October 2025 Patch Tuesday was one for the record books in so many ways. There was a big push by Microsoft to fix as many open vulnerabilities as possible in products that were reaching end-of-life (EOL). This included 116 CVEs addressed in Windows 10 and an astronomical 134 CVEs addressed in Windows 11, because don’t forget Windows 11 22H2 Enterprise and Education editions also reached EOL.
Microsoft also ended security support for many applications, including older versions of Office and Exchange Server. That brings us to the question: when will those EOL on-premises versions of Windows and Exchange Server really disappear? Based on the news, not anytime soon.
Windows 11 23H2 Pro reaches end of life next week
The massive EOL saga, which began last month, comes to a close next week with the final security update for Windows 11 23H2 Professional. Don’t panic, because the Windows 11 23H2 Education and Enterprise editions still have another year of support, ending on November 10, 2026. In case you missed it, check out my article from last month covering the final updates and recommended migration paths for Office 2016 and 2019, Exchange Server 2016 and 2019, and finally Windows 10.
The first Extended Security Updates (ESU) for Windows 10 22H2 will show up this month for those of you who are subscribed. Not all versions reached EOL; Windows 10 Enterprise LTSC 2021 and Windows 10 IoT Enterprise LTSC 2021 still have several years of support. Be aware that there are some reports of these systems displaying an incorrect EOL warning after the October updates are applied; Microsoft has stated this is not an issue and that the November updates will apply normally.
CISA and NSA publish joint recommendations to protect EOL Exchange servers
The announcements for Exchange Server EOL versions were made well in advance of the final security updates last month, but it is often a slow, painful and costly process for large organizations to move from on-premises or hybrid mail servers to a full cloud infrastructure provided by Microsoft 365.
The news has been full of articles detailing the number of vulnerable servers online and the associated attacks against them. In response, multiple security agencies including CISA, NSA, Australian Signals Directorate, and others, have combined their talent and released a document on Microsoft Exchange Server Security Best Practices. This document provides security recommendations and mitigations to harden on-premises and often EOL Exchange Server systems as cloud or upgrade alternatives are in progress.
This list of recommendations is not meant to be all-inclusive, but it does provide an excellent reference for those who are in transition.
Critical WSUS Vulnerability actively exploited
We saw a repeat patch release this month that could have been included in my August article titled Try, try again. On October Patch Tuesday, Microsoft released a fix for CVE-2025-59287 in 7 KBs for Windows Server versions 2012 through 2025. The remote code execution vulnerability in Windows Server Update Services (WSUS) carries a CVSS 3.1 base score of 9.8 and a Critical severity rating. This fix impacted hot patching on Windows Server 2025 and was re-released in out-of-band update KB5070881 to address the issue.
It was also reported that there may have been some additional changes around the fix for this vulnerability. Regardless, this vulnerability and these patches deserve special attention for two reasons. First, there are still five reported Known Issues in the KB ranging from Active Directory to continued Hot Patch concerns, so you will want to double-check that they install properly.
Second, and more importantly, CISA and others have reported there is now active exploitation of the vulnerability and proof-of-concept code is available. If you haven’t deployed this update on its own, make sure it is part of your November patch cycle.
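One way to confirm that the CVE-2025-59287 fix actually landed on the servers that matter, as an added example that is not part of the original article: the script below flags only hosts with the WSUS role and checks for the expected KB. It assumes it runs elevated on each Windows Server; KB5070881 for Windows Server 2025 (build 10.0.26100, an assumed mapping) comes from the article, and the KB IDs for other Windows Server versions are not on the page, so they are left as placeholders to fill from the advisory.

```powershell
# Added example, not from the article: verify the CVE-2025-59287 WSUS fix on this host.
# Assumption: only Windows Server 2025 -> KB5070881 is taken from the article; other
# OS build -> KB mappings must be filled in from the MSRC advisory before use.
$KbByOsVersion = @{
    '10.0.26100' = 'KB5070881'   # Windows Server 2025 out-of-band re-release (from article)
    # '10.0.20348' = 'KB<fill from advisory>'   # Windows Server 2022 (placeholder)
    # '10.0.17763' = 'KB<fill from advisory>'   # Windows Server 2019 (placeholder)
}

function Test-WsusRole {
    # Only servers with the Update Services role host the vulnerable WSUS endpoint.
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    return ($null -ne $feature -and $feature.Installed)
}

function Get-ExpectedKb {
    # Win32_OperatingSystem reports the true build (e.g. 10.0.26100), unlike some .NET APIs.
    $osVersion = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
    return $KbByOsVersion[$osVersion]
}

function Test-KbInstalled([string]$Kb) {
    if (-not $Kb) { return $false }
    # Get-HotFix reads Win32_QuickFixEngineering, which lists cumulative updates by KB ID.
    # Assumption: hotpatch-enrolled Server 2025 hosts may report a different KB; review those by hand.
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

$hasWsus = Test-WsusRole
$kb = Get-ExpectedKb
$osVersion = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
if (-not $hasWsus) {
    Write-Output "$env:COMPUTERNAME: WSUS role not installed; CVE-2025-59287 endpoint not exposed here."
} elseif (-not $kb) {
    Write-Output "$env:COMPUTERNAME: WSUS role present but no KB mapped for build $osVersion; check the advisory."
} elseif (Test-KbInstalled $kb) {
    Write-Output "$env:COMPUTERNAME: WSUS role present and $kb installed."
} else {
    Write-Output "ACTION: $env:COMPUTERNAME hosts WSUS and $kb is missing; prioritize this server."
}
```

Run it across the fleet with Invoke-Command and review the ACTION lines first; a missing KB on a WSUS host is the case the active exploitation reports are about.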
Looking forward to next week and the forecast, Microsoft did announce a fix for a Windows 11 24H2 issue where a cumulative update would fail because of a language pack conflict. This fix was provided in the Preview last week and will be available next week in the general updates.
November 2025 Patch Tuesday forecast
- The number of CVEs should drop dramatically this month. We should get a break from .NET framework and Exchange Server updates next week. A Windows SQL Server update is possible. Anticipate the expected OS, Office, and SharePoint patches although there will be fewer binaries with fewer versions now supported.
- Adobe seems to rotate which Creative Cloud apps get updates, so anticipate InDesign and Photoshop this month. Adobe Acrobat and Reader received an update in September, so Adobe may want to make sure they are up to date going into the shopping holidays with a release next week.
- Apple provided major security updates across all their operating systems and for Safari on November 3. If you haven’t already, include those updates in your November patch cycle.
- Google released Chrome beta 143.0.7499.17 for Windows, Mac and Linux today, so expect that version on Patch Tuesday.
- Mozilla released a security update for Firefox 144 on October 30. I would expect another product wide release next week and most likely on Patch Tuesday.
This November 2025 Patch Tuesday may be the first step towards the new normal. There are far fewer Microsoft applications available in standalone, on-premises form and fewer OS versions still in support (if you don’t include those with ESUs). We can all be happy with fewer updates to manage, but we’ll see how it plays out next week. It may be a little early, but Happy Thanksgiving to those of you here in the US.
