Tenzai Raises $75 Million in Seed Funding to Build AI-Powered Pentesting Platform

Tel Aviv, Israel-based Tenzai has developed an AI-driven platform for penetration testing, which it says can continuously identify and address vulnerabilities.


Source: SecurityWeek

The $50 wearable that effectively soothes my migraines and headaches is discounted on Amazon

The Renpho Eyeris 2 Massager helps alleviate my headaches and tired eyes, and I can stream music with it too.

Source: Latest news

Microsoft Patches Actively Exploited Windows Kernel Zero-Day

Microsoft’s latest Patch Tuesday updates address more than 60 vulnerabilities in Windows and other products.


Source: SecurityWeek

Sign up for T-Mobile 5G Home Internet and get up to $300 cash back – here’s how

T-Mobile’s home internet plans start at $35/month with a five-year price lock, plus a new rebate. We’ve got all the details.

Source: Latest news

Your Pixel phone is getting 5 free upgrades today – including a built-in scam detector

The November Pixel Drop adds better message security and fun new tools – all for free.

Source: Latest news

1Password can now save passkeys directly in Windows 11 – here’s how

Passkeys are becoming increasingly common and, thankfully, easier to use. 1Password can now be set as your default passkey manager in Windows 11. Other password manager apps should follow closely.

Source: Latest news

Microsoft Patch Tuesday for November 2025 — Snort rules and prominent vulnerabilities

Microsoft has released its monthly security update for November 2025, which addresses 63 vulnerabilities across a range of products, five of which Microsoft rates as “critical.” Current intelligence shows that one of the “important” vulnerabilities, CVE-2025-62215, has already been exploited in the wild.

Of the five “critical” entries, three are remote code execution (RCE) vulnerabilities (in GDI+, Microsoft Office, and Visual Studio), one is an elevation of privilege vulnerability in the DirectX Graphics Kernel, and one is an information disclosure vulnerability in Nuance PowerScribe 360.

In the following sections we give a concise overview of the critical and important entries that are most relevant for defenders. The full catalogue of all reported issues can be found on Microsoft’s official update page.

Exploited in the Wild 

One “important” vulnerability was confirmed to have been exploited in the wild. 

CVE-2025-62215 is a Windows Kernel elevation of privilege vulnerability, given a CVSS 3.1 score of 7.8, where a race condition in Windows Kernel allows an authorized attacker to elevate privileges locally. Microsoft assessed that the attack complexity is “low”. 

Critical Vulnerabilities 

None of the critical vulnerabilities is labelled “exploitation more likely”; all five are rated “exploitation less likely.” Each of the five is described below.

CVE-2025-60724 is an RCE vulnerability in GDI+, given a CVSS 3.1 score of 9.8, where a heap-based buffer overflow in the Microsoft Graphics Component allows an unauthorized attacker to execute code over a network. On a workstation, the vulnerability is triggered by convincing a victim to download and open a document containing a specially crafted metafile. The worst case is server-side: a web service that parses uploaded documents can be hit by simply uploading a document containing the crafted metafile, with no user interaction and no privileges on the host, which could lead to RCE or information disclosure on that service. Microsoft assessed that the attack complexity is “low” and that exploitation is “less likely.”
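The server-side scenario above is the one defenders can do something about before the host is patched: an upload handler can refuse Office packages that carry an EMF or WMF metafile at all. The following is an added illustration written for this page, not Talos or Microsoft code; it inspects OOXML packages (docx/xlsx/pptx are zip files) by file header rather than by extension, so a renamed part is still caught. The sample documents it builds are constructed in memory and contain only well-formed headers, not exploit content.

```python
"""Stop-gap detector for the server-side exposure to CVE-2025-60724: reject uploaded
OOXML packages that embed EMF or WMF metafiles until the parsing hosts are patched.
Added illustration for this page; not Talos or Microsoft code."""
import io
import struct
import zipfile
from typing import List, Optional, Tuple

EMF_RECORD_TYPE_HEADER = b"\x01\x00\x00\x00"   # ENHMETAHEADER.iType == EMR_HEADER
EMF_SIGNATURE = b" EMF"                          # ENHMETAHEADER.dSignature, offset 40
WMF_PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"          # Aldus placeable header key 0x9AC6CDD7 (LE)
WMF_STANDARD_HEADERS = (b"\x01\x00\x09\x00",     # mtType=MEMORYMETAFILE, mtHeaderSize=9
                        b"\x02\x00\x09\x00")     # mtType=DISKMETAFILE,   mtHeaderSize=9


def metafile_kind(head: bytes) -> Optional[str]:
    """Classify a part from its leading bytes; None if it is not a metafile."""
    if (len(head) >= 44 and head[:4] == EMF_RECORD_TYPE_HEADER
            and head[40:44] == EMF_SIGNATURE):
        return "EMF"
    if head[:4] == WMF_PLACEABLE_KEY or head[:4] in WMF_STANDARD_HEADERS:
        return "WMF"
    return None


def find_metafiles(package: bytes) -> List[Tuple[str, str]]:
    """(part name, kind) for every metafile in the package, whatever its extension."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as part:
                head = part.read(64)        # headers sit at fixed offsets; no need to inflate more
            kind = metafile_kind(head)
            if kind:
                found.append((info.filename, kind))
    return found


def accept_upload(package: bytes) -> bool:
    """Policy hook for the upload handler: reject any package carrying a metafile."""
    try:
        return not find_metafiles(package)
    except zipfile.BadZipFile:
        return False                        # not a valid package: reject rather than parse blind


# --- constructed sample inputs (well-formed headers only, not exploit files) -------------
def fake_emf() -> bytes:
    """An 88-byte EMR_HEADER record with the ' EMF' signature at offset 40."""
    return (EMF_RECORD_TYPE_HEADER + struct.pack("<I", 88) + b"\x00" * 32
            + EMF_SIGNATURE + b"\x00" * 44)


def fake_wmf() -> bytes:
    """A 22-byte placeable header followed by a standard WMF header."""
    return WMF_PLACEABLE_KEY + b"\x00" * 18 + b"\x01\x00\x09\x00" + b"\x00" * 14


def build_docx(with_metafiles: bool) -> bytes:
    """Minimal docx: content types, a body, a PNG, and optionally two metafiles,
    one of them disguised with a .png extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image0.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        if with_metafiles:
            zf.writestr("word/media/image1.emf", fake_emf())
            zf.writestr("word/media/image2.png", fake_wmf())   # renamed WMF
    return buf.getvalue()


if __name__ == "__main__":
    print(find_metafiles(build_docx(True)))   # [('word/media/image1.emf', 'EMF'), ('word/media/image2.png', 'WMF')]
    print(accept_upload(build_docx(False)))   # True
```

This is one layer, not a substitute for patching: metafiles also travel inside RTF, legacy binary Office formats and OLE objects, which this zip walk does not see, and a parser that accepts those needs the same treatment.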

CVE-2025-30398 is a Nuance PowerScribe 360 information disclosure vulnerability, given a CVSS 3.1 score of 8.1, where missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network. An unauthenticated attacker could exploit this vulnerability by making an API call to a specific endpoint and use the returned data to gain access to sensitive information (including PII) on the server. Microsoft assessed that the attack complexity is “low” and that exploitation is “less likely.”

CVE-2025-62199 is an RCE vulnerability in Microsoft Office applications, given a CVSS 3.1 score of 7.8, where a use-after-free flaw in Microsoft Office allows an unauthorized attacker to execute code locally on a vulnerable workstation. To exploit this vulnerability, an attacker must send the user a malicious file and convince them to open it. Microsoft assessed that the attack complexity is “low” and that exploitation is “less likely.”

CVE-2025-60716 is a DirectX Graphics Kernel elevation of privilege vulnerability, given a CVSS 3.1 score of 7.0, where a use-after-free flaw in Windows DirectX allows an authorized attacker to elevate privileges locally. Successful exploitation requires the attacker to win a race condition. Microsoft assessed that the attack complexity is “high” and that exploitation is “less likely.”

CVE-2025-62214 is an RCE vulnerability in Visual Studio, given a CVSS 3.1 score of 6.7, where AI command injection in Visual Studio allows an authorized attacker to execute code locally. Exploitation is not trivial, as it requires multiple steps: prompt injection, Copilot Agent interaction, and triggering a build. Microsoft assessed that the attack complexity is “high” and that exploitation is “less likely.”

Important Vulnerabilities 

Talos would also like to highlight the following “important” vulnerabilities as Microsoft has determined that their exploitation is “more likely”:    

CVE-2025-59512 – Customer Experience Improvement Program (CEIP) Elevation of Privilege Vulnerability

CVE-2025-60705 – Windows CSC Service Elevation of Privilege Vulnerability

CVE-2025-60719 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 

CVE-2025-62217 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 

CVE-2025-62213 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.   

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 65496-65501, 65507-65510. There are also these Snort 3 rules: 301343-301345, 301347, 301348.  

Source: Cisco Talos Blog

Protect your PC as you turn it on – how to enable secure boot in Windows 11

Secure Boot aims to protect your PC from malware that tries to sneak in as your PC boots up. Here’s how to activate the feature if it’s not already enabled.

Source: Latest news

What is the Pixnapping vulnerability, and how to protect your Android smartphone? | Kaspersky official blog

Android constantly tightens app restrictions to prevent scammers from using malicious software to steal money, passwords, and users’ private secrets. However, a new vulnerability dubbed Pixnapping bypasses these protections and allows an attacker to imperceptibly read pixels from the screen, essentially taking a screenshot. A malicious app with zero permissions can see passwords, bank account balances, one-time codes, and anything else the owner views on the screen. Fortunately, Pixnapping is currently a purely research project and is not yet being actively exploited by threat actors; the hope is that Google will thoroughly patch the vulnerability before the attack code is integrated into real-world malware. As of now, the Pixnapping vulnerability (CVE-2025-48561) likely affects all modern Android smartphones, including those running the latest Android versions.

Why screenshots, media projection and screen reading are dangerous

As demonstrated by the SparkCat OCR stealer we discovered, threat actors have already mastered image processing. If an image on a smartphone contains a valuable piece of information, the malware can detect it, perform optical character recognition directly on the phone, and then exfiltrate the extracted data to the attacker’s server. SparkCat is particularly noteworthy because it managed to infiltrate official app marketplaces including the App Store. It would not be difficult for a malicious Pixnapping-enabled app to replicate this trick, especially given that the attack requires zero special permissions. An app that appears to offer a legitimate, useful feature could simultaneously and silently send one-time multi-factor authentication codes, cryptowallet passwords, and any other information to scammers.

Another popular tactic used by malicious actors is to view the required data as it’s shown, in real-time. For this social engineering approach, the victim is contacted via a messaging app and, under various pretexts, convinced to enable screen sharing.

Anatomy of the Pixnapping attack

The researchers were able to screenshot content from other apps by combining previously known methods of stealing pixels from browsers and from ARM phone graphics processing units (GPUs). The attacking app silently overlays translucent windows atop the target information and then measures how the video system combines the pixels of these layered windows into a final image.

As far back as 2013, researchers described an attack that allowed one website to load another within part of its own window (via an iframe) and, by performing legitimate operations of image layering and transformation, infer exactly what was drawn or written on the other site. While modern browsers have mitigated that specific attack, a group of U.S. researchers have now figured out how to apply the same core principle to Android.

The malicious app first sends the target app a message through Android’s standard inter-app messaging mechanism, an intent. Intents are used not only to launch an app but also to open a browser at a specific URL or a messaging app at a specific contact’s chat. The attacking app sends an intent, with specific launch flags set, that forces the target app to draw the sensitive information, and then immediately sends a launch intent to itself. This combination keeps the victim app from ever appearing on the screen, yet the victim still renders the information the attacker wants into its window, in the background.

In the second stage of the attack, the malicious app overlays the hidden window of the victim app with a series of translucent windows, each of which covers and blurs the content beneath it. This complex arrangement remains invisible to the user, but Android dutifully calculates how this combination of windows should look if the user were to bring it to the foreground.

The attacking app can only directly read the pixels from its own translucent windows; the final combined image, which incorporates the victim app’s screen content, is not directly accessible to the attacker. To bypass this restriction, the researchers employ two ingenious tricks. The specific pixel to be stolen is isolated from its surroundings by overlaying the victim app with a mostly opaque window that has a single transparent point precisely over the target pixel. A magnifying layer is then placed on top of this combination, consisting of a window with heavy blurring enabled.

(Figure: How the Pixnapping vulnerability works)

To decipher the resulting mush and determine the value of the pixel at the very bottom, the researchers leveraged another known vulnerability, GPU.zip (this may look like a file link, but it actually leads to a research paper site). This vulnerability is based on the fact that the GPUs in modern smartphones transparently compress the graphical data they read from and write to memory. The compression is lossless (like a ZIP file), but how long packing and unpacking take depends on the data being compressed: uniform regions compress faster than varied ones. GPU.zip lets an attacker measure the time a rendering operation takes and infer from it what data was rendered. With the help of GPU.zip, the isolated, blurred, and magnified single pixel from the victim app’s window can be read by the attacking app.

Stealing something meaningful requires repeating the entire pixel-stealing process hundreds of times, as it needs to be applied to each point separately. However, this is entirely feasible within a short time frame. In a video demonstration of the attack, a six-digit code from Google Authenticator was successfully extracted in just 22 seconds, while it was still valid.
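The two paragraphs above describe a pixel oracle built on data-dependent lossless compression, applied once per pixel. The following is an added model written for this page, not the researchers’ code: zlib stands in for the GPU’s transparent compression, compressed size stands in for the rendering time the real attack measures (size is what the time tracks, and it is deterministic), and the isolate-and-blur step is modelled as “a white pixel stays a uniform region, a dark pixel becomes a smooth gradient”. The 5×7 glyph is a constructed secret standing in for one character of a one-time code; none of this touches Android.

```python
"""Model of the Pixnapping pixel oracle: a lossless, data-dependent compressor leaks
one bit per rendering, and a glyph is recovered one pixel at a time.
Added illustration for this page; not the researchers' code."""
import time
import zlib
from typing import List, Tuple

# Constructed secret: a 5x7 one-bit glyph of the digit 7 (assumed, not from the paper).
SECRET_GLYPH = [
    "11111",
    "00001",
    "00010",
    "00100",
    "01000",
    "01000",
    "01000",
]
WHITE, BLACK = 255, 0
REGION = 32  # side length of the magnified region, in pixels


def victim_pixel(x: int, y: int) -> int:
    """What the hidden victim window draws at (x, y). In the model this feeds the
    compositor; the attacker never reads it directly."""
    return BLACK if SECRET_GLYPH[y][x] == "1" else WHITE


def magnify(pixel: int) -> bytes:
    """Isolation + blur, modelled: the single exposed pixel is spread over a
    REGION x REGION area. White stays uniform; a dark pixel blurred against the
    mask becomes a smooth radial gradient (modelling assumption)."""
    if pixel == WHITE:
        return bytes([WHITE]) * (REGION * REGION)
    centre = (REGION - 1) / 2
    max_d = (2 * centre ** 2) ** 0.5
    out = bytearray()
    for y in range(REGION):
        for x in range(REGION):
            d = ((x - centre) ** 2 + (y - centre) ** 2) ** 0.5
            out.append(int(WHITE * d / max_d))
    return bytes(out)


def compression_cost(region: bytes) -> Tuple[int, float]:
    """Compressed size and wall-clock time for the region. GPU.zip measures the
    time; here the size is the deterministic quantity that time tracks."""
    t0 = time.perf_counter()
    packed = zlib.compress(region, 9)
    return len(packed), time.perf_counter() - t0


# Calibrate once on a region the attacker knows is white (it owns such windows).
WHITE_BASELINE = compression_cost(magnify(WHITE))[0]


def pixel_is_white(region: bytes) -> bool:
    """The oracle: a uniform region compresses to (almost) the white baseline."""
    return compression_cost(region)[0] <= WHITE_BASELINE + 4


def steal_glyph() -> List[str]:
    """Recover the glyph pixel by pixel; this per-pixel loop is why the real attack
    needs hundreds of renderings for a six-digit code."""
    rows = []
    for y in range(len(SECRET_GLYPH)):
        row = ""
        for x in range(len(SECRET_GLYPH[0])):
            composite = magnify(victim_pixel(x, y))   # what the compositor produces
            row += "0" if pixel_is_white(composite) else "1"
        rows.append(row)
    return rows


if __name__ == "__main__":
    for line in steal_glyph():
        print(line)
```

The point the model makes is the one that matters for mitigation: as long as the compressor is transparent and its cost depends on content, any attacker who can get a victim pixel into the composited region and time the result has an oracle, regardless of which screenshot or screen-recording APIs are locked down.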

How Android protects screen confidentiality

Google engineers have nearly two decades of experience combating various privacy attacks, which has resulted in a layered defense built against illegal capture of screenshots and videos. A complete list of these measures would span several pages, so we only list some key protections:

  • The FLAG_SECURE window flag keeps a window’s content out of screenshots, screen recordings, and non-secure displays.
  • Access to media projection tools (capturing screen content as a media stream) requires explicit user confirmation and can only be performed by an app that is visible and active.
  • Tight restrictions are placed on access to privileged services like AccessibilityService and on the ability to draw app elements over other apps.
  • One-time passwords and other secret data are hidden automatically if media projection is detected.
  • Android restricts apps from accessing other apps’ data. Additionally, apps cannot request a full list of all installed apps on the smartphone.

Unfortunately, Pixnapping bypasses all these existing restrictions and requires absolutely no special permissions. The attacking app only needs two fundamental capabilities: to draw within its own windows and to send system calls (intents) to other apps. These are basic building blocks of Android functionality, so they are very difficult to restrict.

Which devices are affected by Pixnapping, and how to defend oneself

The attack’s viability was confirmed on Android versions 13–16 across Google Pixel devices from generations 6–9, as well as Samsung Galaxy S25. The researchers believe the attack will be functional on other Android devices as well, as all the mechanisms used are standard. However, there may be nuances related to the implementation of the second phase of the attack (the pixel magnification technique).

Google released a patch in September after being notified of the attack in February. Unfortunately, the chosen fix proved insufficiently robust, and the researchers quickly devised a way to bypass it. A new attempt to eliminate the vulnerability is planned for Google’s December update release. As for GPU.zip, there are no plans to patch this data leakage channel; at least, no smartphone GPU manufacturer has announced plans to that effect since the flaw was disclosed in 2023.

User capabilities to defend against Pixnapping are limited. We recommend the following measures:

  • Promptly update to the latest version of Android with all current security patches.
  • Avoid installing apps from unofficial sources, and exercise caution with apps from official stores if they are too new, have low download counts, or are poorly rated.
  • Ensure a full-fledged security system is used on your phone, such as Kaspersky for Android.


Source: Kaspersky official blog

Your Google Photos just got 3 huge Nano Banana image editing upgrades – for free

Google Photos just made it easier than ever to create realistic AI edits, thanks to Google DeepMind’s top image-editing model.

Source: Latest news