Patch Tuesday November 2025: Actively Exploited Windows Kernel Zero-Day and Windows 10’s New ESU Era
Microsoft’s November 2025 Patch Tuesday marks a significant milestone in the Windows ecosystem, delivering fixes for 63 vulnerabilities, including an actively exploited Windows Kernel privilege escalation zero-day, while simultaneously becoming the first Patch Tuesday where Windows 10 devices require Extended Security Updates (ESU) enrollment to receive patches. This month’s release represents a dramatic shift from October’s record-breaking 172 vulnerabilities, yet the presence of CVE-2025-62215, a race condition vulnerability being actively exploited in the wild, elevates the urgency for IT professionals and MSPs managing Windows environments. For organizations still navigating the Windows 10 end-of-support transition, Microsoft’s emergency out-of-band update KB5071959 addresses critical ESU enrollment failures that have left many systems unable to receive security updates.
Microsoft Vulnerabilities
Microsoft addressed 63 vulnerabilities this November, a substantial decrease from the previous month’s 172 patches, with four rated as Critical and 59 as Important. The standout vulnerability demanding immediate attention is CVE-2025-62215, a Windows Kernel elevation of privilege flaw that Microsoft’s Threat Intelligence Center (MSTIC) confirmed is Under Active Exploitation. This race condition vulnerability, carrying a CVSS score of 7.0, allows an authorized local attacker to gain SYSTEM privileges by exploiting improper synchronization when accessing shared kernel resources. While the attacker must win a race condition for successful exploitation, such vulnerabilities are frequently paired with code execution bugs by malware to achieve complete system compromise.
The critical vulnerabilities addressed this month present significant risks across multiple attack vectors. CVE-2025-60724, with the highest CVSS score of 9.8, is a heap-based buffer overflow in the Windows GDI+ graphics component that could enable remote code execution. An attacker could exploit this vulnerability by convincing a user to open a specially crafted document containing a malicious metafile or, more concerning, by targeting web services that parse documents without any user interaction. CVE-2025-62199, a use-after-free vulnerability in Microsoft Office, poses particular concern because Microsoft notes the Preview Pane is an attack vector, meaning exploitation doesn’t require users to open malicious files — merely previewing them in Outlook could trigger the vulnerability.
Additional critical vulnerabilities include CVE-2025-62214 affecting Visual Studio through command injection, and CVE-2025-30398 in Nuance PowerScribe 360, which exposes sensitive information including personally identifiable information through missing authorization checks. Microsoft also addressed multiple elevation of privilege vulnerabilities in the Windows Ancillary Function Driver for WinSock, including CVE-2025-60719, CVE-2025-62217, and CVE-2025-62213, all assessed as Exploitation More Likely by Microsoft’s exploitability index.
Changes in Microsoft Word Default Save Location
The default behavior for Microsoft Word save locations is being changed.
“Starting today, new documents in Word desktop on Windows (Insiders) now save directly to OneDrive, with autosave enabled,” according to a Copilot and OneDrive announcement.
While this shouldn’t affect most users, there will be a subset for whom the change creates technical and security complications. Helpdesk and security teams should be primed on these changes and prepared with established playbooks for assisting users.
Windows 10 ESU: Navigating the First Post-Support Patch Tuesday
The November 2025 Patch Tuesday represents a watershed moment for Windows 10 deployments, as it’s the first security update requiring Extended Security Updates (ESU) enrollment following the operating system’s end of support on October 14, 2025. Microsoft’s consumer ESU program offers three enrollment paths: free for users backing up to OneDrive, through Microsoft Rewards points redemption, or via a $30 one-time purchase for one year of updates. Enterprise customers face escalating costs of $61 for year one, doubling annually for up to three years, bringing the total potential cost to $427 per device.
As with most significant changes to Windows Update mechanisms, the rollout of ESU has encountered some challenges. Microsoft released emergency out-of-band update KB5071959 to address enrollment failures that displayed “Something went wrong” errors or indicated ESU was “temporarily unavailable” in certain regions, particularly affecting users in the European Economic Area. Reports indicate that without this fix, affected systems cannot receive the November security updates or any future patches. Organizations and individuals still running Windows 10 must first install KB5071959, complete ESU enrollment, and then check for the November cumulative update KB5068781.
Looking ahead, IT professionals managing Windows 10 fleets face critical decisions. While ESU provides a temporary security lifeline, it represents a stopgap measure rather than a long-term solution. The end of on-premises Exchange Server support and fewer standalone Microsoft applications signal Microsoft’s continued push toward cloud services and Windows 11 adoption. Organizations should use the ESU period to develop migration strategies, whether to Windows 11, alternative operating systems like Linux for incompatible hardware, or cloud-based solutions such as Windows 365.
Security teams should also prepare for the evolving threat landscape targeting Windows 10 systems. The long tail of Windows XP persistence in manufacturing and industrial systems demonstrated that unsupported systems can become prime targets for exploitation even when they represent a very small portion of the install base. The presence of an actively exploited kernel vulnerability in this month’s patches underscores that attackers continue developing sophisticated exploit chains, making timely patching more critical than ever.
Vulnerability Prioritization
Effective vulnerability management requires moving beyond single-dimensional severity assessments to incorporate temporal risk factors and real-world exploitation data. While CVSS scores provide a baseline understanding of technical impact, they fail to account for the window of vulnerability — the critical period between disclosure and patch deployment where exploitation risk escalates exponentially. MSPs should implement automated risk scoring frameworks that integrate multiple intelligence sources: CISA Known Exploited Vulnerabilities listings for confirmed active threats, Microsoft’s Exploitability Index assessments for likelihood metrics, Exploit Prediction Scoring System scores, and threat intelligence feeds for emerging threats targeting known vulnerabilities. This multi-dimensional approach ensures that vulnerabilities under active exploitation receive immediate prioritization regardless of their nominal severity rating, while accounting for both the technical impact and the operational reality of exploit availability. Organizations that continue relying exclusively on severity-based patching schedules expose themselves to preventable compromises, particularly from zero-day and publicly disclosed vulnerabilities that threat actors weaponize within hours of disclosure.
Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available
| CVE Number | CVE Title | Severity | Status |
| --- | --- | --- | --- |
| CVE-2025-62215 | Windows Kernel Elevation of Privilege Vulnerability | I | ED |
| CVE-2025-62213 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | I | EML |
| CVE-2025-59512 | Customer Experience Improvement Program (CEIP) Elevation of Privilege Vulnerability | I | EML |
| CVE-2025-62217 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | I | EML |
| CVE-2025-60705 | Windows Client-Side Caching Elevation of Privilege Vulnerability | I | EML |
| CVE-2025-60719 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | I | EML |
| CVE-2025-62214 | Visual Studio Remote Code Execution Vulnerability | C | ELL |
| CVE-2025-30398 | Nuance PowerScribe 360 Information Disclosure Vulnerability | C | ELL |
| CVE-2025-60724 | GDI+ Remote Code Execution Vulnerability | C | ELL |
| CVE-2025-62199 | Microsoft Office Remote Code Execution Vulnerability | C | ELL |
| CVE-2025-60716 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | C | ELL |
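The multi-source prioritization described in the Vulnerability Prioritization section, applied to rows from the table above, as an added example that is not N‑able’s code. The weights, the KEV sample set and the EPSS values are assumptions; in practice they would come from the CISA KEV and EPSS feeds.

```python
# Added example (not N-able's code): risk-based triage over this month's table.
# Weights, the KEV sample and EPSS values are assumptions, not page data.
from dataclasses import dataclass

SEVERITY_RANK = {"C": 3, "I": 2, "M": 1, "R": 0}
# Microsoft Exploitability Index status -> temporal weight (assumed)
STATUS_WEIGHT = {"ED": 100, "EML": 30, "ELL": 5, "EU": 0, "N/A": 0}
KEV_SAMPLE = {"CVE-2025-62215"}  # constructed stand-in for a CISA KEV lookup

# Rows copied from the page's table (subset)
TABLE = """\
| CVE-2025-62215 | Windows Kernel Elevation of Privilege Vulnerability | I | ED |
| CVE-2025-62213 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | I | EML |
| CVE-2025-60724 | GDI+ Remote Code Execution Vulnerability | C | ELL |
| CVE-2025-62199 | Microsoft Office Remote Code Execution Vulnerability | C | ELL |
"""

@dataclass
class Vuln:
    cve: str
    title: str
    severity: str
    status: str
    in_kev: bool = False
    epss: float = 0.0  # EPSS probability, 0..1 (assumed feed value)

def parse_table(text, kev=KEV_SAMPLE, epss=None):
    """Parse '| CVE | title | severity | status |' rows into Vuln records."""
    epss, vulns = epss or {}, []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0].startswith("CVE-"):
            cve, title, sev, status = cells
            vulns.append(Vuln(cve, title, sev, status, cve in kev, epss.get(cve, 0.0)))
    return vulns

def risk_score(v):
    """Severity sets a baseline; exploitation evidence outweighs it."""
    score = SEVERITY_RANK.get(v.severity, 0) * 10 + STATUS_WEIGHT.get(v.status, 0)
    score += 100 if v.in_kev else 0
    return score + round(v.epss * 50)

def tier(v):
    """Deployment lane: active exploitation jumps the severity-based queue."""
    if v.status == "ED" or v.in_kev:
        return "immediate"
    return "expedited" if v.status == "EML" or v.epss >= 0.1 else "standard"

def prioritize(vulns):
    """Highest risk first; CVE id breaks ties for a stable order."""
    return sorted(vulns, key=lambda v: (-risk_score(v), v.cve))
```

With these weights the Important/ED kernel bug outranks every Critical/ELL entry, and an Important/EML entry outranks a Critical/ELL one, which is the behaviour a severity-only schedule cannot produce.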
Summary
As organizations look to strengthen their cyber resilience, they should integrate third-party patching priorities into their existing patch management routines, ensuring that traditionally Microsoft-focused processes expand to address the multi-vendor threat landscape that characterizes modern environments. The convergence of Actively Exploited vulnerabilities across multiple platforms underscores the importance of comprehensive, risk-based patch management strategies that extend beyond severity ratings to encompass real-world exploitation patterns and business-critical system exposure.
As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If your approach has typically centered on patching based on severity alone, it’s crucial to expand your patch management strategies. Integrate priority handling into your Patch Management routines for patches related to zero-day vulnerabilities, vulnerabilities with Detected Exploitations, and those with a higher likelihood of exploitation.
Looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews? Check out the Patch Management section of our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.
The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd and may be common law marks, registered marks, or marks pending registration with the U.S. Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.