Microsoft customers warned over privilege elevation flaw
Microsoft marked the penultimate Patch Tuesday of 2025 with an update lighter than of late, addressing a mere 63 common vulnerabilities and exposures (CVEs) across its product estate – a far cry from many of its recent drops averaging well over 100 – and a solitary zero-day flaw.
Tracked as CVE-2025-62215, this month’s single zero-day is an elevation of privilege (EoP) vulnerability in the Windows Kernel that sits at the core of Microsoft’s operating system. It carries a CVSS score of just 7.0 and is not rated critical in its severity; however, exploitation has been observed in the wild, although no public proof-of-concept has yet been released.
Ben McCarthy, lead cyber security engineer at Immersive, explained that the root cause of the issue stems from two combined weaknesses: one a race condition in which more than one process tries to access shared data and change it concurrently, the other a double free memory management error.
“An attacker with low-privilege local access can run a specially crafted application that repeatedly attempts to trigger this race condition,” he explained. “The goal is to get multiple threads to interact with a shared kernel resource in an unsynchronised way, confusing the kernel’s memory management and causing it to free the same memory block twice.
“This successful double-free corrupts the kernel heap, allowing the attacker to overwrite memory and hijack the system’s execution flow.”
McCarthy added: “Organisations must prioritise applying the patch for this vulnerability. While a 7.0 CVSS score won’t always top a patch list, the active exploitation status makes it a critical priority. A successful exploit grants the attacker System privileges, allowing them to completely bypass endpoint security, steal credentials, install rootkits, and perform other malicious actions. This is a critical link in an attacker’s post-exploitation playbook.”
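To make the interaction of the two weaknesses concrete, here is an added illustration constructed for this article (it is not Microsoft’s code and does not reproduce the Windows Kernel flaw): a simulated two-thread schedule in which an unsynchronised reference-count drop releases the same object twice, beside the atomic pattern that always releases it exactly once. The `shared_obj` type, the `drop_racy`/`drop_fixed` functions and the `steps` schedule array are all assumptions of this model.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Constructed model (not Microsoft's code) of a shared object that is
 * released when its last reference drops, used to show how an
 * unsynchronised reference-count check can lead to a double free. */
typedef struct {
    int refs;          /* plain counter: the racy pattern */
    atomic_int arefs;  /* atomic counter: the fixed pattern */
    int free_count;    /* times the release path ran; 2 means double free */
    char *buf;
} shared_obj;

static void release(shared_obj *o) {
    o->free_count++;
    if (o->free_count == 1) { free(o->buf); o->buf = NULL; }  /* 2nd call = bug */
}

/* Racy drop: decrement, then re-read the count to decide whether to free.
 * Each simulated thread runs three steps (load, store, check); `steps`
 * lists which thread (0 or 1) takes its next step, modelling a schedule. */
int drop_racy(const int *steps, int nsteps) {
    shared_obj o = { .refs = 2, .free_count = 0, .buf = malloc(16) };
    int tmp[2], pc[2] = { 0, 0 };
    for (int i = 0; i < nsteps; i++) {
        int t = steps[i];
        if (pc[t] == 0)      tmp[t] = o.refs;              /* load current count */
        else if (pc[t] == 1) o.refs = tmp[t] - 1;          /* store decremented */
        else if (pc[t] == 2 && o.refs == 0) release(&o);   /* re-read: 0 -> free */
        pc[t]++;
    }
    free(o.buf);  /* tidy up if the schedule leaked the object instead */
    return o.free_count;
}

/* Fixed drop: one atomic decrement; the value it returns decides ownership,
 * so exactly one thread ever observes the count reaching zero. */
int drop_fixed(const int *steps, int nsteps) {
    shared_obj o = { .free_count = 0, .buf = malloc(16) };
    atomic_init(&o.arefs, 2);
    int tmp[2], pc[2] = { 0, 0 };
    for (int i = 0; i < nsteps; i++) {
        int t = steps[i];
        if (pc[t] == 0)      tmp[t] = atomic_fetch_sub(&o.arefs, 1); /* old value */
        else if (pc[t] == 1 && tmp[t] == 1) release(&o);  /* was last ref -> free */
        pc[t]++;
    }
    free(o.buf);
    return o.free_count;
}
```

The schedule `{0,0,1,1,0,1}` (thread 0 stores 1, thread 1 stores 0, then both re-read 0) drives `drop_racy` to two releases, while every schedule leaves `drop_fixed` at one.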
In the real world, said Mike Walters, president and co-founder of Action1, there are three core business impacts that would likely arise from a successful compromise via CVE-2025-62215. Walters highlighted the potential for mass credential exposure arising from the compromise of critical file servers, lateral movement and ransomware deployment, and regulatory, financial and reputational harm from data leakage or other operational disruption.
“Exploitation is complex,” he noted, “but a functional exploit seen in the wild raises urgency, since skilled actors can reliably weaponise this in targeted campaigns.”
Also high on the agenda for November is CVE-2025-60724, an RCE vulnerability in Graphics Device Interface Plus (GDI+), which carries a CVSS score of 9.8. GDI+ is a relatively low-level component but is responsible for rendering 2D graphics, images and text, and therefore provides core functionality to a number of Microsoft applications – and numerous third-party programs, too.
Adam Barnett, Rapid7 lead software engineer, said this was as close to a zero-day as it was possible to get and likely to affect almost every asset running Microsoft software.
“In the worst-case scenario, an attacker could exploit this vulnerability by uploading a malicious document to a vulnerable web service,” he said.
“The advisory doesn’t spell out the context of code execution, but if all the stars align for the attacker, the prize could be remote code execution as System via the network without any need for an existing foothold. While this vuln almost certainly isn’t wormable, it’s clearly very serious and is definitely a top priority for almost anyone considering how to approach this month’s patches.”
Action1’s Walters added: “This is emergency-level: a network-reachable RCE with no user interaction and low attack complexity is among the most dangerous bugs. Server compromise, tenant impact in multi-tenant systems, and the potential for rapid mass exploitation make this a top priority.
“Exploitation may take time to perfect because attackers must build reliable allocator and interpreter manipulations that bypass mitigations like CFG, ASLR, and DEP. However, GDI+ and image parsing bugs have a history of being weaponised quickly.”
Critically acclaimed bugs
Finally, the docket for security teams this month includes four critical vulnerabilities, highlighted by Dustin Childs of Trend Micro’s Zero Day Initiative (ZDI). These are CVE-2025-30398, a third-party information disclosure flaw in Nuance PowerScribe 360; CVE-2025-60716, an EoP flaw in DirectX Graphics Kernel; CVE-2025-62199, an RCE flaw in Microsoft Office; and CVE-2025-62214, another RCE flaw in Visual Studio.