Microsoft’s November 2025 Patch Tuesday Updates Fix 63 Windows Flaws

Microsoft’s November 2025 Patch Tuesday delivers major security fixes and new Windows 11 experience updates.

Windows update hero image

Key Takeaways:

  • Microsoft’s November 2025 Patch Tuesday addresses 63 vulnerabilities.
  • The update introduces a redesigned Start Menu, taskbar and battery improvements, and new Copilot+ features for versions 25H2 and 24H2.
  • A new Administrator Protection preview enhances system security.

Microsoft has started rolling out the November 2025 Patch Tuesday updates for Windows 11. This month, Microsoft has fixed 63 vulnerabilities in Windows, Office, Microsoft Edge, Azure Monitor Agent, Dynamics 365, Hyper-V, SQL Server, and other components.

On the quality and experience updates front, Microsoft has rolled out a redesigned Start Menu and a couple of other new capabilities to Windows 11 versions 25H2 and 24H2. The latest update also brings Click to Do improvements and other changes for users with Copilot+ devices.

63 vulnerabilities fixed in the November 2025 Patch Tuesday updates

Among the 63 Windows vulnerabilities Microsoft fixed this month, four are rated “Critical” and 59 are rated “Important” in severity. One of those vulnerabilities is already being exploited in the wild, and you can find more details about all of them below:

CVE-2025-62215: This is a Windows Kernel privilege escalation vulnerability that could allow hackers to gain admin-level rights on Windows devices. This flaw requires the attackers to win a race condition to gain system privileges.

CVE-2025-60724: This is a critical heap-based buffer overflow vulnerability in the Microsoft Graphics Component (GDI+) that allows remote code execution without authentication. This flaw carries a CVSS score of 9.8 and doesn’t require any user interaction or privileges.

CVE-2025-60704: This is a high-severity vulnerability in Windows Kerberos with a CVSS score of 7.5. It affects all organizations using Active Directory, with the Kerberos delegation capability enabled.

CVE-2025-62220: This is a heap-based buffer overflow vulnerability in the Windows Subsystem for Linux GUI (WSLg) with a CVSS score of 8.8. This flaw could allow an attacker to execute arbitrary code remotely through crafted inputs.

CVE-2025-60719: This vulnerability is an untrusted pointer dereference in the Windows Ancillary Function Driver for WinSock (afd.sys). It could enable a local attacker with low privileges to escalate to SYSTEM.

CVE-2025-62213: This is a use-after-free flaw in afd.sys (WinSock driver) that could allow an authenticated local attacker to gain elevated privileges. This flaw carries a CVSS score of 7.0 (High).

CVE-2025-62217: This race condition vulnerability in afd.sys occurs due to improper synchronization of shared resources.

You can find the full list of CVEs released by Microsoft with the November 2025 Patch Tuesday updates below:

TagCVEBase ScoreCVSS VectorExploitabilityFAQs?Workarounds?Mitigations?
Nuance PowerScribeCVE-2025-303988.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft Configuration ManagerCVE-2025-471796.7CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft Office ExcelCVE-2025-592405.5CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
SQL ServerCVE-2025-594998.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Azure Monitor AgentCVE-2025-595047.3CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Windows Smart CardCVE-2025-595057.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Windows DirectXCVE-2025-595067CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Windows SpeechCVE-2025-595077CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Windows SpeechCVE-2025-595087CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Windows SpeechCVE-2025-595095.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Windows Routing and Remote Access Service (RRAS)CVE-2025-595105.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CExploitation Less LikelyNoNoNo
Windows WLAN ServiceCVE-2025-595117.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Customer Experience Improvement Program (CEIP)CVE-2025-595127.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation More LikelyYesNoNo
Windows Bluetooth RFCOM Protocol DriverCVE-2025-595135.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft Streaming ServiceCVE-2025-595147.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Windows Broadcast DVR User ServiceCVE-2025-595157CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Windows Remote DesktopCVE-2025-607037.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Windows KerberosCVE-2025-607047.5CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Windows Client-Side Caching (CSC) ServiceCVE-2025-607057.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation More LikelyYesNoNo
Role: Windows Hyper-VCVE-2025-607065.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Multimedia Class Scheduler Service (MMCSS)CVE-2025-607077.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Storvsp.sys DriverCVE-2025-607086.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Windows Common Log File System DriverCVE-2025-607097.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Host Process for Windows TasksCVE-2025-607107.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Windows Routing and Remote Access Service (RRAS)CVE-2025-607137.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Windows OLECVE-2025-607147.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Windows Routing and Remote Access Service (RRAS)CVE-2025-607158CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Windows DirectXCVE-2025-607167CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Windows Broadcast DVR User ServiceCVE-2025-607177CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Windows Administrator ProtectionCVE-2025-607187.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Windows Ancillary Function Driver for WinSockCVE-2025-607197CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation More LikelyYesNoNo
Windows TDX.sysCVE-2025-607207.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Windows Administrator ProtectionCVE-2025-607217.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:T/RC:CExploitation Less LikelyYesNoNo
OneDrive for AndroidCVE-2025-607226.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Windows DirectXCVE-2025-607236.3CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft Graphics ComponentCVE-2025-607249.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft Office ExcelCVE-2025-607267.1CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft Office ExcelCVE-2025-607277.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft Office ExcelCVE-2025-607284.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft OfficeCVE-2025-621997.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft Office ExcelCVE-2025-622007.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft Office ExcelCVE-2025-622017.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft Office ExcelCVE-2025-622027.1CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft Office ExcelCVE-2025-622037.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Microsoft Office SharePointCVE-2025-622048CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft Office WordCVE-2025-622057.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft Dynamics 365 (on-premises)CVE-2025-622066.5CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Windows License ManagerCVE-2025-622085.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Windows License ManagerCVE-2025-622095.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Dynamics 365 Field Service (online)CVE-2025-622108.7CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Dynamics 365 Field Service (online)CVE-2025-622118.7CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Windows Ancillary Function Driver for WinSockCVE-2025-622137CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation More LikelyYesNoNo
Visual StudioCVE-2025-622146.7CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Windows KernelCVE-2025-622157CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:CExploitation DetectedYesNoNo
Microsoft OfficeCVE-2025-622167.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Windows Ancillary Function Driver for WinSockCVE-2025-622177CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation More LikelyYesNoNo
Microsoft Wireless Provisioning SystemCVE-2025-622187CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Microsoft Wireless Provisioning SystemCVE-2025-622197CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Windows Subsystem for Linux GUICVE-2025-622208.8CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation UnlikelyYesNoNo
Visual Studio Code CoPilot Chat ExtensionCVE-2025-622228.8CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Visual Studio Code CoPilot Chat ExtensionCVE-2025-624496.8CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
Windows Routing and Remote Access Service (RRAS)CVE-2025-624528CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo
GitHub Copilot and Visual Studio CodeCVE-2025-624535CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:CExploitation Less LikelyYesNoNo

Quality and experience updates

On Windows 11 versions 25H2 and 24H2, the KB5068861 patch brings improvements to Click to Do, File Explorer, Voice Access, and Windows Search for Copilot+ PCs. The Windows 11 Taskbar is also getting several enhancements this month. The battery icon now features different colors that indicate whether the battery is in battery saver mode, in charging, in good health, or is critically low.

Additionally, Microsoft has also updated the Windows 11 Start Menu this month. The new Start menu features a scrollable All section with category and grid views, a responsive layout for any screen size, and Phone Link integration via a collapsible side panel accessed through a mobile button next to the search box.

Microsoft has rolled out the Administrator Protection feature in preview for Windows 11 devices. It uses User Account Control (UAC) and security policies to prevent unauthorized changes by requiring admin approval for system-level actions. It can be enabled in Windows Security or via Microsoft Intune or Group Policy.

Microsoft has released KB5068781, the first Windows 10 Extended Security Update after end-of-support, which fixes an incorrect “end of support” message and includes November Patch Tuesday security fixes for 63 vulnerabilities, including one actively exploited flaw. This update is available only to devices enrolled in the Windows 10 Extended Security Updates (ESU) program.

Windows Update testing and best practices

Organizations looking to deploy this month’s patches should conduct thorough testing before deploying them widely on production systems. That said, applying the patches widely shouldn’t be delayed longer than necessary, as hackers start to work out how to weaponize newly reported vulnerabilities.

A best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.

There are backup tools built into Windows and Windows Server that you can use to restore systems in the event a patch causes a problem. The backup features in Windows can be used to restore an entire system or files and folders on a granular basis.

Rabia Noureen profile picture
Rabia Noureen News Editor

Follow

Rabia has a master's degree in Software Engineering and she has years of experience writing professionally about Microsoft products and other technologies. Rabia has also written for OnMSFT.com as well as Windows Report. She is always up to date on t...

SHARE ARTICLE

Related Articles

See all