November Patch Tuesday is the first Patch Tuesday after the EoL of Windows 10. In the shadow of Windows 10, there are a number of other product EoLs of note. Exchange Server, for one, is getting some additional attention. Microsoft announced a 6-month ESU option for Exchange 2016/2019 servers for customers who need the extension. Their guidance, however, is not to rely on this program and to make every attempt to move off of Exchange and move to Exchange SE in time. Cybersecurity agencies across the globe have also collaborated to provide a Security Best Practices guide for Microsoft Exchange Server.

Microsoft resolved 63 unique vulnerabilities this month, including one known exploited CVE (CVE-2025-62215). The exploited CVE is an Elevation of Privilege vulnerability in the Windows Kernel that can allow an attacker to gain SYSTEM-level privileges on the target system. Affected products this month include Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot and Azure Monitor Agent.  

For third-party updates, Oracle released their quarterly Critical Patch Update on October 21, 2025. This included many updates including Java. With the release of Java comes a stream of Java framework updates, including RedHat OpenJDK, Amazon Corretto, Azul Zulu, Eclipse Adoptium, Adopt OpenJDK and others.  

Patch Tuesday third-party updates include eight from Adobe and three from Mozilla, and Google Chrome released a stability and performance update this month (no CVEs reported).  

Microsoft’s exploited vulnerability 

Microsoft has resolved an Elevation of Privilege vulnerability (CVE-2025-62215), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 7.0. The vulnerability requires an attacker to win a race condition, but if exploited it would allow the attacker to gain SYSTEM privileges on the affected system. The vulnerability affects all currently supported Windows OS editions and Windows 10 ESU, which means the risk of running Windows 10 past the EoL without ESU is not hypothetical. Ensure you are subscribing to Windows 10 ESU and providing additional mitigations where possible.  

Ivanti security advisories 

Ivanti has released one Security Advisory for November Patch Tuesday, resolving three CVEs. The security advisory for Ivanti Endpoint Manager provides details on vulnerable versions. Also, the advisory reminds Ivanti Endpoint Manager customers that version 2022 reached End of Life at the end of October 2025. All Ivanti EPM customers are urged to upgrade to 2024 SU4 to remediate the three vulnerabilities.    

For more details, you can view the updates and information provided in the November Security Update on the Ivanti blog. 

Third-party vulnerabilities 

  • Adobe released eight updates resolving 28 CVEs. All eight updates are rated priority three.  
  • Mozilla released three updates resolving a total of 29 CVEs.  
  • Google Chrome just released a stability and performance update, but it has resolved 27 CVEs since October Patch Tuesday. 

November update priorities 

  • The Windows OS is the highest priority this month, with one zero-day exploit.  
  • Continue to monitor your environment for EoL software. Beyond Windows 10 EoL, there are editions of Office that are now EoL along with Exchange. The first month after the Windows 10 EoL has a zero-day that affects the Windows 10 OS. The risks of continuing to run EoL software without extended support are very real, and threat actors will be looking to take advantage.