November 2025 Patch Tuesday: One Zero-Day and Five Critical Vulnerabilities Among 63 CVEs

Microsoft has addressed 63 vulnerabilities in its November 2025 security update release, roughly one third of October's record-breaking 172 patches. This month's updates address one actively exploited zero-day vulnerability and five Critical vulnerabilities, along with 57 additional vulnerabilities of varying severity levels. There were no publicly disclosed vulnerabilities this month.

Windows 10 Extended Security Updates Begin

Before examining the November patches, it is worth noting that this month marks the first Extended Security Update (ESU) release for Windows 10 following its end of life on October 14, 2025. Organizations still running Windows 10 must be enrolled in the ESU program to receive security updates, and Microsoft requires hosts to be on the 22H2 release to qualify. For those experiencing enrollment issues, Microsoft released an out-of-band update to address bugs preventing ESU registration. More information can be found here.
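A quick readiness check for the ESU requirement above, added here as an example and not part of the original post or any CrowdStrike tooling: it reads the host's version keys from the registry, reports whether a Windows 10 host is on 22H2, and shows the newest installed update so you can confirm the November release landed. It assumes the standard CurrentVersion registry location and that build 19045 identifies Windows 10 22H2.

```powershell
# Added example (not from the original post). Reports ESU readiness for a Windows 10 host.
# Assumption: Windows 10 22H2 is OS build 19045; builds >= 22000 are Windows 11.
function Get-EsuReadiness {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild

    # ProductName still reads "Windows 10 ..." on Windows 11, so use the build number
    # rather than the name to tell the two apart.
    $isWin10 = $build -lt 22000
    $on22H2  = $build -eq 19045

    # Newest update with a recorded install date; useful to confirm the ESU
    # release was actually applied after enrollment.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        ProductName    = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion
        Build          = "$($cv.CurrentBuild).$($cv.UBR)"
        IsWindows10    = $isWin10
        MeetsEsu22H2   = if ($isWin10) { $on22H2 } else { 'N/A (not Windows 10)' }
        LatestUpdate   = if ($latest) { "$($latest.HotFixID) ($($latest.InstalledOn.ToShortDateString()))" } else { 'none recorded' }
    }
}

Get-EsuReadiness | Format-List
```

Run it across a fleet with Invoke-Command and filter on IsWindows10 -eq $true and MeetsEsu22H2 -eq $false to list hosts that need the 22H2 upgrade before they can receive ESU patches.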

November 2025 Risk Analysis

This month's leading risk types by exploitation technique are elevation of privilege with 29 patches (46%), remote code execution (RCE) with 16 patches (25%), and information disclosure with 11 patches (18%).

Figure 1. Breakdown of November 2025 Patch Tuesday exploitation techniques
Microsoft Windows received the most patches this month with 39, followed by Microsoft Office with 12 and Developer Tools with 5.
Figure 2. Breakdown of product families affected by November 2025 Patch Tuesday

Zero-Day Vulnerability in Windows Kernel

CVE-2025-62215 is an Important elevation of privilege vulnerability affecting the Windows kernel and has a CVSS score of 7.0. This vulnerability allows authenticated local attackers with low privileges to elevate their privileges to SYSTEM level by exploiting a race condition weakness in the Windows kernel through local access to the system.

There is evidence of active exploitation in the wild. Microsoft has attributed the discovery to the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) but has not shared details about how the vulnerability was exploited. The vulnerability affects all supported versions of Windows systems and requires local access, low privileges, and no user interaction to exploit. Microsoft notes attack complexity is high.

When successfully exploited, attackers can gain SYSTEM privileges by winning a race condition, potentially allowing them to completely compromise the confidentiality, integrity, and availability of affected Windows systems. This marks the 11th elevation of privilege vulnerability patched in the Windows kernel in 2025, with five in the October 2025 Patch Tuesday release.

Table 1. Important zero-day vulnerability in Windows kernel

Severity  | CVSS Score | CVE            | Description
Important | 7.0        | CVE-2025-62215 | Windows Kernel Elevation of Privilege Vulnerability

Critical Vulnerability in Microsoft Graphics Component (GDI+)

CVE-2025-60724 is a Critical remote code execution vulnerability affecting Microsoft Graphics Component (GDI+) and has a CVSS score of 9.8, the highest severity rating this month. It had not been publicly disclosed, and there is no evidence of active exploitation in the wild.

This vulnerability allows unauthenticated remote attackers to execute arbitrary code by exploiting a heap-based buffer overflow weakness in GDI+ over a network connection. An attacker could exploit this vulnerability by convincing a victim to download and open a document containing a specially crafted metafile. In the worst-case scenario, an attacker could exploit this vulnerability on web services by uploading documents containing a specially crafted metafile without user interaction, affecting systems that parse documents with graphics content.

When successfully exploited, attackers can achieve remote code execution or information disclosure on web services by parsing documents with specially crafted metafiles, potentially compromising systems without victim involvement. The vulnerability affects systems utilizing Microsoft Graphics Component for document rendering and graphics processing.

Table 2. Critical vulnerability in Microsoft Graphics Component (GDI+)

Severity | CVSS Score | CVE            | Description
Critical | 9.8        | CVE-2025-60724 | Microsoft Graphics Component Remote Code Execution Vulnerability

Critical Vulnerability in Nuance PowerScribe

CVE-2025-30398 is a Critical information disclosure vulnerability affecting Nuance PowerScribe 360 and PowerScribe One and has a CVSS score of 8.1. It has not been publicly disclosed, and there is no evidence of active exploitation in the wild.

This vulnerability allows unauthenticated remote attackers to disclose sensitive information by exploiting missing authorization in Nuance PowerScribe over a network connection. It affects multiple versions of Nuance PowerScribe 360 (versions 4.0.1 through 4.0.9) and PowerScribe One (versions 2019.1 through 2019.10, and 2023.1 SP2 Patch 7) and can be exploited remotely with low attack complexity, requiring no privileges but requiring user interaction.

When successfully exploited, attackers can disclose PowerScribe configuration settings by making an API call to a specific endpoint after a user initiates a connection, potentially causing major loss of confidentiality and integrity on affected systems.

Table 3. Critical vulnerability in Nuance PowerScribe

Severity | CVSS Score | CVE            | Description
Critical | 8.1        | CVE-2025-30398 | Nuance PowerScribe 360 Information Disclosure Vulnerability

Critical Vulnerability in Microsoft Office

CVE-2025-62199 is a Critical remote code execution vulnerability affecting Microsoft Office and has a CVSS score of 7.8. This vulnerability allows unauthenticated local attackers to execute arbitrary code by exploiting a use-after-free weakness in Microsoft Office through local access to the system, with user interaction required.

The vulnerability has not been publicly disclosed, and there is no evidence of active exploitation in the wild. The vulnerability affects Microsoft 365 Apps for Enterprise (32-bit and 64-bit), Microsoft Office LTSC 2021 and 2024 (32-bit and 64-bit), Microsoft Office 2016 (32-bit and 64-bit), Microsoft Office LTSC for Mac 2021 and 2024, and Microsoft Office for Android. Exploitation requires local access with low attack complexity, requiring no privileges but requiring user interaction.

When successfully exploited, attackers can achieve arbitrary code execution when a user opens a malicious file. The Preview pane is an attack vector for this vulnerability, continuing a pattern observed in similar Office vulnerabilities throughout 2023-2025 (April 2023, July 2023, December 2023, October 2024, January 2025, February 2025, April 2025, June 2025, September 2025).

Table 4. Critical vulnerability in Microsoft Office

Severity | CVSS Score | CVE            | Description
Critical | 7.8        | CVE-2025-62199 | Microsoft Office Remote Code Execution Vulnerability

Critical Vulnerability in DirectX Graphics Kernel

CVE-2025-60716 is a Critical elevation of privilege vulnerability affecting the DirectX Graphics kernel and has a CVSS score of 7.0. This vulnerability allows authenticated local attackers with low privileges to elevate their privileges to SYSTEM level by exploiting a use-after-free weakness in Windows DirectX through local access to the system.

The vulnerability has not been publicly disclosed, and there is no evidence of active exploitation in the wild. The vulnerability affects all supported versions of Windows, including Windows 10 (versions 1809, 21H2, and 22H2), Windows 11 (versions 23H2, 24H2, and 25H2), and Windows Server 2019, 2022, and 2025 (including Server Core installations). Exploitation requires local access with high attack complexity, requiring low privileges but no user interaction.

When successfully exploited, attackers can gain SYSTEM privileges by winning a race condition, potentially allowing them to completely compromise the confidentiality, integrity, and availability of affected Windows systems.

Table 5. Critical vulnerability in DirectX Graphics kernel

Severity | CVSS Score | CVE            | Description
Critical | 7.0        | CVE-2025-60716 | DirectX Graphics Kernel Elevation of Privilege Vulnerability

Critical Vulnerability in Visual Studio

CVE-2025-62214 is a Critical remote code execution vulnerability affecting Microsoft Visual Studio 2022 version 17.14 and has a CVSS score of 6.7. This vulnerability allows authenticated local attackers with high privileges to execute arbitrary code by exploiting a command injection weakness in Visual Studio through local access to the system.

The vulnerability has not been publicly disclosed, and there is no evidence of active exploitation in the wild. The vulnerability requires local access to exploit with high attack complexity, requiring high privileges but no user interaction.

When successfully exploited, attackers can achieve arbitrary code execution through a multi-step process involving prompt injection, Copilot Agent interaction, and triggering a build.

Table 6. Critical vulnerability in Visual Studio 2022

Severity | CVSS Score | CVE            | Description
Critical | 6.7        | CVE-2025-62214 | Visual Studio Remote Code Execution Vulnerability

Patch Tuesday Dashboard in the Falcon Platform

For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture.

The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate the severity and characteristics of software vulnerabilities. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources