Microsoft today released its new Patch Tuesday update, fixing no less than 63 vulnerabilities in its software products. This update is of particular note, as it includes the first zero-day under active attack, affecting the Windows Kernel. Of those vulnerabilities that were addressed, the majority include vulnerabilities for privilege escalation and remote code execution. These problems represent significant security threats to users.
The update fixes 29 critical vulnerabilities—some of which provide for remote and local privilege escalation. Additionally, it aims to address 16 issues with remote code execution, 11 on information disclosure, and three associated with denial-of-service (DoS) failures. Beyond that, it fixes two security vulnerabilities related to feature security bypass and two others related to spoofing bugs. The severity of these vulnerabilities ranges in severity from four Critical-rated vulnerabilities to 59 Important-rated vulnerabilities.
Details on Key Vulnerabilities
One of the most severe vulnerabilities patched CVE-2025-62215. This highly exploited zero-day vulnerability is rated critical and has a CVSS score of 7.0. It is rated as a Kerberos constrained delegation (aka delegation) vulnerability within the Microsoft Windows Kernel. The finding of this vulnerability was a wonderful collaborative effort between Silverfort researchers Eliran Partush and Dor Segal.
Microsoft characterized the bug as a race condition that enables an authorized, local attacker to elevate privileges. The company states, “Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Kernel allows an authorized attacker to elevate privileges locally.”
CVE-2025-60724, a second major flaw. This heap-based buffer overflow in Microsoft’s Graphics Component carries an alarming CVSS score of 9.8. CVE-2025-62220 is the second heap-based buffer overflow vulnerability discovered, located within Windows Subsystem for Linux GUI. It has a CVSS score of 8.8 underscoring its criticality. Both vulnerabilities require urgent action as they have a critical CVSS score.
Implications for Organizations
The latest update comes with dire implications for organizations, especially those utilizing Active Directory with the Kerberos delegation capability enabled. Silverfort highlights that “any organization using Active Directory, with the Kerberos delegation capability turned on, is impacted.” This shortcoming, combined with the complexity of enterprise environments, underscores the importance of this update in preventing these environments from being easily exploited.
Cybersecurity professionals warn about the importance of moving quickly to address vulnerabilities. Mike Walters, president and co-founder of Action1, explains that chaining vulnerabilities together poses high risks. He stated, “When chained with other bugs this kernel race is critical: an RCE or sandbox escape can supply the local code execution needed to turn a remote attack into a SYSTEM takeover.”
In addition, security professionals urge that attackers using these vulnerabilities still need to use targeted techniques to get into an account. Microsoft notes that “the attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications.”
Recommendations for Users
Microsoft recommends all users prioritize installing the patches. We believe this action will strengthen the nation’s cybersecurity and reduce risks from these vulnerabilities. We strongly urge all organizations to evaluate their systems for any impacted parts and implement required mitigations as quickly as possible.
Ben McCarthy, lead cybersecurity engineer at Immersive, outlines that an attacker with low-privilege local access can exploit these vulnerabilities by running specially crafted applications that trigger race conditions. At the same time, he warns, organizations need to stay constantly vigilant. They need to go above and beyond to deploy strong security measures that preclude any unintentional exploitation.