Microsoft has rolled out its November 2025 Patch Tuesday updates, delivering fixes for 63 security vulnerabilities, including one zero-day that is already being actively exploited in the wild.
The latest release also tackles four Critical-rated flaws, two involving remote code execution (RCE), one allowing privilege escalation, and another tied to information disclosure.
Breakdown of this month’s vulnerabilities:
29 Elevation of Privilege
2 Security Feature Bypass
16 Remote Code Execution
11 Information Disclosure
3 Denial of Service
2 Spoofing
It’s worth noting that these figures only include updates released as part of this month’s official Patch Tuesday. Fixes for Microsoft Edge and Mariner that were issued earlier in November are not counted here.
This month marks the first Extended Security Update (ESU) release for Windows 10. If you’re still running the unsupported operating system, Microsoft strongly recommends upgrading to Windows 11 or enrolling in the ESU programme to continue receiving critical security patches.
Microsoft has also issued an out-of-band update to resolve a bug that was preventing some users from enrolling in the ESU programme.
The most urgent fix this month addresses a Windows Kernel elevation of privilege vulnerability (CVE-2025-62215) that attackers have already exploited to gain SYSTEM-level access on affected devices.
The flaw stems from a race condition in the Windows Kernel, which could allow an attacker with local access to elevate privileges. According to Microsoft, an attacker would need to successfully exploit the race condition to gain full control of the system.
While Microsoft’s internal security teams were credited with identifying the flaw, details of how it’s being exploited have not been publicly disclosed.
November has been a busy patching period across the wider technology ecosystem. Several major vendors have also issued important updates, including:
Adobe, with patches for Photoshop, Illustrator, InDesign, and other Creative Cloud applications.
Cisco, addressing vulnerabilities across multiple products including ASA and Identity Services, and warning of new exploit activity targeting older flaws.
Fortinet, resolving an elevation of privilege issue in FortiOS.
Google, publishing its Android November security bulletin with fixes for two high-severity bugs.
Ivanti, releasing its own batch of monthly patches.
QNAP, issuing updates for several zero-days exploited against NAS devices during a recent hacking contest.
SAP, releasing updates for multiple products, including a critical issue involving hardcoded credentials.
Samsung, with 25 fixes as part of its regular Android patch cycle.
Regular patching remains one of the most effective defences against cyber threats, but with growing complexity, many organisations still struggle to keep pace. If you’re facing delays, blind spots, or prioritisation issues, it may be time to reassess your patch management approach.
Microsoft’s November 2025 Patch Tuesday is a timely reminder that proactive vulnerability management isn’t optional, it’s essential to staying secure in an evolving threat landscape.