
Patch Tuesday November 2025

November 11, 2025

By Gene Moody

Patch Tuesday November 2025 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

For even more information, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.

Microsoft Vulnerabilities

This Patch Tuesday includes 66 vulnerabilities fixed by Microsoft, significantly fewer than last month. Five of them are rated critical, and there’s one zero-day in the Windows Kernel. Here are the details of the most notable critical updates.

Microsoft Windows Kernel Elevation of Privilege (CVE-2025-62215)

Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Kernel allows an authorized attacker to elevate privileges locally. When a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data. This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider.

Technical summary

  • A synchronization bug lets shared kernel objects be accessed or modified concurrently without proper locking or ordering, producing a race condition (CWE-362). Under precise timing this race can cause a double-free (CWE-415) of a kernel allocation.
  • Winning the race can free an object twice or free an object while another thread still uses it, causing kernel heap corruption such as use-after-free, dangling pointers, or corrupted allocator metadata.
  • An attacker can then overwrite function pointers or vtable pointers in kernel objects, or force allocator state so attacker-controlled data is used as kernel structures. That can lead to arbitrary code execution in kernel context (ring 0) or token manipulation (SYSTEM token stealing), elevating a low-privilege local user to SYSTEM.

Scope and exploitability

  • Affects all supported versions of Windows 10 and 11 and corresponding Windows Server releases.
  • Exploitation requires local code execution or local access to the machine.
  • The attack depends on winning a timing race, so it is complex and fragile and requires precise timing, pool grooming, and concurrent threads or processes.
  • The attacker only needs low privileges on the target account and no user interaction beyond their own activity.
  • The advisory rates the issue around 7.0 (Important), reflecting high impact but high exploitation complexity. The advisory notes that it has been exploited in the wild and that exploit code maturity is functional.

Why this is dangerous in chains

  • A remote code execution bug in a network-facing service or a browser sandbox escape could provide the local code execution needed to run this kernel exploit, turning a remote compromise into full SYSTEM takeover.
  • Browser or application sandbox escapes feeding into this kernel elevation convert web-borne attacks into complete device compromise.
  • From a low-privilege foothold on one host, attackers can escalate to SYSTEM, dump credentials, and pivot laterally across the network.

Business impact

  • Compromise of critical servers such as domain controllers or file servers, leading to large-scale credential exposure.
  • Lateral movement and ransomware deployment with SYSTEM privileges.
  • Regulatory, financial, and reputational damage following broad data exfiltration or operational disruption.

Although the high complexity reduces the risk of mass exploitation, the presence of a functional exploit used in the wild increases urgency. Skilled attackers are already able to weaponize this in targeted campaigns.

Primary attack scenarios of concern

  1. Targeted intrusions: attackers gain a local foothold and then run the kernel elevation to gain full control and persist.
  2. Exploit chaining: an RCE in an exposed service or browser, followed by a local payload and this kernel elevation, leading to domain takeover.
  3. Cloud and hosting abuse: if the vulnerable code path exists in hypervisor or VM driver code, escalation on hosted Windows instances could affect multi-tenant services. Verify vendor specifics.

Microsoft Office Remote Code Execution (CVE-2025-62199)

A use-after-free bug in Office’s document processing and preview path can allow an attacker who gets a user to open or preview a crafted file to achieve arbitrary code execution inside the Office process. The issue is rated Critical; the advisory shows no public proof-of-concept and no observed in-the-wild exploitation.

Technical summary

  • Root cause: a use-after-free (CWE-416), where Office dereferences a reference to memory that was already freed.
  • A dangling pointer can be reused to place attacker-controlled data or overwrite function pointers, vtables, or callback targets, enabling code execution in the Office process under the user’s privileges.
  • Typical flow: parse crafted content, trigger premature object free while a pointer remains live, subsequent dereference executes attacker-controlled data or hijacks control flow.

Affected components

Microsoft Office desktop (Word, Excel, PowerPoint) and any Office component that uses the same code path, including the Preview Pane, Outlook attachment preview, and local Office preview rendering in OneDrive or SharePoint.

Exploitability and CVSS

  • CVSS 3.1 base score around 7.8; Microsoft rates the issue Critical, reflecting high impact despite the required user action.
  • Attack vector: local, via a crafted document that is opened or previewed (email attachment, shared link, synced file, Preview Pane).
  • Attack complexity: low; the issue is not timing-dependent, and the crafted document triggers a deterministic use-after-free during parsing or rendering.
  • Privileges required: none.
  • User interaction: required; the victim must open or preview the file.

Attack flow

  1. Attacker crafts a malicious Office document that manipulates the parser or renderer to free an object prematurely.
  2. Victim opens or previews the document, triggering the vulnerable code path.
  3. Office dereferences the freed pointer; attacker-controlled data at that address alters control flow and leads to arbitrary code execution in the Office process.

Payload goals and techniques

  • Common payloads: spawn a shell, drop a downloader, execute a second-stage payload, or perform in-memory reflective loading to avoid disk artifacts.
  • Supporting techniques: heap spraying via embedded content, return-oriented programming to bypass DEP, and using info-disclosure bugs to defeat ASLR.

Public disclosure and exploitation

  • Public PoC: none at time of the advisory.
  • Exploited in the wild: none reported.

Potential impact

Full compromise of the user session, potential lateral movement, credential theft from LSA or saved Office credentials, in-memory persistence. If chained with an elevation of privilege, this could lead to full host or domain compromise. Consequences include credential harvesting from high-value users, ransomware deployment, intellectual property theft, compromised email accounts for fraud, and downstream trust abuse.

Priority assessment

  • Why this is high priority: low complexity, no privileges required, and common attack vectors such as email and the Preview Pane make this attractive for mass-phishing and targeted campaigns.
  • Why it is not yet catastrophic: no public proof-of-concept and no known in-the-wild exploitation reduces immediate mass-exploitation risk, though that can change quickly.

Worst-case scenario

A phishing campaign that pairs a reliable exploit for this bug with an available kernel elevation of privilege would produce large numbers of user compromises and could rapidly escalate to full host or domain takeover.

GDI+ Heap-based Buffer Overflow (CVE-2025-60724)

A heap-based buffer overflow in the Microsoft Graphics component (GDI+), triggered when parsing metafiles, can be exploited remotely without user interaction. A specially crafted metafile embedded in a document or uploaded to a service that parses or renders such files can yield remote code execution in the context of the target process.

Technical summary

  • Weakness class: CWE-122, heap-based buffer overflow — memory on the heap is written past its bounds.
  • Likely root causes based on common GDI+/metafile patterns: insufficient length or size validation when parsing metafile records; integer arithmetic errors that lead to under-allocated buffers; failure to validate record bounds before copying variable-length drawing commands or embedded blobs.
  • Resulting memory corruption allows attacker-controlled writes beyond a heap allocation, enabling overwrite of adjacent heap metadata or function pointers and control of execution flow.
  • Metafiles are high risk because they contain executable drawing commands and variable-length structures, and their parsers are complex.

Scope and score

  • Core component: Microsoft Graphics Component (GDI+). Any Windows component or application that uses the vulnerable GDI+ code path for parsing or rendering metafiles is affected.
  • CVSS 3.1: 9.8 (Critical), reflecting a remotely exploitable, high-impact, low-complexity flaw.

Exploitability and impact

  • Network vector and no user interaction required, unlike Office preview bugs that need a user to open files. A single crafted upload can compromise a file-processing server.
  • Low exploitation complexity increases the risk of automated mass exploitation or wormable behavior if an exploit appears.
  • The attack surface is very large, because many first- and third-party components use GDI+ (thumbnailers, printers, conversion services, cloud preview services). Compromising a centralized document-rendering service can turn one malicious upload into many compromised clients or a persistent server foothold.

Public disclosure and observed exploitation

  • Public PoC: none reported.
  • Observed exploitation: none reported.

Why this is a high-value pivot bug

  • Standalone server compromise: direct RCE in a server process that runs with SYSTEM or other high privileges leads to full host compromise, lateral movement, and data exfiltration.
  • Mass distribution vector: a malicious upload rendered by a central service can be served to many clients, enabling supply-chain or content-distribution compromise.
  • Chaining: RCE followed by memory dumping or LSA secret extraction can enable lateral propagation with harvested credentials.
  • Escalation and persistence: RCE combined with an elevation-of-privilege bug could let attackers install persistent kernel-level components or tamper with security tooling.

Why this requires urgent attention

  • Network-reachable RCE with no user interaction and low complexity is among the most dangerous classes of vulnerabilities. The potential for server compromise, tenant impact in multi-tenant systems, and rapid mass exploitation makes this a top priority for risk assessment.
  • Exploit developers still need to craft reliable allocator and interpreter manipulation across Windows versions and mitigations such as CFG, ASLR, and DEP, which may delay weaponization. However, historical GDI+ and image parsing bugs have often been weaponized quickly.

Likely attacker motivations

  • Mass compromise, including worms, cryptominers, or ransomware.
  • Targeted intrusions against document-rendering infrastructure.
  • Supply-chain attacks that weaponize widely used rendering services.

Microsoft SQL Server Elevation of Privilege (CVE-2025-59499)

A network-reachable SQL injection in SQL Server’s database name handling allows an authenticated, low-privileged user to inject arbitrary Transact-SQL commands. Successful exploitation can escalate privileges to the service account running SQL Server, potentially granting sysadmin or SYSTEM-level control.

Technical summary

  • Weakness class: CWE-89, SQL injection.
  • Cause: database identifiers (database names) are not properly sanitized or parameterized when used to build internal T-SQL, letting an attacker embed SQL control characters that alter server-side command execution.
  • Impact: injected T-SQL runs in privileged server context, which can lead to sysadmin rights and execution of server-side commands.
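The weakness class above (an identifier spliced into dynamic T-SQL) is easiest to see in your own code. The following is an added illustration, not SQL Server's internal code: the builder functions are hypothetical, the `quotename()` helper mirrors the real T-SQL `QUOTENAME` rules, and the hostile database name is constructed for the demonstration.

```python
"""Dynamic T-SQL built from a database name: unsafe splicing vs. QUOTENAME-style
identifier quoting.

Added illustration of the CWE-89 pattern described for CVE-2025-59499; these
builder functions are hypothetical, not SQL Server's internal code. The hostile
database name below is constructed for the demonstration.
"""
from typing import Optional

SYSNAME_MAX_CHARS = 128  # T-SQL sysname is nvarchar(128)

# Constructed: a name that closes the identifier and starts a new statement.
HOSTILE_DB_NAME = "demo]; SELECT 1"


def quotename(identifier: str) -> Optional[str]:
    """Mirror T-SQL QUOTENAME(identifier, '['): wrap in [ ] and double every ']'.

    QUOTENAME returns NULL when the input exceeds the sysname limit, so this
    helper returns None and callers must treat that as a hard failure.
    """
    if len(identifier) > SYSNAME_MAX_CHARS:
        return None
    return "[" + identifier.replace("]", "]]") + "]"


def build_use_statement_unsafe(db_name: str) -> str:
    """Vulnerable pattern: the identifier is spliced into the command text.

    Any ';' in db_name terminates the USE and whatever follows runs as T-SQL.
    """
    return "USE " + db_name + "; SELECT DB_NAME();"


def build_use_statement_safe(db_name: str) -> str:
    """Hardened pattern: the identifier is quoted so the parser sees one name."""
    quoted = quotename(db_name)
    if quoted is None:
        raise ValueError("database name exceeds sysname length")
    return "USE " + quoted + "; SELECT DB_NAME();"


def statement_count(tsql: str) -> int:
    """Count ';' terminators outside bracketed identifiers and string literals.

    A deliberately small T-SQL tokenizer (no comments, no double-quoted
    identifiers) that is enough to show how many statements each builder
    produces from the same input.
    """
    count, i = 0, 0
    in_bracket = in_string = False
    while i < len(tsql):
        ch = tsql[i]
        if in_bracket:
            if ch == "]":
                if tsql[i + 1:i + 2] == "]":  # ']]' is an escaped ']'
                    i += 2
                    continue
                in_bracket = False
        elif in_string:
            if ch == "'":
                if tsql[i + 1:i + 2] == "'":  # '' is an escaped quote
                    i += 2
                    continue
                in_string = False
        elif ch == "[":
            in_bracket = True
        elif ch == "'":
            in_string = True
        elif ch == ";":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    for builder in (build_use_statement_unsafe, build_use_statement_safe):
        stmt = builder(HOSTILE_DB_NAME)
        print(f"{builder.__name__}: {statement_count(stmt)} statement(s): {stmt}")
```

Quoting only protects code you write; the server-side flaw itself is fixed by applying the patch.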

Exploitability

  • Base score: 8.8 (Important).
  • Attack vector: network, via direct TDS connections or through applications calling affected APIs.
  • Attack complexity: low; payloads can be deterministic.
  • Privileges required: low — the attacker needs valid SQL authentication or the ability to connect using a trusted application account.
  • User interaction: none once the attacker can send crafted commands.
  • Exploit maturity: unproven; no public proof-of-concept and no observed in-the-wild exploitation have been reported.

Likely affected systems

SQL Server 2016 SP3, 2017, 2019, and 2022 (per Microsoft’s patch table).

Why this is dangerous in chains

  1. Web compromise then SQL EoP, where a web app flaw or stolen credential gives initial access that is escalated to sysadmin via this bug.
  2. SQL EoP to OS control, for example using xp_cmdshell to run system commands and then chaining with a kernel elevation for full system or domain control.
  3. Service account compromise, since many SQL Server instances run under domain accounts, enabling credential theft and lateral movement.
  4. Persistence and evasion through hidden triggers, signed stored procedures, or malicious CLR assemblies.

Operational severity

Although classified as an elevation of privilege, the network vector, low complexity, and potential for full sysadmin takeover make its operational impact similar to a database-level remote code execution. SQL Server often holds an organization’s most sensitive data, so successful exploitation can lead to data theft, ransomware, and broad lateral movement.

Outlook

Expect rapid exploit research following the advisory. SQL injection vectors are often reproducible, and proofs of concept can appear quickly. This vulnerability poses a high risk for environments with shared SQL servers, flat networks, or weak credential management.

Google Chrome

Google has released a stable-channel update that patches five Chrome vulnerabilities; none are flagged as under active attack. The most serious are three High-rated flaws: an out-of-bounds write in the WebGPU graphics stack (CVE-2025-12725), reported anonymously on September 9; an inappropriate-implementation bug in the Views UI framework (CVE-2025-12726), reported by Alesandro Ortiz on September 25; and a similar weakness in the V8 JavaScript/WebAssembly engine (CVE-2025-12727), disclosed by the researcher “303f06e3” on October 23. Two Medium-severity issues, CVE-2025-12728 and CVE-2025-12729, affect the Omnibox address bar and were reported by Hafiizh and Khalil Zhani respectively.

Google is withholding technical details until users have had time to update. The WebGPU out-of-bounds write could allow a malicious site to corrupt GPU memory and possibly escape the browser sandbox. The V8 flaw might let an attacker craft JavaScript that confuses object types and gains arbitrary read/write primitives, which historically can lead to remote code execution. The Views and Omnibox issues are more likely to be used for UI spoofing or limited information leaks.

The fixes are included in Chrome 142.0.7444.134/.135 for Windows, Mac and Linux and will reach the stable desktop population over the next few days. Users should restart their browser to install the update.

Mozilla Firefox

Mozilla has shipped Firefox 144, which fixes a dozen CVE-level bugs plus three groups of memory-safety flaws found by its fuzzers. Four issues are rated High and could be used for code execution or privilege escalation.

The most serious is CVE-2025-11708, a use-after-free in MediaTrackGraphImpl::GetInstance() reported by Irvan Kurniawan. By forcing the media pipeline to destroy an object while script still holds a reference, an attacker could convert that dangling pointer into arbitrary read/write primitives and potentially achieve remote code execution in the content process.

Two other High-risk bugs reported by Oskar L. are CVE-2025-11709 and CVE-2025-11710. The first lets a compromised renderer send malformed WebGL textures to the GPU process, triggering out-of-bounds memory access in a higher-privilege compartment. The second uses malicious IPC messages to trick the parent process into leaking chunks of its memory back to a tab controlled by the attacker, which can defeat ASLR and expose sensitive data. A fourth High-severity issue, CVE-2025-11711 found by EntryHi, allows JavaScript to overwrite properties that should be read-only, potentially letting a site tamper with security-critical flags or prototype methods.

On Android, four moderate-impact patches fix UI issues: sandboxed iframes could launch external apps without the expected allow-* permission (CVE-2025-11716); the task-switcher preview could reveal a password-editing screen (CVE-2025-11717); a fake address bar could be painted when the real one is scrolled away (CVE-2025-11718); and custom tabs could show only a site name instead of the full hostname, easing subdomain spoofing (CVE-2025-11720). Windows users receive fixes for two local-trickery bugs: the “Copy as cURL” context menu could be coerced into producing a malicious command line (CVE-2025-11713), and extensions using the native-messaging API could trigger a use-after-free crash (CVE-2025-11719). Masato Kinugawa also reported that an OBJECT tag’s type attribute can override MIME handling for responses missing a Content-Type header, aiding XSS on sites that serve user uploads without that header (CVE-2025-11712).

Mozilla’s fuzzing team also found three separate sets of memory-safety bugs (CVE-2025-11714, CVE-2025-11715, CVE-2025-11721) in the Firefox 143 codebase. The team cites evidence of memory corruption and says some of these issues could, with effort, have been exploited for arbitrary code execution.

Android

Google has released updates for Android that fix two vulnerabilities in the system component, including a critical remote code execution flaw.

The November patch once again highlights Google’s shift away from the monthly security updates that had been in place since 2015. The latest release includes a single patch level, 2025-11-01. This trend first appeared in July, when no fixes were issued for Android users, and recurred in October. However, in August and September, Google addressed more than 100 vulnerabilities, including several that were actively exploitable.

This time, only two issues were fixed. The more serious, CVE-2025-48593, stems from insufficient validation of user input, leading to remote code execution. It affects Android versions 13, 14, 15, and 16. According to Google, it requires no user interaction or special privileges to exploit.

The second issue, CVE-2025-48581, lies in the VerifyNoOverlapInSessions function within the apexd.cpp file. A logic error could allow attackers to block security updates through the main installation process, leading to local privilege escalation. This flaw affects Android 16 and, like the first, does not require user interaction or additional privileges to exploit.

Apple

Apple’s latest iOS and iPadOS updates fix bugs across more than two dozen components that could have been used to escape the sandbox, corrupt memory, or leak data.

Google’s Project Zero team (“Big Sleep”) helped identify five vulnerabilities in the WebKit engine used by Safari. Successful exploitation could cause browser crashes or memory corruption.

Alongside the mobile updates, Apple released macOS Tahoe 26.1, which includes 105 fixes—45 of which overlap with iOS 26.1 and iPadOS 26.1, including 18 WebKit flaws. The patched vulnerabilities could be exploited to corrupt kernel memory, crash the system, leak data, escape the sandbox, cause denial-of-service, perform file substitution, escalate privileges, or bypass security protections.

Apple also released macOS Sequoia 15.7.2 and macOS Sonoma 14.8.2, each addressing dozens of vulnerabilities. Additional fixes were issued for tvOS, watchOS, visionOS, and Xcode, while Safari 26.1 patched nearly two dozen issues for macOS Sonoma and Sequoia users.

Apple says it has no evidence that any of the patched vulnerabilities have been exploited in the wild.

Post SMTP

Malicious actors are exploiting a critical vulnerability in the Post SMTP plugin to take over websites by hijacking administrator accounts.

Post SMTP is a widely used mail plugin installed on more than 400,000 WordPress sites. Researcher netranger reported an email-log disclosure issue to Wordfence on October 11. The flaw was assigned CVE-2025-11833 and given a critical severity of 9.8. It affects all Post SMTP versions from 3.6.0 onward and is caused by missing authorization checks in the constructor for the PostmanEmailLogs stream. That constructor displays stored email content on request without verifying capabilities, allowing unauthenticated attackers to read arbitrary emails. Those emails can include password reset messages with links that let an attacker change an administrator password, potentially resulting in account takeover and full site compromise.

Wordfence confirmed the issue on October 15 and disclosed it to the plugin author the same day. A patch was released on October 29 as part of version 3.6.1. According to WordPress.org, only about half of users have updated, leaving roughly 210,000 sites still vulnerable. Wordfence began seeing exploit attempts on November 1 and has blocked more than 4,500 attempts. Site owners using Post SMTP should update to version 3.6.1 or remove the plugin until they can update.

Dolby

A high-severity flaw in the Dolby Unified Decoder can be used to achieve remote code execution, and in some cases it can be triggered without user interaction.

The decoder, used to process Dolby Digital Plus and other formats, writes data into a large continuous buffer. Researchers Ivan Fratric and Natalie Silvanovich of Google Project Zero found an integer-carry error when calculating write lengths, which can make the allocated buffer too small and render subsequent bounds checks ineffective. That allows later structure members to be overwritten, including pointers used when processing the next sync frame. The bug is tracked as CVE-2025-54957 (CVSS 7.0) and can be triggered by malicious audio, leading to remote code execution.
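The under-sized allocation described for the Dolby decoder, and the under-allocated buffers listed earlier as a likely GDI+ metafile root cause, share one arithmetic shape: a length sum that loses its carry. The following is an added illustration, not either product's code; it uses a constructed record format and models sizes as 32-bit unsigned integers so the wraparound is visible from Python.

```python
"""Length arithmetic in record parsers: a lost carry under-sizes the output
buffer and turns every later bounds check into a no-op.

Added illustration of the weakness class behind the GDI+ metafile
(CVE-2025-60724) and Dolby decoder (CVE-2025-54957) summaries above. The
record format is constructed for this example, not either product's; sizes are
modelled as 32-bit unsigned integers so the wraparound is visible from Python.
"""
import struct
from typing import List, Optional

U32_MAX = 0xFFFFFFFF
HEADER_FMT = "<II"  # constructed header: u32 payload_length, u32 record_type
HEADER_LEN = struct.calcsize(HEADER_FMT)

# Constructed record table: a tiny record followed by one whose declared
# length pushes the running total just past 2**32.
CONSTRUCTED_TABLE = struct.pack(HEADER_FMT, 0x10, 1) + struct.pack(HEADER_FMT, 0xFFFFFFF8, 2)


def wrapping_add_u32(a: int, b: int) -> int:
    """What a C uint32_t addition does: the carry out of bit 31 is discarded."""
    return (a + b) & U32_MAX


def checked_add_u32(a: int, b: int) -> Optional[int]:
    """Overflow-aware addition: None means the true sum does not fit in 32 bits."""
    total = a + b
    return None if total > U32_MAX else total


def parse_record_table(table: bytes) -> List[int]:
    """Read the declared payload length from each fixed-size header."""
    if len(table) % HEADER_LEN:
        raise ValueError("truncated record table")
    return [struct.unpack_from(HEADER_FMT, table, off)[0]
            for off in range(0, len(table), HEADER_LEN)]


def buffer_size_unchecked(lengths: List[int]) -> int:
    """Vulnerable: sums declared lengths with wrapping arithmetic, so the
    allocation can come out far smaller than the data it must hold."""
    total = 0
    for n in lengths:
        total = wrapping_add_u32(total, n)
    return total


def buffer_size_checked(lengths: List[int]) -> int:
    """Hardened: refuse the stream as soon as the running total overflows."""
    total = 0
    for n in lengths:
        nxt = checked_add_u32(total, n)
        if nxt is None:
            raise ValueError("declared record lengths overflow 32 bits")
        total = nxt
    return total


def record_fits_unchecked(offset: int, length: int, buffer_size: int) -> bool:
    """Vulnerable check: offset + length is itself computed with wraparound,
    so an enormous length can 'fit' a small buffer."""
    return wrapping_add_u32(offset, length) <= buffer_size


def record_fits_checked(offset: int, length: int, buffer_size: int) -> bool:
    """Hardened check: reject on overflow, then compare the true end offset."""
    end = checked_add_u32(offset, length)
    return end is not None and end <= buffer_size


if __name__ == "__main__":
    lengths = parse_record_table(CONSTRUCTED_TABLE)
    size = buffer_size_unchecked(lengths)
    print(f"declared lengths {[hex(n) for n in lengths]} -> wrapped allocation {size} bytes")
    print("record 2 passes the wrapping check:", record_fits_unchecked(0x10, lengths[1], size))
    print("record 2 passes the checked check:", record_fits_checked(0x10, lengths[1], size))
    try:
        buffer_size_checked(lengths)
    except ValueError as exc:
        print("hardened allocator rejected the stream:", exc)
```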

On Android, the flaw can be exploited remotely without user interaction because audio messages and attachments are decoded locally using the Dolby decoder. The researchers developed a proof-of-concept that causes a process crash on Pixel 9 and Samsung S24 devices and demonstrated zero-click code execution in the media codec on a Pixel 9 running build 16 BP2A.250605.031.A2. Project Zero reported the issue to Dolby in June and published details after the 90-day disclosure period expired.

Microsoft fixed the vulnerability in its October Patch Tuesday, noting exploitation on Windows requires user interaction. Google says fixes are included in recent ChromeOS updates.

WatchGuard Firebox

A new attack targets more than 75,000 WatchGuard Firebox devices that remain vulnerable to a critical flaw, CVE-2025-9242, which allows unauthenticated remote code execution. Firebox devices provide traffic control, security services, VPN, and monitoring through WatchGuard Cloud.

Shadowserver has identified 75,835 exposed Firebox endpoints worldwide, concentrated in Europe and North America. The United States leads with about 24,500 devices, followed by Germany (7,300), Italy (6,800), the United Kingdom (5,400), Canada (4,100), and France (2,000).

WatchGuard published a security bulletin on September 17, rating the issue 9.3. The bug is an out-of-bounds write in the Fireware OS iked process, which handles IKEv2 VPN negotiation. An attacker can trigger the flaw by sending specially crafted IKEv2 packets to affected devices, causing writes to unintended memory locations.

CVE-2025-9242 affects Firebox devices using IKEv2 VPN with dynamic gateways on versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1. WatchGuard recommends updating to 2025.1.1, 12.11.4, 12.5.13, or 12.3.1_update3 (B722811). Support for the 11.x branch has ended and will not receive fixes. For devices using static peer-to-peer VPN gateways only, WatchGuard points to documentation on securing IPSec and IKEv2 as a temporary measure.

There are no confirmed reports of active exploitation so far, but the large number of exposed devices creates a significant risk.

Cisco

Attackers are exploiting a zero-day vulnerability, CVE-2025-20352 (CVSS 7.7), in SNMP on Cisco IOS and IOS XE devices to deploy a Linux rootkit. The bug can be used by low-privilege actors to cause denial of service and, with higher privileges, for remote code execution. Trend Micro researchers uncovered Operation ZeroDisco, in which attackers used the vulnerability to install a rootkit on older devices including Cisco 9400, 9300, and legacy 3750G series switches.

Operators combined CVE-2025-20352 with a modified exploit for CVE-2017-3881, a Telnet vulnerability that allowed memory read and write, to escalate impact. The deployed rootkit monitors UDP packets on any port, even closed ones, enabling attackers to trigger backdoor functions. It also alters IOSd memory to set a universal password, hides parts of the running configuration in memory, bypasses VTY access control lists, disables log history, and resets configuration timestamps to conceal changes.

Trend Micro notes there is no single automated tool that reliably detects a ZeroDisco compromise across Cisco switches.

SonicWall

Over the past week more than a hundred SonicWall SSL VPN devices across 16 environments were breached in a large-scale campaign. Huntress says attackers used valid credentials from a single IP address (202.155.8[.]73) to authenticate and take control of devices. On some networks the intruders later moved laterally and expanded access. Huntress links these incidents to a recent SonicWall compromise in which attackers stole device configuration backups from the vendor’s cloud service.
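The pattern Huntress describes, valid credentials for many accounts used from one source address, is detectable in VPN authentication logs. The following is an added detection sketch, not Huntress's or SonicWall's tooling; the log format and entries are constructed, and `parse_line()` would need adapting to the appliance's real syslog schema.

```python
"""Flag SSL VPN access where one source IP authenticates successfully as many
distinct accounts in a short window.

Added detection sketch, not Huntress's or SonicWall's tooling. The log format
and entries are constructed; adapt parse_line() to the appliance's real syslog
schema. The 203.0.113.7 address is from the RFC 5737 documentation range.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class AuthEvent(NamedTuple):
    when: datetime
    src_ip: str
    user: str
    success: bool


# Constructed sample log: one address logs in as four accounts in ~2 minutes.
SAMPLE_LOG = """\
2025-11-03T08:00:01Z sslvpn auth user=alice src=198.51.100.20 result=success
2025-11-03T08:00:14Z sslvpn auth user=svc-backup src=203.0.113.7 result=success
2025-11-03T08:00:41Z sslvpn auth user=bob src=203.0.113.7 result=success
2025-11-03T08:01:05Z sslvpn auth user=carol src=203.0.113.7 result=failure
2025-11-03T08:01:09Z sslvpn auth user=carol src=203.0.113.7 result=success
2025-11-03T08:02:30Z sslvpn auth user=dave src=203.0.113.7 result=success
2025-11-03T09:15:00Z sslvpn auth user=alice src=198.51.100.20 result=success
2025-11-03T09:30:00Z sslvpn auth user=erin src=203.0.113.7 result=success
"""


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed log line into an AuthEvent."""
    ts, _service, _action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return AuthEvent(when, kv["src"], kv["user"], kv["result"] == "success")


def parse_log(text: str) -> List[AuthEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def shared_source_logins(events: List[AuthEvent],
                         window: timedelta = timedelta(minutes=10),
                         min_users: int = 3) -> Dict[str, Set[str]]:
    """Return src_ip -> accounts for every source that succeeded as at least
    `min_users` distinct accounts inside some `window`-long sliding interval.

    Only successful logins count: a spray of failures is a different signal,
    while valid credentials used in bulk from one address is what a stolen
    credential set looks like in the logs.
    """
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for ev in events:
        if ev.success:
            by_ip[ev.src_ip].append(ev)
    hits: Dict[str, Set[str]] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.when)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it covers at most `window`.
            while evs[end].when - evs[start].when > window:
                start += 1
            users = {e.user for e in evs[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = hits.get(ip, set()) | users
    return hits


if __name__ == "__main__":
    for ip, users in shared_source_logins(parse_log(SAMPLE_LOG)).items():
        print(f"{ip} authenticated as {len(users)} accounts: {sorted(users)}")
```

Tune `window` and `min_users` to the environment; shared NAT egress addresses are the usual source of false positives.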

Gladinet CentreStack

Gladinet released an update for CentreStack (16.10.10408.56683) to fix a local file inclusion flaw, CVE-2025-11371, which has been exploited as a zero-day since late September. Huntress disclosed the exploit and said it was used to bypass a mitigation for a deserialization vulnerability that can lead to remote code execution (CVE-2025-30406). The LFI allowed attackers to read a Web.config file on patched deployments, recover the machine key, and then exploit the deserialization bug. Huntress also published a minimal exploit prototype and technical details.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both OS and third-party software.
