Microsoft December 2025 Patch Tuesday Addresses Zero-Days and 57 Vulnerabilities
Microsoft released its December 2025 Patch Tuesday updates, addressing 57 security vulnerabilities across its product suite, including three zero-day flaws. Among the most critical issues patched is CVE-2025-62221, an actively exploited elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver, which could allow attackers to gain SYSTEM privileges. The updates also include a fix for a remote code execution zero-day in PowerShell (CVE-2025-54100), which now prompts users with a security warning when using the Invoke-WebRequest command, and other critical vulnerabilities affecting Windows 10 and 11, as well as related server products. The updates are mandatory for supported systems, including those enrolled in the Extended Security Update (ESU) program, and require a system restart upon installation.
CISA has added CVE-2025-62221 to its Known Exploited Vulnerabilities Catalog, urging all organizations to prioritize remediation due to evidence of active exploitation. Security advisories and technical analyses from multiple sources highlight the importance of promptly applying these patches, as the vulnerabilities present significant risks for privilege escalation and remote code execution. The December update also marks the continued support for Windows 10 through ESU, with no new features introduced, focusing solely on security and bug fixes. Organizations are advised to review the full list of addressed CVEs and ensure all relevant systems are updated to mitigate potential threats.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
National and industry advisories urge rapid patching of CVE-2025-62221
On and after 2025-12-09, organizations including the Canadian Centre for Cyber Security and JPCERT/CC issued advisories highlighting active exploitation of CVE-2025-62221. They urged administrators to review Microsoft's guidance and prioritize deployment of the December security updates.
CISA adds CVE-2025-6218 and CVE-2025-62221 to KEV catalog
On 2025-12-09, CISA added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2025-6218 in WinRAR and CVE-2025-62221 in Microsoft Windows. CISA directed federal civilian agencies to remediate them by the required deadline under Binding Operational Directive 22-01.
Microsoft releases Windows 10 KB5071546 extended security update
On 2025-12-09, Microsoft released Windows 10 ESU update KB5071546 for eligible Enterprise LTSC and ESU customers. The update addressed the December security vulnerabilities, including zero-days, and advanced systems to builds 19045.6691 or 19044.6691 depending on version.
Microsoft releases Windows 11 December cumulative updates
On 2025-12-09, Microsoft published Windows 11 cumulative updates KB5072033 and KB5071417 for supported versions. The mandatory updates included security fixes, bug fixes, and feature improvements, and Microsoft said no optional December preview updates would be released because of the holiday period.
Microsoft updates PowerShell behavior to mitigate CVE-2025-54100
With the December 2025 security updates, Microsoft changed PowerShell 5.1 behavior so Invoke-WebRequest warns users and recommends the -UseBasicParsing switch. The change was introduced to reduce exploitation risk from the publicly disclosed PowerShell zero-day CVE-2025-54100.
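Since the patched Invoke-WebRequest now warns and recommends -UseBasicParsing, it helps to find script calls that omit the switch. The following is an added example, not code from Microsoft or from this page: it parses script text with the PowerShell AST and lists such calls. The function name, the sample script, and the example.test URLs are constructed for illustration.

```powershell
# Added example: list Invoke-WebRequest calls that omit -UseBasicParsing.
# Constructed sample script; example.test is a reserved placeholder domain.
$sample = @'
Invoke-WebRequest -Uri https://example.test/a.json -UseBasicParsing
iwr https://example.test/b.html
curl -Uri https://example.test/c -UseB
$r = wget https://example.test/d -OutFile d.bin
'@

function Find-IwrWithoutBasicParsing {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ScriptText)

    # Names that resolve to Invoke-WebRequest in Windows PowerShell 5.1.
    $names = 'Invoke-WebRequest', 'iwr', 'curl', 'wget'

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Collect every command invocation, including ones in nested script blocks.
    $commands = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst]
    }, $true)

    foreach ($cmd in $commands) {
        # GetCommandName() is $null for dynamic names (& $var); those are skipped.
        if ($cmd.GetCommandName() -notin $names) { continue }

        $hasSwitch = $false
        foreach ($el in $cmd.CommandElements) {
            if ($el -isnot [System.Management.Automation.Language.CommandParameterAst]) { continue }
            # Accept unambiguous abbreviations: "UseB" is the shortest prefix
            # that does not collide with -UseDefaultCredentials.
            $p = $el.ParameterName
            if ($p.Length -ge 4 -and
                'UseBasicParsing'.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) {
                $hasSwitch = $true
            }
        }
        # Limitation: splatted parameters (@params) and -UseBasicParsing:$false
        # are not evaluated; review those calls by hand.
        if (-not $hasSwitch) {
            [pscustomobject]@{ Line = $cmd.Extent.StartLineNumber; Command = $cmd.Extent.Text }
        }
    }
}

Find-IwrWithoutBasicParsing -ScriptText $sample
```

To audit files on disk, pass each script's contents with `Get-Content -Raw` as `-ScriptText`.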
Microsoft patches Office Preview Pane RCE flaws
As part of the 2025-12-09 release, Microsoft fixed critical Microsoft Office vulnerabilities CVE-2025-62554 and CVE-2025-62557. Multiple reports said these flaws could enable code execution through the Outlook Preview Pane or specially crafted emails, including low- or no-click attack scenarios.
Microsoft releases December 2025 Patch Tuesday security updates
On 2025-12-09, Microsoft released its December 2025 Patch Tuesday updates, fixing roughly 56-57 vulnerabilities across Windows, Office, PowerShell, Exchange, and other products. The release included three zero-days, with CVE-2025-62221 in the Windows Cloud Files Mini Filter Driver confirmed as actively exploited in the wild.
Microsoft's November Patch Tuesday introduces first Windows 10 ESU updates
In November 2025, Microsoft released the first Windows 10 Extended Security Updates (ESU) and patched a Windows Kernel zero-day, CVE-2025-62215. Microsoft also issued out-of-band fixes for Windows Update, XAML-dependent apps, a .LNK vulnerability, and an Excel attachment issue in the new Outlook client.


