Microsoft issued security updates to fix over 60 CVEs in the November Patch Tuesday yesterday, including one being actively exploited in the wild.
No public proof-of-concept has been released for CVE-2025-62215, although it is being used by threat actors, according to Mike Walters, president and co-founder of Action1.
“This race-condition and double-free flaw enables a locally accessible, low-privileged attacker to corrupt kernel memory and escalate to system privileges,” he explained.
“The attack requires local code execution or local access and successful timing of a race, which is complex and fragile and typically needs pool grooming and concurrent threads. The attacker only needs low privileges and no other user interaction.”
When chained with other vulnerabilities, the CVE becomes a critical threat, potentially enabling server compromise, mass credential exposure, lateral movement and ransomware deployment.
“A remote code execution or sandbox escape can supply the local code execution needed to turn a remote attack into a system takeover, and an initial low‑privilege foothold can be escalated to dump credentials and move laterally,” warned Walters.
Read more on Patch Tuesday: Last Windows 10 Patch Tuesday Features Six Zero-Days
Elsewhere this month, there were 29 elevation of privilege (EoP) vulnerabilities, 16 remote code execution (RCE) and two security feature bypass bugs fixed by Microsoft.
Of the four critical vulnerabilities in this Patch Tuesday, two are RCE, one is EoP and the fourth is an information disclosure flaw.
Ben McCarthy, lead cybersecurity engineer at Immersive, urged sysadmins to patch critical RCE bug CVE-2025-60724, which has a CVSS score of 9.8. It impacts the GDI+ (Graphics Device Interface) library – a core Windows component used for rendering 2D graphics, images and text.
“With this vulnerability, when the server-side application automatically parses a specially crafted metafile, the vulnerable GDI+ library is called. This triggers the heap overflow, allowing the attacker to corrupt memory and gain RCE on the server,” said McCarthy.
“The patch for this should be an organization’s highest priority. Given that this vulnerability can be triggered by simply uploading a file to a public-facing web application, any system that processes user-supplied documents is at risk.”
Teething Troubles For Extended Security Updates
This was the first Patch Tuesday since Windows 10 reached end of life, meaning that only individuals or organizations subscribed to Extended Security Updates (ESU) can still receive patches for the legacy OS.
However, Microsoft was forced to issue a new out-of-band update (KB5071959) yesterday after some users were unable to enroll in the program.
“This update addresses an issue in the Windows 10 Consumer Extended Security Update (ESU) enrollment process, where the enrollment wizard may fail during enrollment,” Microsoft said.
“After applying this update, consumer devices should be able to successfully enroll in ESU using the ESU wizard.”
