November Patch Tuesday Commentary From Fortra

Tyler Reguly, Associate Director, Security R&D, Fortra

Microsoft seems to have decided that the past few months have given us all the entertainment that we needed and toned things down a little this month. We do have one CVE that has seen active exploitation (CVE-2025-62215) and 6 CVEs that Microsoft has assigned a severity level of Critical (CVE-2025-60724, CVE-2025-62214, CVE-2025-62199, CVE-2025-60716, CVE-2025-60724, CVE-2025-30398). This set includes the single CVE, CVE-2025-60724, that also earned a Critical rating on the CVSS scale, with a score of 9.8. That 9.8 is something that will likely get a lot of discussion.

One of the things that makes CVE-2025-60724 interesting is a remark that Microsoft made in the FAQ, “In the worst-case scenario, an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile (AV:N) without user interaction.” This is where I tend to find fault with the way Microsoft handles these vulnerabilities. We have traditional Windows cumulative updates, but a very non-standard attack vector – file upload. There are plenty of unknowns with this one and a lot of questions that we could ask… “Does the technology matter? The backend language processing the metafile? The web server selection?” Microsoft isn’t exactly giving me a lot of confidence that I could mitigate or reduce my risk if patching isn’t immediately possible.

If I’m a CISO, then CVE-2025-60724 has me worried this month. We have a vulnerability that Microsoft and CVSS agree is critical and an attack vector that requires no user interaction and no privileges, just the ability to upload a file. We know nothing about the file type, the technologies that are impacted (other than GDI+ in the title), or the services impacted. Do I need to worry about my SharePoint infrastructure? What about third-party software – my wiki or my bug tracker? This is definitely one that feels a little spooky without a lot of extra details being provided.
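One compensating control a defender can stand up while patching is pending, as an added example that is not Fortra's or Microsoft's code: flag uploads that carry EMF/WMF metafile headers, either as a bare file or as a member of an OOXML ZIP container (.docx, .xlsx, .pptx). The header magic values are standard format facts; because the commentary gives no file-type details, treating any metafile content as the thing to quarantine is an assumption, and the sample document below is constructed.

```python
import io
import zipfile

# Header constants for the two GDI+ metafile formats (format facts, not from the commentary):
#   EMF: record type ENHMETAHEADER (0x00000001) at offset 0, ASCII " EMF" at offset 40
#   WMF: placeable-header key 0x9AC6CDD7, stored little-endian as D7 CD C6 9A
EMF_RECORD_TYPE = b"\x01\x00\x00\x00"
EMF_SIGNATURE = b" EMF"
WMF_PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # refuse to inflate oversized archive members

def metafile_kind(data):
    """Classify a byte string as 'EMF', 'WMF' or None from its header alone."""
    if len(data) >= 44 and data[:4] == EMF_RECORD_TYPE and data[40:44] == EMF_SIGNATURE:
        return "EMF"
    if data[:4] == WMF_PLACEABLE_KEY:
        return "WMF"
    return None

def find_metafiles(blob):
    """Return [(member_name, kind)] for metafile content found in an upload.
    A bare metafile is reported as '<root>'; a ZIP container (which is what
    OOXML documents such as .docx are) has each member inspected."""
    hits = []
    kind = metafile_kind(blob)
    if kind:
        hits.append(("<root>", kind))
    if blob[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        hits.append((info.filename, "OVERSIZED"))  # flag it, do not inflate it
                        continue
                    kind = metafile_kind(zf.read(info))
                    if kind:
                        hits.append((info.filename, kind))
        except zipfile.BadZipFile:
            pass  # not a valid archive; nothing further to inspect
    return hits

# Constructed sample (assumption): a 44-byte EMF header stub inside a minimal docx-like ZIP.
EMF_STUB = EMF_RECORD_TYPE + b"\x00" * 36 + EMF_SIGNATURE
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("[Content_Types].xml", "<Types/>")
    _zf.writestr("word/document.xml", "<w:document/>")
    _zf.writestr("word/media/image1.emf", EMF_STUB)
SAMPLE_DOCX = _buf.getvalue()

if __name__ == "__main__":
    print(find_metafiles(SAMPLE_DOCX))  # [('word/media/image1.emf', 'EMF')]
```

This is a header heuristic only: it identifies metafile content, not whether that content is crafted, so it sits alongside patching rather than replacing it.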

While not directly related to today’s patch drop, I wanted to call attention to the additional documentation (via blog post: https://www.microsoft.com/en-us/msrc/blog/2025/10/understanding-cve-2025-55315) that Microsoft published related to CVE-2025-55315. This is fantastic additional context around the vulnerability and the risks involved. This is the type of documentation that we should see for every critical or actively exploited vulnerability that Microsoft patches. If you are a CISO or in communication with a Microsoft TAM, you should reach out and let them know that this is an improvement to their communication and that releasing content like this for more vulnerabilities and in a more timely fashion would be hugely beneficial to the security community.
