On 2025-11-12, Microsoft released security patches addressing 63 vulnerabilities, including an actively exploited zero-day in the Windows Kernel. The zero-day vulnerability, identified by Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC), involves a race-condition privilege escalation flaw.
Critical Vulnerabilities Addressed
The November update contains four Critical and 59 Important vulnerabilities. Key types include privilege escalation (29), remote code execution (16), information disclosure (11), denial-of-service (3), security feature bypass (2), and spoofing bugs (2).
- The zero-day is rated CVSS 7.0 and allows privilege escalation via a race condition.
- A Critical buffer overflow in Microsoft's Graphics Component (CVSS 9.8) can lead to remote code execution.
- Updates also involve the Chromium-based Edge browser.
Exploitation Details
The zero-day vulnerability in the Windows Kernel allows an attacker, who already has local access, to elevate their privileges to SYSTEM level. This has been exploited post-initial access through social engineering or chaining with other vulnerabilities for comprehensive system takeover. Ben McCarthy from Immersive explained that a crafted application exploiting this flaw can trigger kernel heap corruption.
When combined with other vulnerabilities, this flaw can facilitate credential theft and lateral movement within networks. The vulnerability poses significant risk when exploited together with remote code execution bugs or sandbox escapes.
Industry Reactions and Updates
Analysts note the strategic importance of promptly applying these patches, given the ongoing exploitation in the wild. In response to these vulnerabilities, other vendors, including several Linux distributions and Mozilla, have issued related security updates. This coordinated response underscores the critical nature of the threats addressed.
