Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Redazione RHC : 13 November 2025 07:46
On November’s Patch Tuesday, Microsoft fixed 63 vulnerabilities , including a critical zero-day vulnerability that had already been exploited in attacks. This time, the fixes affected a wide range of Windows components and Microsoft products, from the operating system kernel to the Office suite and cloud solutions.
According to the company itself, the most dangerous vulnerability affected the Windows kernel and allowed for the escalation of system privileges; the vulnerability has been assigned the identifier CVE-2025-62215. The flaw allowed local privilege escalation by exploiting incorrect synchronization during resource sharing . The bug was discovered by Microsoft’s internal threat intelligence team.
Of the remaining vulnerabilities, 29 involve privilege escalation, 16 allow remote code execution, 11 provide access to sensitive information, three cause system crashes, two bypass security mechanisms, and two involve data tampering. Four of the discovered vulnerabilities have been classified as “critical,” partly due to the potential for remote code execution.
The updates affected both modern versions of Windows and legacy systems. Windows 10 received the update for the first time during extended support.
Microsoft also released an unscheduled fix for a bug that prevented users from enrolling in the ESU program . In addition to the vulnerability fixes, the company also released updates KB5066835 and KB5066793 for Windows 11 and build KB5068781 for Windows 10.
In addition to Microsoft, other vendors have also released updates. Adobe has fixed vulnerabilities in InDesign, Illustrator, Photoshop, and other products. Cisco has fixed bugs in several solutions, including ASA and user identification systems, and has raised the alarm about a new wave of attacks exploiting old vulnerabilities. A critical remote code execution bug in the JavaScript expr-eval library has been fixed .
Fortinet has released an update for FortiOS that addresses a privilege escalation issue. Google’s November Android security bulletin fixed two vulnerabilities . Additionally, Ivanti , SAP , Samsung , and QNAP have released their monthly updates in sync with Microsoft. Specifically, QNAP has fixed seven zero-day vulnerabilities demonstrated during the Pwn2Own Ireland 2025 hacking competition.
This month, vulnerabilities in Microsoft Office products, including Excel and Word, deserve special attention. Both information disclosure flaws and bugs that could allow malicious code to run when documents are opened have been fixed. Vulnerabilities have also been identified in Windows Kerberos, DirectX components, Bluetooth and Wi-Fi drivers, Remote Desktop, and the Windows Subsystem for Linux graphical user interface.
Some issues affected Visual Studio and CoPilot extensions, highlighting the vulnerabilities of the development tools.
A complete list of resolved vulnerabilities is available in Microsoft’s official documentation. Given the active exploitation of some of these vulnerabilities, it is recommended that systems be updated to the latest version as soon as possible.
Redazione