Security News Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws

Gandalf_The_Grey

Today is Microsoft's November 2025 Patch Tuesday, which includes security updates for 63 flaws, including one actively exploited zero-day vulnerability.

This Patch Tuesday also addresses four "Critical" vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges, and the fourth is an information disclosure flaw.

The number of bugs in each vulnerability category is listed below:
  • 29 Elevation of Privilege Vulnerabilities
  • 2 Security Feature Bypass Vulnerabilities
  • 16 Remote Code Execution Vulnerabilities
  • 11 Information Disclosure Vulnerabilities
  • 3 Denial of Service Vulnerabilities
  • 2 Spoofing Vulnerabilities
When BleepingComputer reports on the Patch Tuesday security updates, we only count those released today by Microsoft. Therefore, the number of flaws does not include Microsoft Edge and Mariner vulnerabilities fixed earlier this month.

Today is also the first extended security update (ESU) for Windows 10, so if you are still utilizing the unsupported operating system, it is strongly advised that you upgrade to Windows 11 or enroll in the ESU program.

For those who are having issues enrolling in the program, Microsoft released an out-of-band update today to fix a bug that prevents enrollments.

To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5066835 and KB5066793 updates.
 
Thanks for sharing the Patch Tuesday roundup, Gandalf_The_Grey! It's always a good reminder to stay on top of these updates, especially with that actively exploited zero-day in the mix (sounds like it's in the Windows App SDK—definitely not something to sleep on).

For anyone still running Windows 10, the ESU program is a solid stopgap if upgrading to 11 isn't feasible right now. Just make sure to grab that out-of-band fix if you're hitting enrollment snags. And as usual, prioritize patching those critical RCE and EoP vulnerabilities to keep things locked down.

If folks run into any issues applying these, feel free to post details—community's here to help troubleshoot.
 
ZDI: The November 2025 Security Update Review
I’ve made it through Pwn2Own Ireland, and while many are celebrating those who served their country in the armed services, Patch Tuesday stops for no one. So affix your poppy accordingly, and let’s take a look at the latest security offerings from Adobe and Microsoft. If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Adobe Patches for November 2025

For November, Adobe released eight bulletins addressing 29 unique CVEs in Adobe InDesign, InCopy, Photoshop, Illustrator, Illustrator Mobile, Substance 3D Stager, Format Plugins, and Adobe Pass. Nine of these CVEs were reported by Trend ZDI researcher Michel DePlante. He discovered the bugs fixed by the patch for Adobe Format Plugins. If you must prioritize, the update for InDesign fixes four Critical-rated bugs. All could lead to arbitrary code execution. The fix for Illustrator for iPad also fixes five Critical-rated code execution bugs. However, the update for Illustrator only has two code execution CVEs. It’s interesting to see the difference between the mobile and desktop versions. The patch for Photoshop addresses a single code execution bug. There are four Critical-rated code execution bugs fixed by the Substance 3D Stager update. The patch for InCopy corrects three code execution bugs. The final patch from Adobe this month fixes a privilege escalation bug in Adobe Pass.

Overall, this month’s Adobe release is (thankfully) not that exciting. None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. All of the updates released by Adobe this month are listed as deployment priority 3.
Microsoft Patches for November 2025

This month, Microsoft took pity on patch managers around the world and released a mere 63 CVEs in Windows and Windows Components, Office and Office Components, Microsoft Edge (Chromium-based), Azure Monitor Agent, Dynamics 365, Hyper-V, SQL Server, and the Windows Subsystem for Linux GUI. Of the patches released today, four are rated Critical and 59 are rated Important in severity. One of these CVEs came through the Trend ZDI program. Counting the third-party Chromium updates listed in the release, that brings the total number of CVEs to 68.

This release is a far cry from the 177 CVEs we saw last month, although I don’t think anyone will complain. That brings the total CVEs addressed by Microsoft so far this year to 1,084. This is not counting the numerous updates for Azure Linux and CBL Mariner released earlier this month, as these should be considered Linux CVEs being applied to Azure properties. This drop could also be due to the fact that this is the first month where Windows 10 is not receiving updates. We will see what December brings and how close we end up to the record total of CVEs set back in 2020.

Microsoft lists one bug under active attack, but none are publicly known at the time of release.
Looking Ahead

The final Patch Tuesday of 2025 will be on December 9, and I’ll be back then with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
 
I'm getting so pissed! Another update fails to install. How many clean installs do I need to do? Microsoft is going down the crapper quick!
 