News
1 Zero-Day, 4 Critical Items Addressed in November Patch Tuesday
Microsoft's latest Patch Tuesday brings fixes for 63 security flaws spread across Windows, Office and several other Microsoft products, including one zero-day vulnerability.
The zero-day flaw, CVE-2025-62215, is a privilege escalation flaw in the Windows kernel that allows attackers with local access to gain full system control. Microsoft said the issue stems from a race condition and has been seen in active attacks, making it the most urgent patch to deploy. The flaw affects all supported Windows versions, including those enrolled in the Windows 10 Extended Security Updates program.
While the flaw has not been seen exploited in the wild, details are out in the open -- so expect attacks to target unpatched users to arrive shortly. It's also important to note that this vulnerability does affect Windows 10. Those who are not enrolled in extended security update (ESU) support for Windows 10 may want to consider migrating to Windows 11 as soon as possible.
Once that zero-day is handled, Microsoft says four other critical vulnerabilities should be next in line for patching.
The first, CVE-2025-60716, hits the DirectX Graphics Kernel. It's another privilege-escalation issue that requires local access but could be paired with a remote exploit for a full compromise. Machines that process untrusted graphics files or rely heavily on GPU workloads — such as engineering, gaming or developer systems — should be updated without delay.
Next is CVE-2025-62199, a Microsoft Office vulnerability that allows attackers to execute code when someone opens or previews a malicious document. The Preview Pane can also trigger it, keeping phishing emails squarely in play as a likely delivery method. Microsoft recommends patching Office immediately and tightening up policies for handling attachments and shared documents.
The third item, CVE-2025-30398, affects Nuance PowerScribe 360, a voice-recognition and reporting tool used widely in health-care environments. This flaw could expose sensitive information stored on affected servers. Given its potential to leak patient data, medical organizations running PowerScribe 360 should make this update a top priority.
Finally, CVE-2025-62214 targets Visual Studio. An attacker could run code by convincing a developer to open a tampered project file. Because developer machines often have privileged access to source repositories and build pipelines, this bug carries real supply-chain implications. Patching Visual Studio and being cautious about external project sources are both smart moves.
Altogether, November's release is a reminder that even a single overlooked patch can open the door to serious trouble. IT admins are being urged to start with the Windows kernel zero-day, then move through the critical fixes in order of exposure.
A full list of Microsoft's November security bulletins can be found here.