Microsoft’s November 2025 security updates address 63 CVEs across Windows and multiple Microsoft products. (Tenable®)
Public reporting varies on the exact number of “Critical” issues (some analyses cite 4 or 5 critical CVEs for this month), likely due to differing classification/counting approaches across trackers and product groupings. (Tenable®)
Actively exploited / zero-day (confirmed)
- CVE-2025-62215 — Windows Kernel Elevation of Privilege (EoP)
  - Status: Actively exploited in the wild (zero-day) per Microsoft; also added to CISA KEV on 12 Nov 2025. (Tenable®)
  - Impact: A local attacker (already on the host) can win a race condition to obtain SYSTEM privileges. (Tenable®)
  - Links: Microsoft Advisory for CVE-2025-62215 | NVD
Highest-risk “Critical” vulnerabilities to prioritise (high level)
Microsoft and multiple CTI/vuln-management vendors highlight the following as the most operationally significant due to RCE potential and/or broad exposure. (Tenable®)
- CVE-2025-60724 — Microsoft Graphics Component (GDI+) RCE (CVSS 9.8)
  - Impact: Unauthenticated remote code execution via a heap-based buffer overflow (commonly triggered by crafted files/metafiles). (NVD)
  - Exploitation: Some vendor analyses reported no evidence of active exploitation at release; it remains a top patch priority given its CVSS score and attack surface. (CrowdStrike)
  - Links: Microsoft Advisory for CVE-2025-60724 | NVD
- CVE-2025-62199 — Microsoft Office RCE (CVSS 7.8)
  - Impact: Code execution via a malicious Office document; third-party analysis notes the Preview Pane as an attack vector (reducing user-click requirements in some workflows). (Tenable®)
  - Links: Microsoft Advisory for CVE-2025-62199 | NVD
- CVE-2025-30398 — Nuance PowerScribe (information disclosure; CVSS 8.1)
  - Impact: Remote information disclosure affecting PowerScribe deployments (health/clinical transcription environments are common PowerScribe users). (CrowdStrike)
  - Links: Microsoft Advisory for CVE-2025-30398 | NVD
- CVE-2025-60716 — DirectX Graphics Kernel EoP (CVSS 7.0)
  - Impact: Local privilege escalation to SYSTEM (use-after-free). (CrowdStrike)
  - Links: Microsoft Advisory for CVE-2025-60716 | NVD
- CVE-2025-62214 — Visual Studio RCE (AI command injection scenario; CVSS 6.7)
  - Impact: Local code execution in specific developer workflows (a multi-step chain involving prompt/agent interaction, per third-party analysis). (Cisco Talos Blog)
  - Links: Microsoft Advisory for CVE-2025-62214 | NVD
“Exploited in the wild” snapshot (what’s confirmed vs. not)
- Confirmed exploited (Microsoft + CISA KEV): CVE-2025-62215 only. (Tenable®)
- Some trackers/aggregators claim multiple exploited CVEs in the release; however, I did not find the same level of primary-source confirmation for additional “in-the-wild” exploitation beyond CVE-2025-62215 in the mainstream Patch Tuesday coverage cited above. (CrowdStrike)
Practical prioritisation
- Patch/mitigate CVE-2025-62215 first across all supported Windows endpoints/servers (treat as post-compromise privilege-escalation enabler). (Tenable®)
- Prioritise RCE exposure next: CVE-2025-60724 (GDI+) and CVE-2025-62199 (Office), especially where file rendering/parsing pipelines exist (email gateways, document processing, VDI/RDS user estates). (Tenable®)
- Target high-impact niches: Nuance PowerScribe environments (often sensitive data), and developer fleets using Visual Studio with relevant features enabled. (CrowdStrike)
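The ordering above (KEV-confirmed first, then RCE by CVSS, then the remaining niche items) and the confirmed-vs-claimed check are easy to automate. The following is an added example, not tooling from any vendor cited here; the KEV excerpt is constructed in the shape of CISA's published JSON feed, and CVSS/impact values are taken from the summary above (CVE-2025-62215 has no CVSS listed on this page, so it is left as None).

```python
import json

# Constructed excerpt in the shape of the CISA KEV JSON feed (cveID/dateAdded as
# reported above; the other fields are placeholders for illustration only).
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-62215", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-11-12", "knownRansomwareCampaignUse": "Unknown"},
]})

# This month's CVEs as summarised on this page. impact is one of RCE / EoP / Info.
ADVISORIES = [
    {"cve": "CVE-2025-62215", "product": "Windows Kernel", "impact": "EoP", "cvss": None},
    {"cve": "CVE-2025-60724", "product": "GDI+", "impact": "RCE", "cvss": 9.8},
    {"cve": "CVE-2025-62199", "product": "Office", "impact": "RCE", "cvss": 7.8},
    {"cve": "CVE-2025-30398", "product": "Nuance PowerScribe", "impact": "Info", "cvss": 8.1},
    {"cve": "CVE-2025-60716", "product": "DirectX Graphics Kernel", "impact": "EoP", "cvss": 7.0},
    {"cve": "CVE-2025-62214", "product": "Visual Studio", "impact": "RCE", "cvss": 6.7},
]


def load_kev_ids(feed_json):
    """Return the set of CVE ids present in a KEV-format feed."""
    return {entry["cveID"] for entry in json.loads(feed_json)["vulnerabilities"]}


def tier(advisory, kev_ids):
    """Tier 1: confirmed exploited (KEV). Tier 2: RCE with CVSS >= 7.0. Tier 3: the rest."""
    if advisory["cve"] in kev_ids:
        return 1
    if advisory["impact"] == "RCE" and (advisory["cvss"] or 0.0) >= 7.0:
        return 2
    return 3


def patch_order(advisories=ADVISORIES, feed_json=KEV_FEED_JSON):
    """CVE ids in recommended patch order: by tier, then by CVSS descending."""
    kev_ids = load_kev_ids(feed_json)
    ranked = sorted(advisories, key=lambda a: (tier(a, kev_ids), -(a["cvss"] or 0.0)))
    return [a["cve"] for a in ranked]


def unconfirmed_claims(claimed_exploited, feed_json=KEV_FEED_JSON):
    """Ids an aggregator marks as exploited that have no KEV (primary-source) confirmation."""
    return sorted(set(claimed_exploited) - load_kev_ids(feed_json))


if __name__ == "__main__":
    print(patch_order())
    print(unconfirmed_claims(["CVE-2025-62215", "CVE-2025-60724"]))
```

Swap the constructed feed for the live KEV JSON and the advisory list for your own inventory to reproduce the check against current data.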
