The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical zero-day vulnerability in the Microsoft Windows Kernel to its Known Exploited Vulnerabilities (KEV) catalog, highlighting active exploitation in the wild.
Tracked as CVE-2025-62215, this race condition allows local attackers with low privileges to escalate to SYSTEM-level access, posing a severe risk to Windows systems worldwide.
Added on November 12, 2025, with a patching due date of December 3, 2025, the vulnerability underscores the urgency for organizations to prioritize updates amid rising threat activity.
Understanding The Vulnerability
CVE-2025-62215 stems from improper synchronization in the Windows Kernel when multiple threads concurrently access shared resources, creating a race condition that leads to memory corruption.
An authenticated local attacker can exploit this by running a specially crafted application that triggers the timing error, often resulting in a “double free” of memory blocks and subsequent heap corruption.
This enables the attacker to overwrite critical kernel memory, hijack the execution flow, and gain complete system control without authentication beyond initial low-privilege access.
The flaw affects all supported editions of Windows 10, Windows 11, and Windows Server, including those under Extended Security Updates (ESU) for end-of-life systems.
With a CVSS v3.1 base score of 7.0 (rated Important by Microsoft), exploitation is of low complexity but hinges on a race condition, making it reliable when chained with initial footholds such as phishing or remote code execution.
Microsoft’s Threat Intelligence Center flagged active in-the-wild use during its November 2025 Patch Tuesday, where patches for over 60 vulnerabilities were released on November 11.
Security researchers note that while public exploit code is not widespread, the vulnerability’s simplicity allows malware authors to pair it with other bugs for complete system compromise.
Real-world attacks likely involve post-compromise escalation, where threat actors harvest credentials, move laterally, or deploy ransomware after gaining a toehold.
CISA emphasizes its inclusion in the KEV catalog to aid vulnerability management, urging federal agencies and critical infrastructure to apply mitigations immediately.
Mitigation Strategies and Broader Implications
Organizations must deploy Microsoft’s November 2025 security updates promptly to address CVE-2025-62215, as no workarounds exist beyond patching.
For Windows 10 users outside ESU, an out-of-band update ensures enrollment compatibility, extending protection for legacy systems.
Beyond patching, enable layered defenses, such as application control, workstation privilege access controls on workstations, and behavioral monitoring, to detect anomalous kernel activity.
Network defenders should scan for indicators of exploitation, such as unusual privilege escalations or memory anomalies, using tools aligned with CISA’s BOD 22-01 guidance.
The addition to CISA’s KEV catalog now listing over 1,459 entries signals the escalation of zero-day threats, particularly in kernel components that underpin OS security.
This vulnerability joins recent Windows flaws, such as CVE-2025-59287 in WSUS, highlighting Microsoft’s role as a prime target for advanced persistent threats.
Enterprises in sectors like finance, healthcare, and government face heightened risks, as escalated privileges could enable data exfiltration or persistence.
By integrating KEV data into prioritization frameworks, defenders can stay ahead of evolving exploits.
 has added a critical zero-day vulnerability in the Microsoft Windows Kernel){kind=link}