November 2025 Patch Tuesday Deep Dive: 1 Zero-Day and 5 Critical Vulnerabilities Among 63 CVEs

This article analyzes Microsoft's November 2025 security update in depth, covering the details of its 63 vulnerabilities, including an actively exploited Windows kernel zero-day and five Critical remote code execution and elevation of privilege vulnerabilities, together with their risk, affected scope, and mitigation strategies.

Microsoft has addressed 63 vulnerabilities in its November 2025 security update release, roughly one third of October’s record-breaking 172 patches. This month’s updates address one actively exploited zero-day vulnerability and five Critical vulnerabilities, along with 57 additional vulnerabilities of varying severity levels. There were no publicly disclosed vulnerabilities this month.

Windows 10 Extended Security Updates Begin

Before analyzing the November patches, we must note that this month marks the first Extended Security Update (ESU) release for Windows 10 following its end of support on October 14, 2025. Organizations still running Windows 10 must enroll in the ESU program to continue receiving security updates, and Microsoft requires hosts to be on version 22H2 to be eligible. For users who encountered enrollment problems, Microsoft released an out-of-band update that resolves a bug blocking ESU enrollment. More information can be found here.

November 2025 Risk Analysis

This month’s leading risk types by exploitation technique are elevation of privilege with 29 patches (46%), remote code execution (RCE) with 16 patches (25%), and information disclosure with 11 patches (18%).

Figure 1. Breakdown of November 2025 Patch Tuesday exploitation techniques

Microsoft Windows received the most patches this month with 39, followed by Microsoft Office with 12 and Developer Tools with 5.

Figure 2. Breakdown of product families affected by November 2025 Patch Tuesday

Zero-Day Vulnerability in Windows Kernel

CVE-2025-62215 is an Important elevation of privilege vulnerability affecting the Windows kernel and has a CVSS score of 7.0. This vulnerability allows authenticated local attackers with low privileges to elevate their privileges to SYSTEM level by exploiting a race condition weakness in the Windows kernel through local access to the system.

There is evidence of active exploitation in the wild. Microsoft has attributed the discovery to the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) but has not shared details about how the vulnerability was exploited. The vulnerability affects all supported versions of Windows systems and requires local access, low privileges, and no user interaction to exploit. Microsoft notes attack complexity is high.

When successfully exploited, attackers can gain SYSTEM privileges by winning a race condition, potentially allowing them to completely compromise the confidentiality, integrity, and availability of affected Windows systems. This marks the 11th elevation of privilege vulnerability patched in the Windows kernel in 2025, with five in the October 2025 Patch Tuesday release.

Table 1. Important zero-day vulnerability in Windows kernel

| Severity | CVSS Score | CVE | Description |
| :--- | :--- | :--- | :--- |
| Important | 7.0 | CVE-2025-62215 | Windows Kernel Elevation of Privilege Vulnerability |

Critical Vulnerability in Microsoft Graphics Component (GDI+)

CVE-2025-60724 is a Critical remote code execution vulnerability affecting Microsoft Graphics Component (GDI+) and has a CVSS score of 9.8, the highest severity rating this month. It had not been publicly disclosed, and there is no evidence of active exploitation in the wild.

This vulnerability allows unauthenticated remote attackers to execute arbitrary code by exploiting a heap-based buffer overflow weakness in GDI+ over a network connection. An attacker could exploit this vulnerability by convincing a victim to download and open a document containing a specially crafted metafile. In the worst-case scenario, an attacker could exploit this vulnerability on web services by uploading documents containing a specially crafted metafile without user interaction, affecting systems that parse documents with graphics content.

When successfully exploited, attackers can achieve remote code execution or information disclosure on web services by parsing documents with specially crafted metafiles, potentially compromising systems without victim involvement. The vulnerability affects systems utilizing Microsoft Graphics Component for document rendering and graphics processing.

Table 2. Critical vulnerability in Microsoft Graphics Component (GDI+)

| Severity | CVSS Score | CVE | Description |
| :--- | :--- | :--- | :--- |
| Critical | 9.8 | CVE-2025-60724 | Microsoft Graphics Component Remote Code Execution Vulnerability |

Critical Vulnerability in Nuance PowerScribe

CVE-2025-30398 is a Critical information disclosure vulnerability affecting Nuance PowerScribe 360 and PowerScribe One and has a CVSS score of 8.1. It has not been publicly disclosed, and there is no evidence of active exploitation in the wild.

This vulnerability allows unauthenticated remote attackers to disclose sensitive information by exploiting missing authorization in Nuance PowerScribe over a network connection. It affects multiple versions of Nuance PowerScribe 360 (versions 4.0.1 through 4.0.9) and PowerScribe One (versions 2019.1 through 2019.10, and 2023.1 SP2 Patch 7) and can be exploited remotely with low attack complexity, requiring no privileges but requiring user interaction.

When successfully exploited, attackers can disclose PowerScribe configuration settings by making an API call to a specific endpoint after a user initiates a connection, potentially causing major loss of confidentiality and integrity on affected systems.

Table 3. Critical vulnerability in Nuance PowerScribe

| Severity | CVSS Score | CVE | Description |
| :--- | :--- | :--- | :--- |
| Critical | 8.1 | CVE-2025-30398 | Nuance PowerScribe 360 Information Disclosure Vulnerability |

Critical Vulnerability in Microsoft Office

CVE-2025-62199 is a Critical remote code execution vulnerability affecting Microsoft Office and has a CVSS score of 7.8. This vulnerability allows unauthenticated local attackers to execute arbitrary code by exploiting a use-after-free weakness in Microsoft Office through local access to the system, with user interaction required.

The vulnerability has not been publicly disclosed, and there is no evidence of active exploitation in the wild. The vulnerability affects Microsoft 365 Apps for Enterprise (32-bit and 64-bit), Microsoft Office LTSC 2021 and 2024 (32-bit and 64-bit), Microsoft Office 2016 (32-bit and 64-bit), Microsoft Office LTSC for Mac 2021 and 2024, and Microsoft Office for Android. Exploitation requires local access with low attack complexity, requiring no privileges but requiring user interaction.

When successfully exploited, attackers can achieve arbitrary code execution when a user opens a malicious file. The Preview pane is an attack vector for this vulnerability, continuing a pattern observed in similar Office vulnerabilities throughout 2023-2025 (April 2023, July 2023, December 2023, October 2024, January 2025, February 2025, April 2025, June 2025, September 2025).

Table 4. Critical vulnerability in Microsoft Office

| Severity | CVSS Score | CVE | Description |
| :--- | :--- | :--- | :--- |
| Critical | 7.8 | CVE-2025-62199 | Microsoft Office Remote Code Execution Vulnerability |

Critical Vulnerability in DirectX Graphics Kernel

CVE-2025-60716 is a Critical elevation of privilege vulnerability affecting the DirectX Graphics kernel and has a CVSS score of 7.0. This vulnerability allows authenticated local attackers with low privileges to elevate their privileges to SYSTEM level by exploiting a use-after-free weakness in Windows DirectX through local access to the system.

The vulnerability has not been publicly disclosed, and there is no evidence of active exploitation in the wild. The vulnerability affects all supported versions of Windows, including Windows 10 (versions 1809, 21H2, and 22H2), Windows 11 (versions 23H2, 24H2, and 25H2), and Windows Server 2019, 2022, and 2025 (including Server Core installations). Exploitation requires local access with high attack complexity, requiring low privileges but no user interaction.

When successfully exploited, attackers can gain SYSTEM privileges by winning a race condition, potentially allowing them to completely compromise the confidentiality, integrity, and availability of affected Windows systems.

Table 5. Critical vulnerability in DirectX Graphics kernel

| Severity | CVSS Score | CVE | Description |
| :--- | :--- | :--- | :--- |
| Critical | 7.0 | CVE-2025-60716 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |

Critical Vulnerability in Visual Studio

CVE-2025-62214 is a Critical remote code execution vulnerability affecting Microsoft Visual Studio 2022 version 17.14 and has a CVSS score of 6.7. This vulnerability allows authenticated local attackers with high privileges to execute arbitrary code by exploiting a command injection weakness in Visual Studio through local access to the system.

The vulnerability has not been publicly disclosed, and there is no evidence of active exploitation in the wild. The vulnerability requires local access to exploit with high attack complexity, requiring high privileges but no user interaction.

When successfully exploited, attackers can achieve arbitrary code execution through a multi-step process involving prompt injection, Copilot Agent interaction, and triggering a build.

Table 6. Critical vulnerability in Visual Studio 2022

| Severity | CVSS Score | CVE | Description |
| :--- | :--- | :--- | :--- |
| Critical | 6.7 | CVE-2025-62214 | Visual Studio Remote Code Execution Vulnerability |

Patch Tuesday Dashboard in the Falcon Platform

For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.

The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources

- For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
- Learn how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments. Make prioritization painless and efficient.
- Watch how Falcon Exposure Management enables IT staff to improve visibility with custom filters and team dashboards.
- Find out how CrowdStrike Falcon® Next-Gen Identity Security products can stop workforce identity threats faster.
- Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.
