confirm post‑patch build numbers.
• Patch domain controllers, jump boxes, admin workstations and servers that process untrusted uploads first.
• If hotpatching is available, evaluate its use to reduce downtime for critical endpoints.
• Enforce application allow‑listing and remove unnecessary local admin privileges.
• Hunt for privilege escalation artifacts (unexpected SYSTEM shells, token ops, new services). Collect memory/crash dumps on suspicion.
• For services that accept uploads, block or sanitize metafile/image formats until patched.

---

Conclusion​

The November 11, 2025 Patch Tuesday is compact in headline count but significant in operational impact: a high‑severity GDI+ RCE (CVE‑2025‑60724) and an actively exploited Windows Kernel EoP (CVE‑2025‑62215) change the immediate priorities for defenders. Apply Microsoft’s November cumulatives, map CVE→KB accurately, and treat servers that parse untrusted media and admin consoles as the first wave for remediation. Combine rapid patching with layered mitigations — application allow‑listing, privilege hygiene, and focused detection hunts — to reduce the window of exposure while verifying compatibility in controlled pilot rings. If an organization lacks the capacity to patch immediately, implement the compensating controls and detection disciplines outlined above, and plan for a prioritized, staged deployment within hours for high‑value assets and within days for the remainder of the estate. Treat any claims of actor attribution or precise exploitation statistics as tentative until corroborated by forensic evidence from affected environments.

---

---

Source: Arctic Wolf Microsoft Patch Tuesday: November 2025 | Arctic Wolf