Op-Ed: Microsoft publishes 66 new vulnerabilities for November’s Patch Tuesday

This page was created programmatically. To read the article in its original location, go to the link below:
https://www.cyberdaily.au/security/12888-op-ed-microsoft-publishes-66-new-vulnerabilities-fpr-november-s-patch-tuesday
If you wish to remove this article from our site, please contact us.


Microsoft is publishing 66 new vulnerabilities, which is far fewer than we’ve come to expect in recent months.

There’s a lone exploited-in-the-wild zero-day vulnerability, which Microsoft assesses as critical severity, although there’s apparently no public disclosure yet. Three critical remote code execution (RCE) vulnerabilities are patched today; happily, Microsoft currently assesses all three as less likely to see exploitation.

Five browser vulnerabilities and a dozen or so fixes for Azure Linux (aka Mariner) have already been published separately this month and are not included in the total.

CVE-2025-60724 is today’s non-publicly-disclosed, critical-severity, exploited-in-the-wild zero-day. Worse, it’s likely to affect almost every asset running Microsoft software. As the advisory notes, in the worst-case scenario, an attacker could exploit this vulnerability by uploading a malicious document to a vulnerable web service. The advisory doesn’t spell out the context of code execution, but if all the stars align for the attacker, the prize could be remote code execution as SYSTEM via the network without any need for an existing foothold.

While this vulnerability almost certainly isn’t wormable, it’s clearly very serious and is surely a top priority for almost anyone considering how to approach this month’s patches.

The weakness underlying CVE-2025-60724 is CWE-122: Heap-based buffer overflow, a concept that celebrated its fiftieth birthday a few years ago. As the authors of the original 1972 paper noted: “If the code makes use of an internal buffer, there is a possibility that a user could input enough data to overwrite other portions of the program’s private storage.”

Regarding computer security in general, they opined that “this problem is neither hopeless nor solved. It is, however, perfectly clear […] that solutions to the problem will not occur spontaneously, nor will they come from the various well-intentioned attempts to provide security as an add-on to existing systems”.

CVE-2025-62199 describes a critical RCE vulnerability in Microsoft Office, where exploitation relies on the user downloading and opening a malicious file. The attacker is remote, and that’s enough to satisfy the RCE designation, even if the action is taken on the local system by the unwitting user. Anyone hoping that the Preview Pane is not a vector will be sadly disappointed, and this certainly increases the probability of real-world exploitation, since there’s no need for the attacker to craft a way around those pesky warnings about enabling dangerous content.

Just scrolling through a list of emails in Outlook could be enough.

Some attacks are simple, with only a single step needed to reach the finish line. Others, like Visual Studio critical RCE CVE-2025-62214, require that the attacker execute a complex chain of events. In this case, exploitation demands multi-stage abuse of the Visual Studio Copilot extension, including prompt injection, agent interaction, and triggering a build. The advisory doesn’t describe the context of code execution. If the prize is simply code execution on an asset in the context of the user, there’s no obvious advancement for the attacker, since exploitation already requires code execution on the asset by the attacker or the targeted user. The brief description of the attack chain does mention that the attacker would need to trigger a build.

On that basis, possible outcomes might include execution in an elevated context or compromised build artefacts, although the advisory doesn’t provide enough information to be certain either way.

SQL Server admins should take note of CVE-2025-59499, which describes an elevation of privilege (EoP) vulnerability. Although some level of existing privileges is required, successful exploitation will permit an attacker to run arbitrary Transact-SQL (T-SQL) commands. T-SQL is the language that SQL Server databases and clients use to communicate with one another. Although the default configuration for SQL Server disables the xp_cmdshell functionality, which allows direct call-outs to the underlying OS, there’s more than one way to shine a penny, and the only safe assumption here is that exploitation will lead to code execution in the context of SQL Server itself.

Patches are available for all supported versions of SQL Server.

Following the sweeping life cycle changes seen in October 2025, Microsoft is taking it fairly easy this month. The only significant transition today is the end of support for Windows 11 Home and Pro 23H2.

Unlike the demise of Windows 10, this much smaller change won’t affect most people; a small number of older CPUs won’t make the cut, since Windows 11 24H2 introduces a requirement for a couple of newer CPU instruction sets. Microsoft provides lists of compatible Intel, AMD, and Qualcomm CPU series.

