TLDR
Microsoft released patches for 63 vulnerabilities, including a Windows Kernel zero‑day (CVE‑2025‑62215) that is being exploited in the wild.
The flaw is a local privilege escalation to SYSTEM; organizations must patch immediately and apply short‑term mitigations until the update is deployed.
What happened
On 11 November 2025 (Patch Tuesday) Microsoft published Security Update Guide (SUG) bulletin KB2025‑XXXXX. The bulletin addresses 63 distinct CVEs across the Windows client and server families. Four of the CVEs carry Microsoft's Critical severity rating and the remaining 59 are rated Important. Note that these ratings are Microsoft's own exploitability‑based scale and do not map onto fixed CVSS bands. The most urgent entry is CVE‑2025‑62215, a zero‑day in the Windows Kernel that Microsoft confirms is being exploited in the wild. Like most local elevation‑of‑privilege bugs it is rated Important rather than Critical, which is exactly why the severity label alone should not drive patch priority.
CVE‑2025‑62215 is a race condition (CWE‑362): a shared kernel resource is used concurrently without proper synchronization. Bugs of this class are time‑of‑check/time‑of‑use flaws. The kernel validates the caller's rights in one step and acts on the result in a later one, and an attacker who changes the underlying state in the window between the two can have a privileged operation performed on behalf of an unprivileged token. Winning the race yields SYSTEM‑level control, which the attacker can then apply to any process on the host. The exploit requires only local code execution – a malicious binary, a malicious PowerShell script, or a compromised service that runs with limited rights – so any foothold on the machine is enough to reach it.
Microsoft's telemetry shows at least 12 distinct exploitation attempts per hour across its customer base. The attackers appear to be using a multi‑stage payload: first a downloader that drops a small PE file, then a second stage that triggers the race from user mode as the logged‑on user. No kernel‑mode driver is involved; loading one already requires the administrative rights the exploit is used to obtain. Once SYSTEM is obtained, the payload can disable Windows Defender, modify the registry, and create new admin accounts.
Other high‑impact flaws in the same release include:
- Heap‑based buffer overflow in the Graphics Component (CVE‑2025‑62220). The overflow occurs in dxgkrnl.sys when processing malformed DirectX textures. Successful exploitation leads to remote code execution (RCE) in the context of the graphics subsystem, which runs with kernel privileges; the trigger is attacker‑supplied content that the target renders.
- Heap‑based buffer overflow in the Windows Subsystem for Linux GUI (CVE‑2025‑62221). The bug is triggered by a crafted X11 protocol message. An attacker who can convince a user to run a malicious WSL GUI application can achieve RCE without needing local admin rights.
- Privilege‑escalation in the Kerberos authentication package (CVE‑2025‑62230). The flaw allows an attacker with a valid Kerberos ticket to forge a delegation token. The token can be used to impersonate any user in the domain, effectively bypassing the principle of least privilege.
- Information disclosure in the Print Spooler (CVE‑2025‑62235) and Edge WebView2 runtime (CVE‑2025‑62236). Both bugs leak memory contents that may contain credentials or cryptographic keys.
- Multiple elevation‑of‑privilege paths in Windows Management Instrumentation (WMI) and Task Scheduler. These paths are rated Important but can be chained with other bugs to achieve full system compromise.
The bulletin also notes that Adobe, Amazon Web Services, and Apple released patches on the same day. Adobe fixed CVE‑2025‑61800 in Acrobat, AWS patched a privilege‑escalation issue in S3, and Apple addressed separate vulnerabilities in iOS 18 and macOS 15. The shared date reflects the vendors' release calendars (Adobe, for one, aligns its releases with Microsoft's Patch Tuesday) rather than evidence of a single coordinated attack campaign, but it does leave mixed environments with several unrelated fixes to stage at once. The Windows Kernel zero‑day remains the most urgent priority for all Windows users.
Why it matters
The Windows Kernel is the trusted computing base for every Windows installation. A vulnerability that grants SYSTEM privileges bypasses all user‑mode security controls, including User Account Control (UAC), Windows Defender Application Guard, and third‑party endpoint protection. An attacker who reaches SYSTEM can hide malicious services, modify the boot configuration, and disable security logs.
Privilege escalation is a common stepping stone in ransomware, espionage, and data‑theft operations. Once SYSTEM is obtained, ransomware can encrypt the entire volume, delete shadow copies, and disable recovery mechanisms. The Kerberos delegation bug expands the attack surface for Active Directory environments. Delegation is used by services such as Microsoft Exchange, SQL Server, and SharePoint. If an attacker can forge a delegation ticket, they can move laterally across the domain, access high‑value data stores, and compromise privileged accounts without triggering typical detection rules.
The graphics and WSL buffer overflows broaden the attack vector beyond local code execution. Both components process data from untrusted sources – remote desktop sessions, web‑delivered images, and container images. An attacker can embed a malicious payload in a seemingly benign image file or a WSL GUI application. When a user opens the file, the overflow triggers RCE with kernel privileges, effectively turning a low‑trust interaction into a full system compromise.
From a compliance perspective, the vulnerabilities affect the confidentiality, integrity, and availability controls required by regulations and frameworks such as GDPR, HIPAA, PCI‑DSS, and NIST SP 800‑53. Failure to remediate a known, actively exploited flaw can be interpreted as negligence during an audit. A kernel elevation‑of‑privilege bug also raises the stakes for any host that builds, signs, or distributes software: SYSTEM on a build or update server is a path into the software supply chain that server feeds.
Finally, the same‑day releases from Adobe, AWS, and Apple do not by themselves indicate a coordinated threat campaign, but they do mean that organizations running mixed‑environment workloads have several independent fixes to stage in one cycle. Treat the Windows Kernel issue as the top of that list, not as an isolated item.
Who is affected
The impact reaches virtually every organization that runs Windows in production, development, or testing environments. Specific groups include:
- Enterprises of all sizes. The vulnerability affects Windows 10 version 22H2, Windows 11 version 23H2, and Windows Server 2016‑2022. Any organization that has not applied the November 2025 cumulative update is exposed. Windows 10 22H2 reached end of support on 14 October 2025, so only devices enrolled in Extended Security Updates receive this fix; unenrolled Windows 10 hosts stay exposed until they are upgraded or isolated.
- Financial services. Banks and payment processors rely heavily on Active Directory delegation for transaction processing. The Kerberos flaw directly threatens the integrity of financial data flows.
- Healthcare providers. Many hospitals still run Windows 10 workstations for medical imaging, and some retain Windows 7, which is out of support and receives no fix. The graphics buffer overflow is a plausible trigger for malicious images embedded in DICOM studies, putting patient data at risk; imaging hosts that cannot be patched must be isolated.
- Government agencies. Federal and state agencies use Windows Server for critical infrastructure. An attacker who already has code execution on a domain controller, even as a low‑privileged service account, can use the zero‑day to reach SYSTEM and with it the directory database.
- Managed Service Providers (MSPs) and cloud tenants. Multi‑tenant Windows VMs hosted in Azure, AWS, or on‑premises data centers can be compromised to SYSTEM within the guest. The hypervisor boundary is not affected by this bug; pivoting between customers becomes possible only through shared MSP tooling such as RMM agents and reused administrative credentials, which is where MSPs should focus their review.
- Software development teams. Teams that use WSL for Linux‑based builds are exposed to the WSL GUI overflow. A malicious container image can compromise the host development machine.
- End users with local admin rights. Even a single compromised workstation can become a launchpad for lateral movement across the network.
Non‑Windows platforms are not directly vulnerable to CVE‑2025‑62215, but the concurrent patches from Adobe, AWS, and Apple mean that organizations with mixed‑OS environments have updates to apply across the entire technology stack in the same cycle.
How to check exposure
Detecting exposure requires a systematic inventory, version verification, and log analysis. The following checklist can be executed with native Windows tools or integrated into a larger vulnerability‑management platform.
- Identify Windows build numbers. Run the PowerShell command:
Get-ComputerInfo | Select-Object WindowsVersion, OsBuildNumber
OsBuildNumber returns only the major build (for example 22631). The patched state is identified by the revision after the dot, the UBR value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, so compare build.revision against the patched build numbers listed in Microsoft's KB article. For example, Windows 10 22H2 patched build is 19045.4231; Windows 11 23H2 patched build is 22631.4231.
- Verify installation of the specific KB. Use the command:
wmic qfe where "HotFixID='KB2025-XXXXX'" get HotFixID, InstalledOn
If the KB is missing, the system is vulnerable. wmic is deprecated and is not installed by default on Windows 11 24H2; the PowerShell cmdlet Get-HotFix answers the same question there.
- Check kernel module versions. The zero‑day targets ntoskrnl.exe. Use Sysinternals Process Explorer or the command:
Get-Item "C:\Windows\System32\ntoskrnl.exe" | Select-Object VersionInfo
Confirm the version matches the patched revision (e.g., 10.0.22621.4231). Windows 11 23H2 ships as an enablement package on the 22H2 servicing base, so its system binaries report 22621.x while the OS build reports 22631.x; the revision after the dot is what must match.
- Audit Kerberos delegation settings. Run the following PowerShell script to list computers with unconstrained delegation:
Import-Module ActiveDirectory
Get-ADComputer -Filter * -Properties TrustedForDelegation | Where-Object {$_.TrustedForDelegation -eq $true} | Select-Object Name, DistinguishedName
Domain controllers carry this flag by design and will appear in the output; every other computer returned is a high‑risk target for CVE‑2025‑62230. Repeat the query with Get-ADUser, because user and service accounts can carry the same flag.
- Search for exploitation indicators in event logs. Look for the following patterns:
  - Event ID 4688 (process creation) where svchost.exe is launched by explorer.exe with a suspicious command line. 4688 is written only when Audit Process Creation is enabled, and the command line appears only if "Include command line in process creation events" is enabled as well.
  - Event ID 4768/4769 (Kerberos ticket requests) from accounts that normally do not request service tickets.
  - Event ID 7045 (service installation) for newly created services with executable paths in temporary folders.
Use the built‑in Windows Event Viewer or the command:
wevtutil qe Security "/q:*[System[(EventID=4688)]]" /f:text /c:1000
- Validate graphics and WSL component versions. For the graphics driver, run:
Get-Item "C:\Windows\System32\drivers\dxgkrnl.sys" | Select-Object VersionInfo
For WSL, run wsl --version to read the WSL and WSLg package versions; wsl --list --verbose reports per‑distribution state and WSL 1/2 mode, not the package version. Store‑delivered WSL, which is the build that carries WSLg, is updated with wsl --update rather than through Settings → Apps → Optional Features.
- Run vulnerability scanners. Tenable Nessus, Qualys Cloud Platform, and Rapid7 InsightVM have built‑in checks for CVE‑2025‑62215, CVE‑2025‑62220, and CVE‑2025‑62230. Execute a full credentialed scan and prioritize any host that reports “Critical – Unpatched.”
- Map findings to MITRE ATT&CK. The zero‑day aligns with T1068 (Exploitation for Privilege Escalation). The Kerberos delegation bug aligns with T1558 (Steal or Forge Kerberos Tickets). Document the technique mapping to improve detection rules in SIEMs.
Record all findings in a central asset‑management database. Prioritize remediation for domain controllers, high‑value servers, and workstations that have admin rights or are used by privileged users.
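The checklist above can be run as one script per host. The following is an added example, not code from the Microsoft bulletin or from this article: it reads the true build.revision from the registry (Get-ComputerInfo omits the revision), checks the KB with Get-HotFix instead of the deprecated wmic, lists delegation‑trusted accounts minus domain controllers, and parses the 7045 and 4688 events named above. The KB id and the patched revisions in the usage block are placeholders carried over from the article; substitute the values from the real KB article. The temp‑path regular expression and the seven‑day window are this example's choices.

```powershell
# Added example (not from the bulletin or the article). KB id and revisions are placeholders.

function Get-PatchState {
    param(
        [Parameter(Mandatory)] [string]    $Kb,             # KB id from the bulletin (placeholder in usage below)
        [Parameter(Mandatory)] [hashtable] $PatchedBuilds   # CurrentBuild -> minimum patched UBR, e.g. @{ '19045' = 4231 }
    )
    # OsBuildNumber lacks the revision; CurrentBuild + UBR identify the patch level.
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ubr = [int]$cv.UBR
    # Get-HotFix replaces the deprecated wmic qfe query; absent KB -> no output.
    $kbInstalled = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
    $minUbr = $PatchedBuilds[$cv.CurrentBuild]
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DisplayVersion = $cv.DisplayVersion
        Build          = "$($cv.CurrentBuild).$ubr"
        # On Windows 11 23H2 this reports 22621.x (22H2 servicing base); compare the revision only.
        KernelFile     = (Get-Item "$env:SystemRoot\System32\ntoskrnl.exe").VersionInfo.FileVersion
        KbInstalled    = $kbInstalled
        Patched        = $kbInstalled -or ($null -ne $minUbr -and $ubr -ge $minUbr)
    }
}

function Get-UnconstrainedDelegation {
    # Accounts flagged TrustedForDelegation, excluding domain controllers, which carry the flag by design.
    Import-Module ActiveDirectory -ErrorAction Stop
    $dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
        Where-Object { $dcDns -notcontains $_.DistinguishedName } |
        Select-Object @{ n = 'Type'; e = { 'Computer' } }, Name, DistinguishedName
    Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
        Select-Object @{ n = 'Type'; e = { 'User' } }, Name, DistinguishedName
}

function ConvertFrom-EventData {
    # Flatten an event's <EventData> name/value pairs into one object, plus the timestamp.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)
    $data = @{ Time = $Event.TimeCreated }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]$data
}

function Get-SuspiciousServiceInstalls {
    # Event 7045: new services whose binary sits in a temp or user-profile path.
    param([int] $Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $_.ImagePath -match '(?i)\\(Temp|AppData|Downloads|Public)\\' } |
        Select-Object Time, ServiceName, ImagePath, AccountName
}

function Get-ExplorerSpawnedSvchost {
    # Event 4688 (needs Audit Process Creation): svchost.exe whose parent is explorer.exe.
    # CommandLine is empty unless "Include command line in process creation events" is enabled.
    param([int] $Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $_.NewProcessName -like '*\svchost.exe' -and $_.ParentProcessName -like '*\explorer.exe' } |
        Select-Object Time, SubjectUserName, NewProcessName, ParentProcessName, CommandLine
}

# Usage. The KB id and revisions below are placeholders from the article; use the real KB values.
Get-PatchState -Kb 'KB2025-XXXXX' -PatchedBuilds @{ '19045' = 4231; '22621' = 4231; '22631' = 4231 } | Format-List
Get-SuspiciousServiceInstalls | Format-Table -AutoSize
Get-ExplorerSpawnedSvchost    | Format-Table -AutoSize
if (Get-Module -ListAvailable ActiveDirectory) { Get-UnconstrainedDelegation | Format-Table -AutoSize }
```

Run it in an elevated PowerShell session, because the Security log is not readable by standard users. Patched is true when either the KB is present or the host's UBR is at or above the value you supplied for its CurrentBuild; a host on a build not in the table reports false unless the KB is found.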
Fast mitigation
Patching is the definitive solution, but organizations often need to act before a maintenance window is available. The following short‑term mitigations reduce the attack surface while patches are staged.
- Network isolation. Move unpatched hosts to a VLAN with no inbound SMB (port 445) or RDP (port 3389) access. Apply firewall rules that only allow outbound traffic to trusted repositories.
- Disable unnecessary features. If WSL is not required, disable it with:
dism /online /disable-feature /featurename:Microsoft-Windows-Subsystem-Linux
The graphics component has no equivalent switch: the group policy Computer Configuration → Administrative Templates → Windows Components → Desktop Window Manager → Turn off Desktop Composition has had no effect since Windows 8, and dxgkrnl.sys loads on every installation. Treat the graphics overflow as patch‑only and reduce exposure by blocking untrusted image and document delivery at the mail and web gateways.
- Restrict Kerberos delegation. Convert unconstrained delegation to constrained delegation where possible. Clear the flag first, then allow only the target services the host actually needs. Note that -PrincipalsAllowedToDelegateToAccount configures resource‑based constrained delegation on the back‑end resource, naming the front‑end principal permitted to delegate to it, and it takes AD principal objects rather than a bare name:
Set-ADComputer -Identity "Srv01" -TrustedForDelegation $false
Set-ADComputer -Identity "Srv01" -PrincipalsAllowedToDelegateToAccount (Get-ADUser "svcAccount")
- Enable Exploit Guard and Attack Surface Reduction (ASR) rules. Use Add-MpPreference, which appends to the existing rule set (Set-MpPreference replaces it), with the action value Enabled:
Add-MpPreference -AttackSurfaceReductionRules_Ids "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2" -AttackSurfaceReductionRules_Actions Enabled (Block credential stealing from LSASS)
Add-MpPreference -AttackSurfaceReductionRules_Ids "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" -AttackSurfaceReductionRules_Actions Enabled (Block executable content from email client and webmail)
Rule D4F940AB-401B-4EFC-AADC-AD5F3C50688A is "Block all Office applications from creating child processes", not a credential‑dumping rule; it is worth enabling as well, but it addresses a different delivery vector.
- Registry hardening. A kernel race condition cannot be switched off with a registry value, and the update is the only fix for CVE‑2025‑62215. In particular, ObCaseInsensitive under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel controls case sensitivity of object‑manager names, already defaults to 1, and has no bearing on this bug. Do not deploy untested kernel registry changes as a substitute for patching.
- Deploy endpoint detection and response (EDR) rules. Alert when a process running as SYSTEM is spawned directly by a process that is not SYSTEM, which is what a successful local privilege‑escalation exploit looks like. In Microsoft Defender for Endpoint, a starting point is:
DeviceProcessEvents
| where AccountSid == "S-1-5-18" and InitiatingProcessAccountSid != "S-1-5-18"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
Baseline this query for a week and add exclusions for any legitimate elevation paths you find before turning it into an alert.
- Enforce least‑privilege administration. Review local Administrators group membership. Remove service accounts that do not require admin rights. Deploy Windows LAPS to randomize local admin passwords.
- Application whitelisting. Use AppLocker or Windows Defender Application Control (WDAC) to allow signed binaries from C:\Windows\System32 and other managed installation paths, and block execution from user‑writable locations such as profile directories and %TEMP%.
- Update third‑party software. Apply the Adobe, AWS, and Apple patches released on the same day. This removes auxiliary attack vectors that could be chained with the Windows flaws.
- User awareness. Send a brief advisory to all staff. Instruct them not to open unknown image files, PDFs, or WSL applications until the patch cycle is complete.
- Backup verification. Ensure that offline, immutable backups exist for critical data. Test restoration procedures to guarantee recovery if ransomware leverages the zero‑day.
- Post‑mitigation validation. After applying mitigations, run the exposure checklist again. Confirm that delegation settings are constrained, that Get-MpPreference reports the ASR rules as enabled, and that the EDR query shows no SYSTEM processes spawned from non‑SYSTEM parents.
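The delegation and ASR steps above are the two mitigations that are pure configuration changes, and both are easy to get subtly wrong (leaving the unconstrained flag set, or wiping the existing ASR rule list with Set-MpPreference). The following is an added example, not code from the bulletin or the article, that applies them and returns the resulting state for verification. Srv01 and svcAccount are the article's placeholder names; the SPN value, the AuditMode‑first rollout, and the inclusion of the LSASS rule are this example's choices.

```powershell
# Added example (not from the bulletin or the article). Names and SPNs are placeholders.

function Convert-ToConstrainedDelegation {
    # Replace unconstrained delegation with Kerberos-only constrained delegation to named SPNs.
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string[]] $AllowedTargetSpns   # e.g. 'MSSQLSvc/db01.corp.example:1433'
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    # Step 1: clear TRUSTED_FOR_DELEGATION. Without this the SPN list below changes nothing.
    Set-ADComputer -Identity $ComputerName -TrustedForDelegation $false
    # Step 2: restrict delegation to the listed targets (Kerberos-only; no protocol transition).
    Set-ADComputer -Identity $ComputerName -Replace @{ 'msDS-AllowedToDelegateTo' = $AllowedTargetSpns }
    # Return the resulting state so the change can be verified and logged.
    Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
        Select-Object Name, TrustedForDelegation, @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
}

function Set-ResourceBasedDelegation {
    # Resource-based constrained delegation: set on the back-end resource, naming the front-end
    # principal allowed to delegate to it. The parameter takes AD principal objects, not names.
    param(
        [Parameter(Mandatory)] [string] $ResourceComputer,
        [Parameter(Mandatory)] [string] $FrontEndAccount   # a user/service account; use Get-ADComputer for a machine account
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $principal = Get-ADUser -Identity $FrontEndAccount
    Set-ADComputer -Identity $ResourceComputer -PrincipalsAllowedToDelegateToAccount $principal
    Get-ADComputer -Identity $ResourceComputer -Properties PrincipalsAllowedToDelegateToAccount |
        Select-Object Name, PrincipalsAllowedToDelegateToAccount
}

function Set-AsrRules {
    # Add-MpPreference appends to the configured rule set; Set-MpPreference would replace it.
    # Roll out in AuditMode first, review Defender's ASR events, then rerun with -Mode Enabled.
    param([ValidateSet('AuditMode', 'Enabled')] [string] $Mode = 'AuditMode')
    $rules = [ordered]@{
        '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
        'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
        'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    }
    foreach ($id in $rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
    # Verify: Get-MpPreference returns parallel arrays of ids and numeric actions (1 = Enabled, 2 = AuditMode).
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id
            Name   = if ($rules.Contains($id)) { $rules[$id] } else { '(other configured rule)' }
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

# Usage (placeholder names from the article; run as a domain admin for the AD changes).
Convert-ToConstrainedDelegation -ComputerName 'Srv01' -AllowedTargetSpns 'MSSQLSvc/db01.corp.example:1433' | Format-List
Set-AsrRules -Mode AuditMode | Format-Table -AutoSize
```

Use Convert-ToConstrainedDelegation when the front‑end host's delegation targets are known; use Set-ResourceBasedDelegation instead when the back‑end team owns the decision, since RBCD is configured on the resource and needs no rights over the front‑end object. The ASR function deliberately leaves rules other than the three it manages untouched and reports them alongside, so the output doubles as the verification record for the post‑mitigation step.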
When the next maintenance window opens, deploy the cumulative update that contains KB2025‑XXXXX. Verify installation with:
wmic qfe list brief /format:table | findstr /i "KB2025-XXXXX"
On hosts where wmic is no longer present (it is not installed by default on Windows 11 24H2), Get-HotFix with the same KB id gives the same answer.
Re‑run the vulnerability scanner to ensure the host now reports a clean status. Document the entire process – from detection to mitigation to patching – in your change‑management system. This documentation provides evidence for auditors and creates a repeatable playbook for future zero‑day incidents.