Microsoft Patch Tuesday for November 2025 — Snort rules and prominent vulnerabilities

Microsoft’s November 2025 Patch Tuesday addresses 63 vulnerabilities across its product line, with five designated as critical. One vulnerability, CVE-2025-62215, is already being exploited in the wild, highlighting the urgency for security teams to deploy these updates. The critical vulnerabilities span various components, including GDI+, Microsoft Office, Visual Studio, and the DirectX Graphics Kernel, potentially leading to remote code execution (RCE) or privilege escalation.

The actively exploited vulnerability, CVE-2025-62215, is a Windows Kernel elevation of privilege flaw. It carries a CVSS score of 7.8 and stems from a race condition in the Windows Kernel, which could allow a local attacker with authorization to gain elevated privileges. Microsoft has assessed the attack complexity as low, increasing the risk profile. Among the critical vulnerabilities, CVE-2025-60724 poses a significant threat: an RCE vulnerability in GDI+ with a CVSS score of 9.8. This heap-based buffer overflow in the Microsoft Graphics Component could allow an unauthenticated attacker to execute code remotely.

Successful exploitation of CVE-2025-60724 can occur if a victim downloads and opens a specially crafted metafile. Web services that parse such files are also vulnerable, even without user interaction, potentially leading to RCE or information disclosure. Other critical vulnerabilities include CVE‑2025‑30398, an information disclosure vulnerability in Nuance PowerScribe 360; CVE‑2025‑62199, an RCE vulnerability in Microsoft Office; CVE‑2025‑60716, a DirectX Graphics kernel elevation of privilege vulnerability; and CVE‑2025‑62214, an RCE vulnerability in Visual Studio.

Microsoft has assessed that exploitation is less likely for the critical vulnerabilities beyond the one being actively exploited. Several important vulnerabilities have been labeled by Microsoft as more likely to be exploited, including CVE‑2025‑59512 (Customer Experience Improvement Program (CEIP) Elevation of Privilege Vulnerability) and multiple Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerabilities (CVE-2025-60719, CVE-2025-62217, CVE-2025-62213). Defenders should prioritize these issues.

To address these vulnerabilities, Talos is releasing new Snort rules (65496-65501, 65507-65510, and Snort 3 rules 301343-301345, 301347, 301348) to detect exploitation attempts. Cisco Security Firewall customers should update their SRU to receive the latest protection. Open-source Snort Subscriber Ruleset customers can download the latest rule pack from Snort.org. Security teams should promptly apply these updates and monitor their systems for any signs of exploitation, especially focusing on the actively exploited CVE-2025-62215 and the high-risk CVE-2025-60724.

To read the complete article see: https://blog.talosintelligence.com/microsoft-patch-tuesday-november-2025/