Microsoft has released updates resolving 88 new CVEs, four of which are rated Critical. The updates affect the Windows OS, Office, SQL Server, Exchange Server, .NET and Visual Studio. Two of the CVEs are confirmed to be exploited in the wild, two CVEs are publicly disclosed, and there is an advisory for SharePoint Server.

Zero-day vulnerabilities 

Microsoft has resolved an Elevation of Privilege vulnerability in Windows Task Scheduler (CVE-2024-49039). The vulnerability is rated Important and has a CVSS v3.1 score of 8.8. It is confirmed to be exploited in the wild. To exploit it, an attacker must run a specially crafted application on the target system; per Microsoft, the attack can be carried out from a low-privileged AppContainer, and a successful exploit lets the attacker execute code or access resources at a Medium integrity level, above that of the sandboxed process. The vulnerability affects Windows 10 and later OS editions, including Windows 11 24H2 and Server 2025. From a risk-based prioritization perspective, the vulnerability should be treated as Critical.

Microsoft has resolved a Spoofing vulnerability in NTLM (CVE-2024-43451). The vulnerability is rated Important and has a CVSS v3.1 score of 6.5. It has been confirmed to be exploited in the wild and has been publicly disclosed. If exploited, the vulnerability discloses the user's NTLMv2 hash to the attacker, who could use it to authenticate as that user. The attack requires only minimal interaction with a malicious file, such as selecting it (single-click), inspecting it (right-click) or performing an action on it other than opening it. The vulnerability affects Windows Server 2008 and later Windows OS editions, including Windows 11 24H2 and Server 2025. From a risk-based prioritization perspective, the vulnerability should be treated as Critical.

Public disclosures, third-party vulnerabilities and security advisories 

Active Directory Certificate Services 

Microsoft has resolved an Elevation of Privilege vulnerability in Active Directory Certificate Services (CVE-2024-49019). The vulnerability is rated Important and has a CVSS v3.1 score of 7.8. It has been publicly disclosed. If exploited, the attacker could gain domain administrator privileges. Beyond the update, Microsoft's advisory lists additional mitigations: remove overly broad Enroll or AutoEnroll permissions, remove unused templates from certificate authorities, and secure templates that allow the requester to specify the subject in the request. The vulnerability affects Windows Server 2008 and later Server OS editions. From a risk-based perspective, a public disclosure puts this vulnerability at a higher risk of being exploited and may warrant treating it as a higher severity.
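The three mitigations above are checkable from any domain-joined host. The following script is an added example (not from the original post and not Microsoft's code) that lists every certificate template where the requester supplies the subject, shows whether it is published on a CA, and reports Enroll/AutoEnroll grants to broad principals. It uses ADSI only, so no RSAT is required; the caller needs read access to the Configuration partition. The `$broadPrincipals` list is our own definition of "overly broad" and should be adjusted to your environment.

```powershell
# Added example, not from the original post or from Microsoft: audit the template conditions
# the advisory's mitigations target (requester-supplied subject, broad Enroll/AutoEnroll grants,
# templates still published on a CA). ADSI only; runs without RSAT on a domain-joined host.
# Assumption: $broadPrincipals is our list of "overly broad" identities; tune it for your domain.

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
$enrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollRightGuid = [guid]'a05b8cc2-17bc-11d2-91b1-0000f87a57d4'   # Certificate-AutoEnrollment
$genericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$broadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Map template name -> CAs it is published on. A template nobody publishes cannot be enrolled against.
$publishedOn = @{}
foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pkiBase").Children) {
    $caName = $ca.Properties['cn'].Value
    foreach ($tmpl in $ca.Properties['certificateTemplates']) {
        if (-not $publishedOn.ContainsKey($tmpl)) { $publishedOn[$tmpl] = @() }
        $publishedOn[$tmpl] += $caName
    }
}

function Test-BroadIdentity([string]$identity) {
    # IdentityReference looks like "CONTOSO\Domain Users" or "NT AUTHORITY\Authenticated Users"
    return $broadPrincipals -contains $identity.Split('\')[-1]
}

function Test-EnrollmentGrant($ace) {
    # An Allow ACE grants enrollment if it is GenericAll, or an ExtendedRight whose ObjectType is
    # Enroll, AutoEnroll, or the empty GUID (which means "all extended rights").
    if ($ace.AccessControlType -ne 'Allow') { return $false }
    $rights = [int]$ace.ActiveDirectoryRights
    if (($rights -band $genericAll) -eq $genericAll) { return $true }
    return (($rights -band $extendedRight) -ne 0) -and
           ($ace.ObjectType -in @($enrollRightGuid, $autoEnrollRightGuid, [guid]::Empty))
}

$findings = foreach ($template in ([ADSI]"LDAP://CN=Certificate Templates,$pkiBase").Children) {
    $name     = $template.Properties['cn'].Value
    $nameFlag = [int64]$template.Properties['msPKI-Certificate-Name-Flag'].Value
    if (($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0) { continue }

    $broad = @($template.ObjectSecurity.Access |
        Where-Object { (Test-EnrollmentGrant $_) -and (Test-BroadIdentity $_.IdentityReference.Value) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    [pscustomobject]@{
        Template       = $name
        SchemaVersion  = $template.Properties['msPKI-Template-Schema-Version'].Value
        PublishedOnCA  = ($publishedOn[$name] -join ', ')
        BroadEnrollees = ($broad -join ', ')
        NeedsAttention = ($broad.Count -gt 0 -and $publishedOn.ContainsKey($name))
    }
}

$findings | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize
```

Rows with NeedsAttention set are the ones the advisory's mitigations are aimed at: a published template that lets the requester choose the subject and that a broad group can enroll against. Unpublished templates that still show broad grants are candidates for deletion rather than ACL surgery, which is the "remove unused templates" mitigation.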

Microsoft Exchange Server 

Microsoft has resolved a Spoofing vulnerability in Microsoft Exchange Server (CVE-2024-49040). The vulnerability is rated Important and has a CVSS v3.1 score of 7.5. It has been publicly disclosed and exploit code maturity is at Proof-of-Concept level, which makes exploitation considerably easier for threat actors. The vulnerability lies in Exchange's verification of the P2 From header, the RFC 5322 From header shown to the recipient, as opposed to the P1 MAIL FROM envelope sender. Starting with the Exchange Server November 2024 Security Update, Exchange Server can detect and flag email messages that contain potentially malicious patterns in the P2 From header. By default, a flagged message is delivered with a warning about the suspicious sender prepended to its body. Mail flow rules can additionally be configured to reject such messages outright. Microsoft Exchange Server is a frequent target of threat actors who specialize in Exchange exploits. From a risk-based prioritization perspective, the public disclosure and availability of PoC-level exploit code warrant treating this vulnerability as Critical.
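The reject rule mentioned above can be created from the Exchange Management Shell. The script below is an added example, not code from the original post or from Microsoft's release notes. It assumes that Exchange stamps a flagged message with a header named X-MS-Exchange-P2FromRegexMatch carrying the value -1; confirm the header name and value against the SU release notes for your build before switching the rule to Enforce. The rule name and reject text are our own choices.

```powershell
# Added example, not from the original post or from Microsoft: once the November 2024 SU is on
# every Exchange server, turn the default "prepend a warning" behaviour into a reject for
# messages whose P2 From header tripped Exchange's suspicious-pattern check.
# Assumption: Exchange marks such messages with X-MS-Exchange-P2FromRegexMatch: -1.
# Run in the Exchange Management Shell as a member of Organization Management.

$headerName  = 'X-MS-Exchange-P2FromRegexMatch'   # assumption; verify in the SU release notes
$headerValue = '-1'                                # assumption; verify in the SU release notes
$ruleName    = 'Reject messages with suspicious P2 From header'
$mode        = 'Audit'   # Audit logs matches without acting; switch to 'Enforce' after reviewing hits

$existing = Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-TransportRule -Name $ruleName `
        -Mode $mode `
        -HeaderContainsMessageHeader $headerName `
        -HeaderContainsWords $headerValue `
        -RejectMessageReasonText 'Message rejected: suspicious P2 From header (CVE-2024-49040 defence in depth)' `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -Comments 'Added after the November 2024 Exchange SU; header semantics per the SU release notes'
} elseif ($existing.Mode -ne $mode) {
    # Rule already exists (e.g. a second run with $mode = 'Enforce'); only flip the mode.
    Set-TransportRule -Identity $ruleName -Mode $mode
}

# Show what is now in place so the change can be recorded in the change ticket.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, HeaderContainsMessageHeader, HeaderContainsWords, RejectMessageReasonText
```

Starting in Audit mode matters: if the assumed header name or value is wrong, an Enforce rule silently rejects nothing, and if the pattern is broader than expected it rejects legitimate mail. Review the audited matches, then rerun the script with `$mode = 'Enforce'`.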

Microsoft Defender 

Microsoft has resolved an OpenSSL library vulnerability (CVE-2024-5535) in Microsoft Defender. The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 9.1. It affects Microsoft Defender for Endpoint for iOS and Android, Azure Linux 3.0 and CBL-Mariner. According to Microsoft's advisory, an attacker could exploit the vulnerability by sending a malicious link to a victim via email or otherwise convincing the user to click a link; the attacker could also send a specially crafted email that triggers the vulnerability without the user needing to open, read or click anything.

SharePoint Server 

Microsoft has released a Defense in Depth update for SharePoint Server (ADV240001). The advisory carries no severity rating and no associated CVEs; it only announces the availability of the defense-in-depth updates for SharePoint Server.

Third-party updates  

Adobe has released eight updates this month, all rated Priority 3 by Adobe. Adobe's guidance for Priority 3 updates: the update resolves vulnerabilities in a product that has historically not been a target for attackers, and Adobe recommends that administrators install it at their discretion.

Google released a Chrome update on November Patch Tuesday; its release notes do not list any CVEs.

November update priorities:  

  • The Microsoft Windows OS updates should be your top priority this month, as they resolve both publicly disclosed and actively exploited vulnerabilities.
  • Microsoft Exchange Server should be a priority for organizations running Exchange Server. The public disclosure together with proof-of-concept exploit code puts this vulnerability at elevated risk of exploitation.