November 2025 revealed a series of critical cybersecurity vulnerabilities affecting enterprise systems, cloud frameworks, and productivity applications. From remote code execution (RCE) in React Server Components to privilege escalation flaws in the Windows Kernel and Microsoft DirectX, these vulnerabilities highlight ongoing risks to both endpoints and core infrastructure. Organisations using Microsoft Office, SharePoint, and Windows environments must prioritise patch management and review access controls to prevent exploitation. Timely mitigation of these weaknesses is crucial to maintaining enterprise security and safeguarding sensitive data against increasingly sophisticated threat actors.
What We'll Cover
CVE-2025-55182 : React Server Components Remote Code Execution (React2Shell)
Severity and Score: Critical (CVSS v3.1: 10.0)
Type: Remote Code Execution via Unsafe Deserialization (CWE-502)
Disclosure: Identified in late November 2025, publicly disclosed on December 3, 2025
Exploitation Status: Actively exploited in the wild by advanced threat groups
This is a critical unauthenticated remote code execution flaw affecting applications that use specific features of React Server Components. The issue stems from how React Server Components decode and deserialize untrusted payloads sent to server function endpoints. When an attacker submits a crafted payload to a path such as api rsc function, the application attempts to process the data and ends up executing the malicious chain with elevated privileges on the Node.js server. Successful exploitation results in full server compromise and data exposure.
Mitigation Strategies:
- Upgrade the relevant React framework packages to the patched versions released after disclosure.
- Configure strict Web Application Firewall rules to identify and block malformed payloads directed at server component endpoints.
- Review all server-side deserialization processes to ensure only trusted and validated data is accepted.
CVE-2025-62215 : Windows Kernel Zero Day Elevation of Privilege
Severity and Score: High (CVSS v3.1: 7.0)
Type: Elevation of Privilege via Race Condition (CWE-362)
Disclosure: November 11, 2025
Exploitation Status: Actively exploited in the wild and confirmed in CISA KEV on November 11, 2025
This zero day impacts the Windows Kernel through a race condition that appears when multiple processes attempt to access shared memory without proper synchronisation. An attacker with basic local user access uses a malicious binary to repeatedly trigger the race. When the timing succeeds, the kernel object gets corrupted, allowing execution with SYSTEM rights. This is a common step in post compromise escalation.
Mitigation Strategies:
- Apply the Windows Kernel security updates released on November 11, 2025 without delay.
- Deploy application control or whitelisting tools such as Windows Defender Application Control to prevent unauthorised binaries from running.
- Follow strict least privilege policies to reduce the impact radius.
CVE-2025-60724 : Microsoft GDI Plus Remote Code Execution
Severity and Score: Critical (CVSS v3.1: 9.8)
Type: Remote Code Execution via Heap based Buffer Overflow (CWE-122)
Disclosure: November 11, 2025
Exploitation Status: Exploitation possible with a high likelihood and proof of concept expected
This flaw targets the Microsoft GDI Plus graphics component used across Windows applications such as Office and various browsers. The vulnerability arises when GDI Plus processes crafted images or metafiles that exceed the allocated heap buffer size. The buffer overflow allows an attacker to overwrite adjacent memory and redirect program execution. The user only needs to view or open the malicious file for the attack to succeed.
Mitigation Strategies:
- Install the GDI Plus security patches from the November 2025 release.
- Configure email and endpoint security controls to block unverified image based files or embedded graphics.
- Disable automatic image loading within applications where feasible to reduce exposure.
CVE-2025-62199 : Microsoft Office Remote Code Execution
Severity and Score: Critical (CVSS v3.1: 7.8)
Type: Remote Code Execution via Use After Free vulnerability (CWE-416)
Disclosure: November 11, 2025
Exploitation Status: Exploitation possible and common in Office file based attacks
This vulnerability affects multiple Microsoft Office applications. It is caused by a Use After Free error where an application releases memory but continues to reference it. A malicious document triggers this flaw and enables the attacker to replace the freed memory with controlled data. This leads to arbitrary code execution with the user’s privileges.
Mitigation Strategies:
- Apply the Microsoft Office updates released on November 11, 2025.
- Enable Microsoft Defender Attack Surface Reduction rules to reduce document based threats.
- Use strong macro governance policies and block macros from untrusted sources.
CVE-2025-60716 : DirectX Graphics Kernel Elevation of Privilege
Severity and Score: Critical (CVSS v3.1: 7.0)
Type: Elevation of Privilege via Use After Free vulnerability (CWE-416)
Disclosure: November 11, 2025
Exploitation Status: Exploitation possible and commonly used in chained attack paths
This flaw affects the DirectX Graphics Kernel subsystem. A standard user can trigger specific operations that create a Use After Free condition in the graphics kernel driver. Attackers manipulate kernel memory through this flaw and overwrite the security token of their process to gain SYSTEM privileges. This method is frequently used to escalate from user level access to complete host control.
Mitigation Strategies:
- Install the DirectX Graphics Kernel updates released in November 2025.
- Ensure all system components and drivers that interact with the kernel remain updated.
- Monitor security logs for unusual attempts to load, alter, or interact with kernel drivers.
CVE-2025-62204 : Microsoft SharePoint Remote Code Execution
Severity and Score: Important (CVSS v3.1: 8.0)
Type: Remote Code Execution via Input Validation Error (CWE-20)
Disclosure: November 11, 2025
Exploitation Status: Exploitation possible and requires authentication
This vulnerability affects Microsoft SharePoint Server due to insufficient input validation within a backend service endpoint. An authenticated low privilege SharePoint user can submit crafted input containing executable content. The backend service processes this unsafe input and executes the payload on the SharePoint server. This provides access to sensitive stored data and internal systems.
Mitigation Strategies:
- Apply the cumulative SharePoint security updates released in November 2025.
- Ensure that user permissions strictly match their functional roles.
- Use network access controls and specialised monitoring tools to track abnormal SharePoint traffic or payload patterns.
The November 2025 vulnerabilities underscore the importance of proactive cybersecurity measures, including rapid patch deployment, endpoint monitoring, and strict enforcement of least privilege policies. Addressing risks in Microsoft Office, Windows, SharePoint, and modern web frameworks ensures organisations reduce exposure to remote code execution, elevation of privilege, and other targeted attacks. Maintaining updated systems, reviewing attack surfaces, and implementing robust access controls are essential for sustained enterprise resilience. Security teams that adopt these practices will strengthen defences and minimise the impact of emerging threats.
Learn how our cybersecurity expertise helps you stay ahead of emerging threats and protect your most critical assets.
