Current Cyber Threats

Microsoft December 2025 Patch Tuesday Fixes 3 Zero-Days, 57 Flaws

Summary:
As part of its December Patch Tuesday, Microsoft addressed 57 flaws, including three zero-days. Of the 57 flaws addressed, there were 28 Elevation of Privilege vulnerabilities, 19 Remote Code Execution vulnerabilities, 4 Information Disclosure vulnerabilities, 3 Denial of Service vulnerabilities, and 2 Spoofing vulnerabilities. Three flaws have been rated critical in severity and could allow actors to execute code remotely on vulnerable systems:

In addition to Microsoft, other vendors also released security updates in December:

Security Officer Comments:
This month's Patch Tuesday addresses three zero-day vulnerabilities, one of which is actively being exploited in attacks, while the other two have been publicly disclosed. The actively exploited zero-day, tracked as CVE-2025-62221, affects the Windows Cloud Files Mini Filter Driver. This vulnerability is a use-after-free issue that can lead to a local privilege escalation, allowing attackers to elevate their privileges to SYSTEM level.

In addition to the actively exploited flaw, two publicly disclosed zero-days have also been patched. CVE-2025-64671 is a critical vulnerability in GitHub Copilot for JetBrains, which allows an attacker to execute arbitrary commands on a local machine via command injection. This can be triggered through a Cross Prompt Injection in untrusted files or MCP servers.

The second publicly disclosed flaw, CVE-2025-54100, affects PowerShell and could allow an attacker to achieve remote code execution via malicious scripts embedded in webpages. The vulnerability arises from improper neutralization of command elements when using the Invoke-WebRequest cmdlet, potentially allowing an attacker to inject malicious code into the web request process.

Suggested Corrections:
Organizations should review the list of vulnerabilities resolved and apply the relevant patches as needed. To access the full list of vulnerabilities addressed, please use the link below:

https://www.bleepingcomputer.com/mi...ts/Microsoft-Patch-Tuesday-December-2025.html

Link(s):
https://www.bleepingcomputer.com/ne...025-patch-tuesday-fixes-3-zero-days-57-flaws/