Overview
- Microsoft’s update addresses 63 vulnerabilities across its products, with five rated critical by the company.
- CVE-2025-62215, a Windows Kernel elevation-of-privilege flaw, is confirmed exploited in the wild and carries a CVSS 7.8 rating with low attack complexity.
- CVE-2025-60724, a critical GDI+ remote code execution bug (CVSS 9.8), can be triggered by crafted metafiles and may be exploitable on web services that parse uploaded documents without user interaction.
- Other critical entries include an Office RCE (CVE-2025-62199) requiring a user to open a malicious file, a high-complexity Visual Studio RCE tied to AI command injection (CVE-2025-62214), a DirectX Graphics Kernel EoP (CVE-2025-60716), and a Nuance PowerScribe 360 information disclosure issue (CVE-2025-30398), all assessed by Microsoft as less likely to be exploited.
- Microsoft flags several important Windows EoP issues as more likely to be exploited—CEIP (CVE-2025-59512), CSC Service (CVE-2025-60705), and multiple WinSock driver flaws (CVE-2025-60719, -62217, -62213)—while Cisco Talos released Snort rules (65496–65501, 65507–65510; Snort 3: 301343–301345, 301347, 301348) to detect exploitation attempts.
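As an added defensive illustration (not part of the advisory and not Microsoft's own mitigation guidance for CVE-2025-60724), the check below gates uploads before any server-side document or image parsing: it rejects stand-alone Windows metafiles and flags EMF headers embedded inside larger containers. The header constants come from the public WMF/EMF file-format specifications; the sample inputs are constructed here and the function names are this example's own.

```python
"""Pre-parse upload gate for Windows metafiles (WMF/EMF).

Added example, not Microsoft's guidance. Header layouts follow the public
WMF/EMF specifications; all sample inputs below are constructed.
"""
import struct

# Placeable WMF files begin with the key 0x9AC6CDD7 stored little-endian.
WMF_PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"
# EMR_HEADER carries the signature 0x464D4520 (" EMF") at byte offset 40.
EMF_SIGNATURE = b" EMF"
EMF_SIGNATURE_OFFSET = 40
EMF_HEADER_MIN_SIZE = 88  # fixed part of EMR_HEADER


def looks_like_wmf(data: bytes) -> bool:
    """Stand-alone WMF: placeable header, or a standard 18-byte METAHEADER."""
    if data.startswith(WMF_PLACEABLE_MAGIC):
        return True
    if len(data) >= 18:
        # Type: 1 = memory metafile, 2 = disk metafile; HeaderSize is 9 words;
        # Version is 0x0100 (no DIBs) or 0x0300 (DIBs allowed).
        mtype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
        if mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return True
    return False


def looks_like_emf(data: bytes) -> bool:
    """Stand-alone EMF: record type 1 (EMR_HEADER) with the ' EMF' signature."""
    if len(data) < EMF_SIGNATURE_OFFSET + len(EMF_SIGNATURE):
        return False
    rec_type, rec_size = struct.unpack_from("<II", data, 0)
    return (
        rec_type == 1
        and rec_size >= EMF_HEADER_MIN_SIZE
        and data[EMF_SIGNATURE_OFFSET:EMF_SIGNATURE_OFFSET + 4] == EMF_SIGNATURE
    )


def find_embedded_emf(data: bytes) -> list:
    """Offsets of EMR_HEADER records inside a larger blob (e.g. an Office container)."""
    hits = []
    pos = data.find(EMF_SIGNATURE)
    while pos != -1:
        start = pos - EMF_SIGNATURE_OFFSET
        # Requiring the full EMR_HEADER shape avoids matching the bare text " EMF".
        if start >= 0 and looks_like_emf(data[start:]):
            hits.append(start)
        pos = data.find(EMF_SIGNATURE, pos + 1)
    return hits


def classify_upload(data: bytes) -> str:
    """Decision for an upload: 'accept', or a 'reject:<reason>' string."""
    if looks_like_wmf(data):
        return "reject:wmf"
    if looks_like_emf(data):
        return "reject:emf"
    if find_embedded_emf(data):
        return "reject:embedded-emf"
    return "accept"


def build_samples() -> dict:
    """Constructed inputs covering each branch; not captured from real files."""
    emf = (
        struct.pack("<II", 1, 108)            # EMR_HEADER, record size 108
        + b"\x00" * 32                        # Bounds + Frame
        + EMF_SIGNATURE
        + b"\x00" * (108 - 44)                # rest of the header record
    )
    return {
        "placeable_wmf": WMF_PLACEABLE_MAGIC + b"\x00" * 18,
        "standard_wmf": struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12,
        "emf": emf,
        "container_with_emf": b"PK\x03\x04" + b"\x00" * 100 + emf + b"\x00" * 20,
        "png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
        "text_mentioning_emf": b"this document mentions EMF files" + b"\x00" * 40,
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:22s} -> {classify_upload(blob)}")
```

Because the checks look only at fixed-offset header fields, they run in constant time per candidate and cannot be bypassed by padding, but they are a gate, not a parser: the real mitigation is applying the update, and this check simply keeps untrusted metafiles away from GDI+ on services that never need to render them.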