Microsoft December 2025 Patch Tuesday: One Zero-Day Exploited in the Wild, 57 Total Fixes
🛡️ Security

Microsoft December 2025 Patch Tuesday: One Zero-Day Exploited in the Wild, 57 Total Fixes

Microsoft's final Patch Tuesday of 2025 addresses 57 vulnerabilities including three zero-days—one actively exploited in attacks.

WindowsPatch TuesdayZero-DayCVEForticloud

Microsoft released its December 2025 Patch Tuesday updates today, fixing 57 vulnerabilities across Windows, Office, Exchange Server, and other products. Three zero-day flaws were addressed—one actively exploited in the wild, and two publicly disclosed with proof-of-concept exploits available. This marks Microsoft's final security update of the year, capping what has been the second-largest patch volume in company history.

Actively Exploited: CVE-2025-62221 (Patch Immediately)

The most critical vulnerability this month is CVE-2025-62221 (CVSS 7.8), a use-after-free vulnerability in the Windows Cloud Files Mini Filter Driver. Microsoft has confirmed this flaw is being actively exploited in attacks, though the company has not shared details about the nature or scope of these attacks.

Successful exploitation allows local privilege escalation to SYSTEM level—the highest privilege tier on Windows systems. The vulnerability affects all supported Windows versions, including Windows 10, Windows 11, and all Windows Server editions from 2016 onward.

CISA has already added CVE-2025-62221 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch within 21 days. Private organizations should treat this with equal urgency.

"Given that this vulnerability is seeing active exploitation and could lead to SYSTEM level access, this should be the priority for patching this month." — Dustin Childs, Trend Micro Zero Day Initiative

Two Publicly Disclosed Zero-Days

CVE-2025-64671: GitHub Copilot for JetBrains RCE

CVE-2025-64671 (CVSS 8.4) is a remote code execution vulnerability in GitHub Copilot for JetBrains IDEs. The flaw enables command injection through a technique researchers call "cross-prompt injection."

Attackers can exploit this by crafting malicious content in untrusted files or MCP (Model Context Protocol) servers. When Copilot processes these files, attackers can piggyback commands onto those already permitted by the user's terminal auto-approve settings. A proof-of-concept exploit is publicly available.

This vulnerability is part of broader research called "IDEsaster: A Novel Vulnerability Class in AI IDEs," which identified similar flaws across multiple AI coding assistants. Dustin Childs of the Zero Day Initiative warns: "I expect we'll see many more bugs like these in 2026."

CVE-2025-54100: PowerShell Remote Code Execution

CVE-2025-54100 (CVSS 7.8) is a command injection flaw in PowerShell. Scripts embedded in webpages can execute when fetched via the Invoke-WebRequest cmdlet.

Microsoft's fix adds a warning prompting users to add the -UseBasicParsing flag. This is particularly concerning given PowerShell's extensive use in offensive tooling and security automation scripts.

Full Vulnerability Breakdown

This month's 57 vulnerabilities break down as follows:

28 Elevation of Privilege — Including the actively exploited CVE-2025-62221

19 Remote Code Execution — Two rated Critical (both in Microsoft Office)

4 Information Disclosure

3 Denial of Service

2 Spoofing

2 Critical severity — Both RCE flaws in Microsoft Office

Critical Microsoft Office Vulnerabilities

Two Critical-rated vulnerabilities in Microsoft Office deserve attention: CVE-2025-62554 and CVE-2025-62557 (both CVSS 8.4). These are type confusion and use-after-free bugs that allow arbitrary code execution via malicious documents.

The Office Preview Pane is an attack vector—simply previewing a malicious document in Outlook or Explorer can trigger exploitation. Email-based attacks don't require victims to click links; receiving and previewing a message is sufficient.

2025: A Record-Breaking Year for Patches

With December's release, Microsoft patched approximately 1,139-1,150 CVEs in 2025—the second-largest annual volume in company history, trailing 2020 by only 11 CVEs. This marks the second consecutive year Microsoft has exceeded 1,000 patches, reflecting both increasing software complexity and improved vulnerability discovery.

Other Notable Security Updates This Week

Microsoft isn't the only vendor releasing critical patches this week:

Fortinet: Two critical CVSS 9.1 flaws (CVE-2025-59718, CVE-2025-59719) enabling FortiCloud SSO bypass

Ivanti: CVSS 9.6 stored XSS flaw in Endpoint Manager

Notepad++: Critical flaw in v8.8.9 reportedly being exploited in China

Android: December security bulletin includes two actively exploited flaws

Recommended Actions

Security teams should prioritize the following:

1. Patch CVE-2025-62221 immediately — Active exploitation makes this your top priority

2. Update all Windows systems — Both client and server editions

3. Update GitHub Copilot for JetBrains — If using AI coding tools in your development environment

4. Review PowerShell scripts — Audit usage of Invoke-WebRequest without -UseBasicParsing

5. Plan for holiday staffing — Don't delay due to year-end; automate where possible

With year-end holidays approaching, security teams may face reduced staffing. However, the active exploitation of CVE-2025-62221 makes immediate action critical. Consider automated patch deployment where testing permits, and ensure incident response procedures are documented for skeleton crews. Threat actors don't take holidays—neither should your patch management.

Learn More

For background on the security concepts mentioned in this article, see our Learn section: What is a Zero-Day? covers vulnerability disclosure and exploitation timelines. Our guide on Encryption Explained provides context on the cryptographic protections these patches help maintain.

← Back to All News