Be thankful: November’s Patch Tuesday has just one zero-day

This November Patch Tuesday update offers a much reduced set of updates, with only 63 Microsoft patches and (only) one zero-day (CVE-2025-62215) affecting the Windows desktop platform. Microsoft SQL Server has returned with a single update, so the Readiness team suggests a standard patch release schedule for Microsoft Office, Developer tools and Microsoft browsers. (Windows desktops do require a “Patch Now” plan, and while the severity of these security vulnerabilities is less than in October, the testing requirements are still extensive.)

To navigate these changes, the team from Readiness has provided an infographic detailing the risks of deploying the updates to each platform. (More information about recent Patch Tuesday releases is available here.)

Known issues 

Microsoft reported a single known issue, experienced across multiple Windows Server 2022/5 builds and patching methodologies: 

When installing KB5070879 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details in its error reporting. This functionality is temporarily removed to address the Remote Code Execution (RCE) vulnerability, CVE-2025-59287. If left unpatched, this could lead to deserialization of Microsoft patch data and subsequent arbitrary remote code execution. 

Major revisions and mitigations

Microsoft published several documentation and patch related updates after October‘s Patch Tuesday, including:

CVE-2025-25004: PowerShell Elevation of Privilege Vulnerability. Microsoft updated the download links for PowerShell 7.4 and version 7.5. No further action required.

CVE-2025-59287: Windows Server Update Service (WSUS) Remote Code Execution Vulnerability. There have been several updates and an out-of-bound patch to this update. Microsoft also reported known issues with this update (and the associated hot patch). Administrator scrutiny is highly advised.

CVE-2025-55315: ASP.NET Security Feature Bypass Vulnerability. Microsoft has updated the documentation for this update to reflect the increased level of severity. Hey, some justification is required when Microsoft bumped this update from a CVSS3.1 score of 9.9 to the highest possible rating of 10.0.

For those who are not familiar with the CVSS3.1 rating, there is a handy calculator that combines a base score, a temporal factor and the target environment. For those in a hurry, a CVSS3.1 score of 10.0 means “not good.”

Windows lifecycle and enforcement updates

October was a big month for Windows 10; this month, Microsoft has ended servicing for Windows 1123H2 for both Home and Pro versions. This means these versions will no longer receive security or maintenance updates. Don’t worry if you’re using Windows 11 Enterprise, as LTSC support ends Oct. 9, 2029.

Each month, Readiness team analyzes the latest updates and provides detailed, actionable testing guidance based on a large app portfolio and a comprehensive analysis of the Microsoft patches and their potential impact on Windows and app deployments. The November release delivers updates across network infrastructure, remote connectivity, and wireless components, with no high-risk flags but significant breadth requiring testing and validation.

Network and Remote Access

Network stack changes affect every application’s ability to communicate, while dual-stack environments mean both IPv4 and IPv6 paths require validation. Remote Desktop Protocol serves as the primary access method for remote workers and administrators, making connection stability non-negotiable. We suggest testing the following remote connection related areas:

Send and receive packets over both IPv4 and IPv6 protocols;

Transfer large files over IPv6 connections;

Test web browsing, file downloads, and Microsoft Teams/Skype messaging workflows;

Enable Remote Desktop (Settings > System > Remote Desktop) and verify client connections.

These Microsoft driven network updates affect fundamental connectivity from basic packet transmission to complex application workflows. IPv6 support will require dedicated validation alongside IPv4 network operations.

VPN, Bluetooth and Remote Access Services

VPN connectivity testing presents challenges because connection failures manifest as authentication issues, routing problems, or silent packet loss — each requiring different diagnostics. Several Remote Access Service components received updates this month requiring the following tests:

Enable/disable RASMAN logging and establish VPN connections to verify logging file creation.

Launch RRAS management console (local or remote) and perform configuration and viewing operations.

Test both administrative paths since different code handles each scenario.

Microsoft’s RASMAN logging provides critical VPN diagnostics, while RRAS management must work reliably to prevent stranding administrators unable to configure remote access infrastructure. Bluetooth pairings need to be tested, primarily for music. We also recommend a Microsoft Teams audio test.

Security and UI components

Smart card authentication failures create immediate security incidents, yet testing requires physical cards and configured certificate infrastructure. Desktop Window Manager problems manifest as sluggish transitions or unresponsive shortcuts. The Readiness team suggests the following testing:

Smart Cards: Test authentication for both local workstation login and remote sessions;

Desktop UI: Test Live Preview (taskbar hover), Alt+Tab switching, and Win+L system lock and verify that all UI transitions remain responsive.

Organizations should prioritize the testing of these updates based on infrastructure footprint: VPN connectivity if Remote Access Services are first, then IPv6 file transfers for dual-stack environments, and finally, Wi-Fi profile synchronization where Microsoft account ecosystems are used. Desktop Window Manager and Remote Desktop Protocol (RDP) warrant standard validation, given their universal deployment. UWP broadcast applications represent a narrow use case — most organizations can deprioritize unless specialized broadcasting apps are deployed.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

Browsers (Microsoft IE and Edge) 

Microsoft Windows (both desktop and server) 

Microsoft Office

Microsoft Exchange and SQL Server 

Microsoft Developer Tools (Visual Studio and.NET)

Adobe (if you get this far)

Browsers

Microsoft released the following Chromium updates to the Edge browser, all of which have been rated as important:

CVE-2025-12725: Out of bounds write in WebGPU

CVE-2025-12726: Inappropriate implementation in Views

CVE-2025-12727: Inappropriate implementation in V8

CVE-2025-12728 and CVE-2025-12729: Inappropriate implementation in Omnibox 

Add these low-profile updates to your standard browser release schedule.

Windows

Microsoft updated both DirectX and the GDI core Windows components to address two critical patches. The following areas have been updated with the 35 remaining patches (all rated important) for this patch cycle:

Windows SmartCard

Microsoft Hyper-V

Windows Storage and Common Error Logging system

Winsock, wireless networking and streaming services

Due to the zero-day (CVE-2025-62215) in this month’s release affecting the Windows system kernel, our team recommends a “Patch Now” schedule for these.

Microsoft Office

This month, Microsoft addressed a single critical rated vulnerability (CVE-2025-62199) for the Office platform with an additional 15 updates — all of which are rated as important. Add these Office updates to your standard release calendar.

Microsoft Exchange and SQL Server

Microsoft released a single update (CVE-2025-59499) that affects Microsoft SQL Server. Note:  this update can be part of your standard server update schedule, but will require a server restart.

Developer tools

Microsoft released a lone update (CVE-2025-62214) rated as critical and three others rated important for Visual Studio. None of these has been reported as exploited or disclosed, so we recommend adding them to your standard developer release schedule.

Adobe (and third-party updates)

We keep promising to retire this section or replace it with a section detailing Microsoft published third-party updates. That said, there were no Adobe updates and no third-party updates  (excluding Chromium) this month. We’ll give Microsoft (and Adobe) one more chance before we make any changes. C’mon Adobe!