A zero-day elevation-of-privilege Windows kernel flaw in servers, domain controllers, and desktops is being actively exploited and needs to be patched immediately.

That’s the advice of Satnam Narang, senior staff research engineer at Tenable, on one of the two biggest vulnerabilities that need to be addressed from among the 63 holes identified by Microsoft in today’s November Patch Tuesday releases.

Separately, SAP today released four HotNews Notes and two HighPriority Notes among its 26 new and updated security patches. One patch deletes the SQL Anywhere Monitor because of hard-coded credentials.

Also today, Adobe released eight updates, while Mozilla released three.

Windows kernel flaw

“The most urgent of the Microsoft holes to be addressed is CVE-2025-62215 (the Windows kernel vulnerability),” Narang told CSO in an email. “While there is a substantial prerequisite to exploit the bug, Microsoft confirmed active exploitation is underway. The consequences cannot be ignored, as elevation of privilege vulnerabilities are the keys to opening other doors within the organization. This is how attackers go from initial foothold to full-blown breach.”

And, as Mike Walters, president of Action1, points out, this vulnerability impacts servers and domain controllers as much as desktops.

Chris Goettl, vice president of product management at Ivanti, notes that this vulnerability affects all currently supported Windows OS editions plus the Windows 10 machines covered by the ESU (Extended Security Updates) program, “which means running Windows 10 past the end-of-life (EOL) is not a hypothetical risk.”

Ben McCarthy, lead cyber security engineer at Immersive, explained how this hole can be exploited. An attacker with low-privilege local access can run a specially crafted application that repeatedly attempts to trigger a race condition. The goal is to get multiple threads to interact with a shared kernel resource in an unsynchronized way, confusing the kernel’s memory management and causing it to free the same memory block twice. This successful “double free” corrupts the kernel heap, allowing the attacker to overwrite memory and hijack the system’s execution flow.

Microsoft says while the attack complexity to exploit this hole is high — successful exploitation requires an attacker to win a race condition — the privileges required are low. And the prize is great: An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Those in the Windows ESU program should note that, according to Nick Carroll, cyber incident response manager at Nightwing, some users have been reporting issues enrolling in the Extended Security Update program. Microsoft has recently released an out-of-band update to address issues when users try to enroll in the Windows 10 Consumer Extended Security Update program, he said. Admins planning to participate in the program should make sure to update and install KB5071959 to address the enrollment issues. After that is installed, users should be able to install other updates such as today’s KB5068781, which is the latest update to Windows 10.
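As an added example (not from the article or from Microsoft), the following PowerShell check reports whether a Windows 10 host has the two updates named above, KB5071959 (the ESU enrollment fix, which the article says must go on first) and KB5068781 (this month’s Windows 10 update). It assumes the updates are visible to Get-HotFix, which reads Win32_QuickFixEngineering and does not list every update type, so a “MISSING” result is a prompt to verify in Windows Update history rather than proof of absence.

```powershell
# Added example, not from the article: verify the ESU enrollment fix and the
# November Windows 10 update on the local host. KB numbers are the ones the
# article names; the ordering note (KB5071959 first) is also from the article.
function Test-EsuNovemberUpdates {
    [CmdletBinding()]
    param(
        # Assumed list; extend if your ESU rollout tracks more updates.
        [string[]]$RequiredUpdates = @('KB5071959', 'KB5068781')
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    Write-Verbose ("{0}: {1} (build {2})" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)

    if ($os.Caption -notmatch 'Windows 10') {
        # The ESU enrollment fix only applies to Windows 10; other editions are out of scope here.
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Update = '(n/a)'; Status = 'NotWindows10'; InstalledOn = $null }
    }

    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    foreach ($kb in $RequiredUpdates) {
        if ($installed -contains $kb) {
            $when = (Get-HotFix -Id $kb).InstalledOn
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Update = $kb; Status = 'Installed'; InstalledOn = $when }
        } else {
            # Not seen by Get-HotFix: check Windows Update history before concluding it is absent.
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Update = $kb; Status = 'MISSING'; InstalledOn = $null }
        }
    }
}

# Usage: run on each Windows 10 ESU host (or via Invoke-Command) and collect the rows.
Test-EsuNovemberUpdates -Verbose | Format-Table -AutoSize
```

Because KB5071959 has to be in place before the enrollment succeeds, a host that shows KB5068781 as missing but KB5071959 as installed is the expected intermediate state; a host missing both should be treated as not yet enrolled.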

Flaw in Visual Studio Copilot Extension

The second major vulnerability is CVE-2025-62222, a remote code execution flaw in Microsoft Visual Studio Code Copilot Chat Extension. 

While it is rated as less likely to be exploited, Narang said, it “underscores a growing interest in finding bugs in generative AI or agentic AI, which encompasses large language models, whether foundational models or open source models, and the AI-assisted code editing tools.”

Researchers at Cisco Systems said exploitation is not trivial for this vulnerability, as it requires multiple steps: prompt injection, Copilot Agent interaction, and triggering a build. Cisco notes that Microsoft assessed that the attack complexity is “high”, and that exploitation is “less likely”.

CSOs should already be addressing emerging AI risks with governance and policy enforcement, added Narang. “If Shadow AI and unchecked sanctioned AI usage run rampant through their organization, CSOs must modify their strategy to govern this emerging, complex attack surface before it’s too late.”

Kerberos vulnerability

Among the fixes released is one for CVE-2025-60704, a Kerberos delegation vulnerability in Active Directory dubbed CheckSum by researchers at Silverfort, who discovered it. If exploited, an attacker could impersonate an authenticated user, escalate privileges and stay hidden.

Because Kerberos is a way to enable applications to authenticate securely on behalf of users, abuse of it can be dangerous, Silverfort says in an explanation of this vulnerability. Using a man-in-the-middle technique, the flaw allows researchers to impersonate arbitrary users and ultimately gain control over the entire domain.

“Any organization using Active Directory with the Kerberos delegation capability turned on is impacted,” says Silverfort. “This means thousands of companies around the world are affected by this vulnerability.”
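Since Silverfort scopes the impact to domains with Kerberos delegation turned on, the first thing a defender wants is an inventory of which accounts actually have it configured. The following PowerShell is an added example, not Silverfort’s or Microsoft’s code: it queries the current domain for user and computer objects with unconstrained, constrained, protocol-transition, or resource-based delegation set. It assumes the RSAT ActiveDirectory module is available and that the caller can read the attributes named; the userAccountControl bit values are the documented Active Directory constants.

```powershell
# Added example, not from the article: inventory Kerberos delegation settings in the
# current AD domain to size the exposure to CVE-2025-60704 before and after patching.
Import-Module ActiveDirectory

# Documented userAccountControl flags (not page-specific values).
$TRUSTED_FOR_DELEGATION         = 0x0080000   # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

function Get-KerberosDelegationInventory {
    $props = 'userAccountControl',
             'msDS-AllowedToDelegateTo',
             'msDS-AllowedToActOnBehalfOfOtherIdentity'

    # Users and computers both carry delegation settings; service accounts are users.
    Get-ADObject -LDAPFilter '(|(objectCategory=computer)(objectCategory=person))' -Properties $props |
        ForEach-Object {
            $uac   = [int]$_.userAccountControl
            $kinds = @()
            if ($uac -band $TRUSTED_FOR_DELEGATION)               { $kinds += 'Unconstrained' }
            if ($_.'msDS-AllowedToDelegateTo')                    { $kinds += 'Constrained' }
            if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)       { $kinds += 'ProtocolTransition' }
            if ($_.'msDS-AllowedToActOnBehalfOfOtherIdentity')    { $kinds += 'ResourceBased' }

            if ($kinds.Count -gt 0) {
                [pscustomobject]@{
                    Name       = $_.Name
                    Class      = $_.ObjectClass
                    Delegation = ($kinds -join ',')
                    # Target SPNs for constrained delegation; empty for the other kinds.
                    Targets    = (@($_.'msDS-AllowedToDelegateTo') -join ';')
                }
            }
        }
}

# Usage: domain controllers legitimately show 'Unconstrained'; anything else with
# unconstrained or protocol-transition delegation deserves a second look.
Get-KerberosDelegationInventory | Sort-Object Delegation, Name | Format-Table -AutoSize
```

Running this before the patch gives the list of accounts whose delegation rights an attacker could abuse; running it again afterwards confirms nothing new was added during the maintenance window, and any entry with protocol transition on a non-service account is worth removing regardless of the patch.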

Microsoft Graphics Component flaw

Tyler Reguly, associate director of R&D at Fortra, was drawn to CVE-2025-60724, one of several vulnerabilities rated critical in severity. It’s a heap-based buffer overflow in Microsoft Graphics Component that could allow an unauthorized attacker to execute code over a network.

He notes that Microsoft says, “in the worst-case scenario, an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile without user interaction.”

“If I’m a CISO, then CVE-2025-60724 has me worried this month,” he told CSO. “We have a vulnerability that Microsoft and CVSS agree is critical and an attack vector that requires no user interaction and no privileges, just the ability to upload a file. We know nothing about the file type, the technologies that are impacted (other than GDI+ in the title), or the services impacted. Do I need to worry about my SharePoint infrastructure? What about third-party software – my wiki or my bug tracker? This is definitely one that feels a little spooky without a lot of extra details being provided.”

Cisco explains the vulnerability can be triggered by convincing a victim to open a document that contains a specially crafted metafile.

“In the worst-case scenario,” its researchers write, “an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile without user interaction. An attacker doesn’t require any privileges on the systems hosting the web services. Successful exploitation of this vulnerability could cause RCE or information disclosure on web services that are parsing documents that contain a specially crafted metafile, without the involvement of a victim user.”

SAP patches

The patches released by SAP today include some Notes that are updates to previously released fixes. That includes two HotNews patches. But there are two new patches, rated high priority by Onapsis, dealing with SAP Commerce Cloud (with a CVSS score of 7.5) and SAP CommonCryptoLib (also with a score of 7.5).

One of the notes, #3666261, has a CVSS score of 10. It deals with an insecure key and secret management vulnerability in SQL Anywhere Monitor with hard-coded credentials. SQL Anywhere Monitor is a browser-based administration tool that gives admins information about the health and availability of SQL Anywhere databases, MobiLink servers, and MobiLink server farms. It can also provide information about the availability of web servers, proxy servers, and host computers.

The patch removes SQL Anywhere Monitor completely, say researchers at Onapsis. As a temporary workaround, SAP recommends that admins stop using this tool and delete any instances of the SQL Anywhere Monitor database.

Another note to pay attention to, #3668705 (CVE-2025-42887), patches a code injection vulnerability in SAP Solution Manager. Due to missing input sanitization in a remote-enabled function module, authenticated attackers are able to inject malicious code into the system. Rated with a CVSS score of 9.9, this vulnerability is patched by adding an input check that rejects most non-alphanumeric characters.

“CVE-2025-42887 is particularly dangerous because it allows an attacker to inject code from a low-privileged user, which leads to a full SAP compromise and all data contained in the SAP system,” notes Joris van de Vis, director of security research at SecurityBridge.

Onapsis CTO Juan Pablo Perez-Etchegoyen also says admins need to deal quickly with Note #3633049. “Despite this being a CVSS 7.5,” he said in an email to CSO, “it is a memory corruption potentially exploitable remotely pre-authentication, and these types of vulnerability tend to be very critical because of their nature and potential for denial of service and system compromise.”

However, with many of these vulnerabilities, patching alone is not enough: architecture, exposure, segmentation, and monitoring still matter, advises Mike Walters of Action1. “CSOs need to involve not just patching teams, but also service owners (print, scan, document sharing, remote access), network/security teams (for segmentation and exposure control), and logging/monitoring teams (for post-patch verification),” he said.