
Microsoft on Tuesday released patches for 63 new security vulnerabilities in its software, including one that is being actively exploited in the wild.
Of the 63 flaws, four are rated Critical and 59 are rated Important in severity. 29 of these vulnerabilities concern privilege escalation, followed by 16 for remote code execution, 11 for information disclosure, three for denial of service (DoS), two for security feature bypass, and two for spoofing.
The patches are in addition to the 27 vulnerabilities that the Windows maker has addressed in its Chromium-based Edge browser since the release of the October 2025 Patch Tuesday update.

The zero-day vulnerability flagged as exploited in Tuesday’s update is CVE-2025-62215 (CVSS score: 7.0), an elevation of privilege flaw in the Windows kernel. Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) are credited with discovering and reporting the issue.
“Concurrency using shared resources with improper synchronization (a ‘race condition’) in the Windows kernel could allow an authorized attacker to locally escalate privileges,” the company said in an advisory.
Successful exploitation, however, requires the attacker to already have a foothold on the system and to win the race condition. If both criteria are met, the attacker could gain SYSTEM privileges.
“An attacker with low-privileged local access could run a specially crafted application that repeatedly attempts to trigger this race condition,” said Ben McCarthy, lead cybersecurity engineer at Immersive.
“The goal is to disrupt the kernel’s memory management by allowing multiple threads to interact with shared kernel resources in an asynchronous manner, causing the same block of memory to be freed twice. If this ‘double free’ is successful, the kernel heap becomes corrupted, allowing an attacker to overwrite memory and hijack the system’s execution flow.”
It is currently unknown how and by whom the vulnerability is being exploited, but it is being used as part of post-exploitation activity to escalate privileges after initial access has been obtained through other means, such as social engineering, phishing, or exploitation of another vulnerability, said Satnam Narang, senior staff research engineer at Tenable.
“When chained with other bugs, this kernel conflict becomes significant. An RCE or sandbox escape can provide the local code execution needed to turn a remote attack into a SYSTEM takeover, and an initial low-privileged foothold can be escalated to dump credentials and move laterally,” Mike Walters, president and co-founder of Action1, said in a statement.
Also fixed as part of the update are two heap-based buffer overflow flaws in Microsoft Graphics Component (CVE-2025-60724, CVSS score: 9.8) and Windows Subsystem for Linux GUI (CVE-2025-62220, CVSS score: 8.8), both of which could lead to remote code execution.
Another notable vulnerability is a high-severity elevation of privilege flaw in Windows Kerberos (CVE-2025-60704, CVSS score: 7.5) that takes advantage of a missing cryptographic step to gain administrative privileges. The vulnerability has been codenamed CheckSum by Silverfort.
“In order to read or modify network communications, an attacker must insert themselves into the logical network path between the target and the resource requested by the victim,” Microsoft said. “An unprivileged attacker must wait until the user initiates the connection.”
Silverfort researchers Eliran Partush and Dor Segal, who discovered the flaw, described it as a Kerberos constrained delegation vulnerability that allows an attacker to impersonate any user and take control of an entire domain via an adversary-in-the-middle (AitM) attack.

An attacker who successfully exploited the flaw could escalate their privileges and potentially move laterally to other machines within an organization. More concerning still, the attacker could impersonate any user in the organization, gain unfettered access, or even become a domain administrator.
“Organizations using Active Directory with Kerberos delegation enabled are affected,” Silverfort said. “Because Kerberos delegation is a feature within Active Directory, an attacker must first gain access to the environment using compromised credentials.”
Software patches from other vendors
In addition to Microsoft, other vendors have released security updates over the past few weeks to fix several vulnerabilities, including:
Adobe, Amazon Web Services, AMD, Apple, ASUS, Atlassian, AutomationDirect, Bitdefender, Broadcom (including VMware), Cisco, Citrix, ConnectWise, D-Link, Dell, Devolutions, Drupal, Elastic, F5, Fortinet, GitLab, Google Android, Google Chrome, Google Cloud, Grafana, Hitachi Energy, HP, HP Enterprise (including Aruba Networking and Juniper Networks), IBM, Intel, Ivanti, Jenkins, Lenovo, Linux distributions (AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu), MediaTek, Mitsubishi Electric, MongoDB, Moxa, Mozilla Firefox and Firefox ESR, NVIDIA, Oracle, Palo Alto Networks, QNAP, Qualcomm, Rockwell Automation, Ruckus Wireless, Samba, Samsung, SAP, Schneider Electric, Siemens, SolarWinds, SonicWall, Splunk, Spring Framework, Supermicro, Synology, TP-Link, WatchGuard, and Zoom.
