{"id":5755,"date":"2025-11-12T03:03:27","date_gmt":"2025-11-12T03:03:27","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5755"},"modified":"2025-11-12T03:03:27","modified_gmt":"2025-11-12T03:03:27","slug":"november-patch-tuesday-zero-day-windows-kernel-flaw-in-servers-controllers-and-pcs","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5755","title":{"rendered":"November Patch Tuesday: Zero day Windows kernel flaw in servers, controllers, and PCs"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A zero-day elevation-of-privilege Windows kernel flaw in servers, domain controllers, and desktops is being actively exploited and needs to be patched immediately.<\/p>\n<p>That\u2019s the advice of <a href=\"https:\/\/www.tenable.com\/profile\/satnam-narang\" target=\"_blank\" rel=\"noopener\">Satnam Narang<\/a>, senior staff research engineer at Tenable, on one of the two biggest vulnerabilities that need to be addressed from among the 63 holes identified by Microsoft in today\u2019s November Patch Tuesday releases.<\/p>\n<p>Separately, SAP today released four HotNews Notes and two High Priority Notes among its 26 new and updated security patches. One patch deletes the SQL Anywhere Monitor outright because of hard-coded credentials.<\/p>\n<p>Also today, Adobe released eight updates, while Mozilla released three.<\/p>\n<h2 class=\"wp-block-heading\">Windows kernel flaw<\/h2>\n<p>\u201cThe most urgent of the Microsoft holes to be addressed is <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2025-62215\" target=\"_blank\" rel=\"noopener\">CVE-2025-62215<\/a> (the Windows kernel vulnerability),\u201d Narang told <em>CSO<\/em> in an email. 
\u201cWhile there is a substantial prerequisite to exploit the bug, Microsoft confirmed active exploitation is underway. The consequences cannot be ignored, as elevation of privilege vulnerabilities are the keys to opening other doors within the organization. This is how attackers go from initial foothold to full-blown breach.\u201d<\/p>\n<p>And, as <a href=\"https:\/\/www.action1.com\/team\/\" target=\"_blank\" rel=\"noopener\">Mike Walters<\/a>, president of Action1, points out, this vulnerability affects servers and domain controllers as much as desktops.<\/p>\n<p><a href=\"https:\/\/www.ivanti.com\/blog\/authors\/chris-goettl\" target=\"_blank\" rel=\"noopener\">Chris Goettl<\/a>, vice president of product management at Ivanti, notes that this vulnerability affects all currently supported Windows OS editions plus the Windows 10 machines covered by the ESU (Extended Security Updates) program, \u201cwhich means running Windows 10 past the end-of-life (EOL) is not a hypothetical risk.\u201d<\/p>\n<p><a href=\"https:\/\/www.immersivelabs.com\/author\/ben-mccarthy\" target=\"_blank\" rel=\"noopener\">Ben McCarthy<\/a>, lead cyber security engineer at Immersive, explained how this hole can be exploited. An attacker with low-privilege local access can run a specially crafted application that repeatedly attempts to trigger a race condition. The goal is to get multiple threads to interact with a shared kernel resource in an unsynchronized way, confusing the kernel\u2019s memory management and causing it to free the same memory block twice. This successful \u201cdouble free\u201d corrupts the kernel heap, allowing the attacker to overwrite memory and hijack the system\u2019s execution flow.<\/p>\n<p>Microsoft says that while the attack complexity to exploit this hole is high \u2014 successful exploitation requires an attacker to win a race condition \u2014 the privileges required are low. 
And the prize is great: An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.<\/p>\n<p>Those in the Windows ESU program should note that, according to <a href=\"https:\/\/www.linkedin.com\/in\/nicholasacarroll\/\" target=\"_blank\" rel=\"noopener\">Nick Carroll<\/a>, cyber incident response manager at Nightwing, some users have been reporting issues enrolling in the Extended Security Update program. Microsoft has recently released an out-of-band update to address issues when users try to enroll in the Windows 10 Consumer Extended Security Update program, he said. Admins planning to participate in the program should make sure to update and install <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/november-11-2025-kb5071959-windows-10-version-22h2-os-build-19045-6466-out-of-band-565c78a7-5b5f-4cbd-8ca8-2a73a48f4e2b\" target=\"_blank\" rel=\"noopener\">KB5071959<\/a> to address the enrollment issues. After that is installed, users should be able to install other updates such as today\u2019s KB5068781, which is the latest update to Windows 10.<\/p>\n<h2 class=\"wp-block-heading\">Flaw in Visual Studio Copilot Extension<\/h2>\n<p>The second major vulnerability is <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2025-62222\" target=\"_blank\" rel=\"noopener\">CVE-2025-62222<\/a>, a remote code execution flaw in Microsoft Visual Studio Code Copilot Chat Extension.\u00a0<\/p>\n<p>While it is rated as less likely to be exploited, Narang said, it \u201cunderscores a growing interest in finding bugs in generative AI or agentic AI, which encompasses large language models, whether foundational models or open source models, and the AI-assisted code editing tools.\u201d<\/p>\n<p><a href=\"https:\/\/blog.talosintelligence.com\/microsoft-patch-tuesday-november-2025\/\" target=\"_blank\" rel=\"noopener\">Researchers at Cisco Systems said<\/a> exploitation is not trivial for this vulnerability, as it requires 
multiple steps: prompt injection, Copilot Agent interaction, and triggering a build. Cisco notes that Microsoft assessed the attack complexity as \u201chigh\u201d and exploitation as \u201cless likely\u201d.<\/p>\n<p>CSOs should already be addressing emerging AI risks with governance and policy enforcement, added Narang. \u201cIf Shadow AI and unchecked sanctioned AI usage run rampant through their organization, CSOs must modify their strategy to govern this emerging, complex attack surface before it\u2019s too late.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Kerberos vulnerability<\/h2>\n<p>Among the fixes released is one for <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-60704\" target=\"_blank\" rel=\"noopener\">CVE-2025-60704<\/a>, a Kerberos delegation vulnerability in Active Directory dubbed CheckSum by researchers at Silverfort, who discovered it. If exploited, an attacker could impersonate an authenticated user, escalate privileges and stay hidden.<\/p>\n<p>Because Kerberos delegation is the mechanism that lets applications authenticate on behalf of users, abuse of it can be dangerous, Silverfort says in an explanation of this vulnerability. Using a man-in-the-middle technique, the flaw allowed the researchers to impersonate arbitrary users and ultimately gain control over the entire domain.<\/p>\n<p>\u201cAny organization using Active Directory with the Kerberos delegation capability turned on is impacted,\u201d says Silverfort. \u201cThis means thousands of companies around the world are affected by this vulnerability.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Microsoft Graphics Component flaw<\/h2>\n<p>Tyler Reguly, associate director of R&amp;D at Fortra, was drawn to <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-60724\" target=\"_blank\" rel=\"noopener\">CVE-2025-60724<\/a>, one of several vulnerabilities rated critical in severity. 
It\u2019s a heap-based buffer overflow in the Microsoft Graphics Component that could allow an unauthorized attacker to execute code over a network.<\/p>\n<p>He notes that Microsoft says, \u201cin the worst-case scenario, an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile without user interaction.\u201d<\/p>\n<p>\u201cIf I\u2019m a CISO, then CVE-2025-60724 has me worried this month,\u201d he told <em>CSO<\/em>. \u201cWe have a vulnerability that Microsoft and CVSS agree is critical and an attack vector that requires no user interaction and no privileges, just the ability to upload a file. We know nothing about the file type, the technologies that are impacted (other than GDI+ in the title), or the services impacted. Do I need to worry about my SharePoint infrastructure? What about third-party software \u2013 my wiki or my bug tracker? This is definitely one that feels a little spooky without a lot of extra details being provided.\u201d<\/p>\n<p>Cisco explains that the vulnerability can be triggered by convincing a victim to open a document that contains a specially crafted metafile.<\/p>\n<p>\u201cIn the worst-case scenario,\u201d its researchers write, \u201can attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile without user interaction. An attacker doesn\u2019t require any privileges on the systems hosting the web services. Successful exploitation of this vulnerability could cause RCE or information disclosure on web services that are parsing documents that contain a specially crafted metafile, without the involvement of a victim user.\u201d<\/p>\n<h2 class=\"wp-block-heading\">SAP patches<\/h2>\n<p>The patches released by SAP today include some Notes that are updates to previously released fixes. That includes two HotNews patches. 
But there are two new patches, rated high priority by Onapsis, dealing with SAP Commerce Cloud (with a CVSS score of 7.5) and SAP CommonCryptoLib (also with a score of 7.5).<\/p>\n<p>One of the notes, <a href=\"https:\/\/me.sap.com\/notes\/3666261\" target=\"_blank\" rel=\"noopener\">#3666261<\/a>, has a CVSS score of 10. It deals with an insecure key and secret management vulnerability in SQL Anywhere Monitor, which ships with hard-coded credentials. SQL Anywhere Monitor is a browser-based administration tool that gives admins information about the health and availability of SQL Anywhere databases, MobiLink servers, and MobiLink server farms. It can also provide information about the availability of web servers, proxy servers, and host computers.<\/p>\n<p>The patch removes SQL Anywhere Monitor completely, <a href=\"https:\/\/onapsis.com\/blog\/sap-security-patch-day-november-2025\/\" target=\"_blank\" rel=\"noopener\">say researchers at Onapsis<\/a>. As a temporary workaround, SAP recommends that admins stop using this tool and delete any instances of the SQL Anywhere Monitor database.<\/p>\n<p>Another note to pay attention to, <a href=\"https:\/\/me.sap.com\/notes\/3668705\" target=\"_blank\" rel=\"noopener\">#3668705<\/a> (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-42887\" target=\"_blank\" rel=\"noopener\">CVE-2025-42887<\/a>), patches a code injection vulnerability in SAP Solution Manager. Due to missing input sanitization in a remote-enabled function module, authenticated attackers are able to inject malicious code into the system. 
Rated with a CVSS score of 9.9, this vulnerability is patched by adding an input check that rejects most non-alphanumeric characters.<\/p>\n<p>\u201cCVE-2025-42887 is particularly dangerous because it allows an attacker to inject code from a low-privileged user, which leads to a full SAP compromise and all data contained in the SAP system,\u201d notes Joris van de Vis, director of security research at SecurityBridge.<\/p>\n<p>Onapsis CTO Juan Pablo Perez-Etchegoyen also says admins need to deal quickly with Note <a href=\"https:\/\/me.sap.com\/notes\/3633049\" target=\"_blank\" rel=\"noopener\">#3633049<\/a>. \u201cDespite this being a CVSS 7.5,\u201d he said in an email to <em>CSO<\/em>, \u201cit is a memory corruption potentially exploitable remotely pre-authentication, and these types of vulnerability tend to be very critical because of their nature and potential for denial of service and system compromise.\u201d<\/p>\n<p>However, with many of these vulnerabilities, patching alone is not enough: architecture, exposure, segmentation, and monitoring still matter, advises Mike Walters of Action1. \u201cCSOs need to involve not just patching teams, but also service owners (print, scan, document sharing, remote access), network\/security teams (for segmentation and exposure control), and logging\/monitoring teams (for post-patch verification),\u201d he said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A zero-day elevation-of-privilege Windows kernel flaw in servers, domain controllers, and desktops is being actively exploited and needs to be patched immediately. 
That\u2019s the advice of Satnam Narang, senior staff research engineer at Tenable, on one of the two biggest vulnerabilities that need to be addressed from among the 63 holes identified by [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5756,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5755","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5755"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5755"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5755\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5756"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5755"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5755"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5755"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}