Microsoft December Patch Tuesday Addresses Multiple Actively Exploited Vulnerabilities
Microsoft released its December Patch Tuesday updates, addressing a total of 57 CVEs, including several critical vulnerabilities that have been actively exploited. Among the most notable is CVE-2025-62221, a Windows Cloud Files Mini Filter Driver flaw rated 7.8 on the CVSS scale, which allows local privilege escalation if an attacker already has code execution on the system. Microsoft confirmed this vulnerability is being exploited as a zero-day, underscoring the urgency for organizations to apply the patch. Additional high-severity vulnerabilities include a PowerShell Remote Code Execution flaw (CVE-2025-54100) and a GitHub Copilot for Jetbrains bug (CVE-2025-64671), both of which are publicly known but not yet observed in active exploitation.
Separately, Microsoft also issued a fix for CVE-2025-9491, a high-severity vulnerability in Windows LNK files that has been actively exploited by both state-sponsored and cybercriminal groups. This flaw enables attackers to embed malicious commands in shortcut files, facilitating malware deployment and persistent access to compromised systems. Security experts emphasize the importance of prioritizing these patches, as the vulnerabilities are being leveraged in real-world attacks and could lead to significant compromise if left unaddressed.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Microsoft releases December Patch Tuesday updates
Microsoft issued patches for 57 CVEs in its December 2025 Patch Tuesday release. The update included fixes for one actively exploited zero-day, CVE-2025-62221, a local privilege escalation flaw in the Windows Cloud Files Mini Filter Driver.
Notepad++ releases v8.8.9 to fix exploited updater flaw
Notepad++ published version 8.8.9 to remediate a critical updater vulnerability that attackers in China had been exploiting to hijack update traffic and deliver malware. The release was highlighted alongside other December 2025 security fixes.
Ivanti fixes critical Endpoint Manager XSS vulnerability
Ivanti patched CVE-2025-10573, a critical cross-site scripting flaw in Endpoint Manager that could enable remote code execution and session hijacking. Researchers warned that exploitation could let attackers compromise all managed endpoints, though no active attacks were reported at disclosure.
Fortinet patches two critical authentication bypass flaws
Fortinet released fixes for CVE-2025-59718 and CVE-2025-59719, two critical authentication bypass vulnerabilities affecting multiple products when FortiCloud SSO login is enabled. The issues were disclosed as part of the December 2025 patch cycle.
Microsoft fixes exploited Windows LNK vulnerability in November updates
Microsoft addressed CVE-2025-9491 in its November 2025 security updates by changing LNK file behavior to block the shortcut-file abuse technique. The patch followed reports of active exploitation by multiple threat actors.
Multiple threat groups exploit Windows LNK flaw CVE-2025-9491
At least 11 state-sponsored and cybercriminal groups, including Evil Corp, Bitter, APT37, APT43, Mustang Panda, SideWinder, RedHotel, and Konni, exploited CVE-2025-9491 in Windows LNK files to hide malicious commands and deliver malware such as Ursnif, Gh0st RAT, Trickbot, and PlugX RAT. The flaw enabled stealthy malware deployment and persistence through padded shortcut Target fields.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patch Tuesday December 2025 Addresses Actively Exploited Zero-Days
Microsoft released its December 2025 Patch Tuesday updates, addressing 57 security vulnerabilities across Windows 10, Windows 11, Windows Server, Office, and related services. Among these, three zero-day vulnerabilities were highlighted: CVE-2025-62221, an actively exploited privilege escalation flaw in the Windows Cloud Files Mini Filter Driver; CVE-2025-64671, a remote code execution vulnerability in GitHub Copilot for JetBrains; and CVE-2025-54100, a remote code execution issue in Windows PowerShell. The update also introduced a new warning in PowerShell to alert users when the `Invoke-WebRequest` command fetches web pages without safe parameters, aiming to prevent script-based attacks that exploit unsafe web content retrieval. Throughout 2025, Microsoft addressed a total of 1,130 CVEs via Patch Tuesday releases, with 41 zero-day vulnerabilities patched, including 24 that were exploited in the wild. Elevation of Privilege and Remote Code Execution vulnerabilities made up the majority of the year's patches, reflecting ongoing attacker focus on these vectors. The December update continues Microsoft's trend of prioritizing critical and important vulnerabilities, reinforcing the need for organizations to promptly apply security updates to mitigate active threats.
Mar 21, 2026
Microsoft December 2025 Patch Tuesday Addresses Zero-Days and 57 Vulnerabilities
Microsoft released its December 2025 Patch Tuesday updates, addressing 57 security vulnerabilities across its product suite, including three zero-day flaws. Among the most critical issues patched is CVE-2025-62221, an actively exploited elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver, which could allow attackers to gain SYSTEM privileges. The updates also include a fix for a remote code execution zero-day in PowerShell (CVE-2025-54100), which now prompts users with a security warning when using the `Invoke-WebRequest` command, and other critical vulnerabilities affecting Windows 10 and 11, as well as related server products. The updates are mandatory for supported systems, including those enrolled in the Extended Security Update (ESU) program, and require a system restart upon installation. CISA has added CVE-2025-62221 to its Known Exploited Vulnerabilities Catalog, urging all organizations to prioritize remediation due to evidence of active exploitation. Security advisories and technical analyses from multiple sources highlight the importance of promptly applying these patches, as the vulnerabilities present significant risks for privilege escalation and remote code execution. The December update also marks the continued support for Windows 10 through ESU, with no new features introduced, focusing solely on security and bug fixes. Organizations are advised to review the full list of addressed CVEs and ensure all relevant systems are updated to mitigate potential threats.
Mar 21, 2026
Active Exploitation of Windows Cloud Files Mini Filter Driver and WinRAR Vulnerabilities
Microsoft released security updates addressing 56 vulnerabilities across its Windows platform, including a critical use-after-free flaw in the Windows Cloud Files Mini Filter Driver (CVE-2025-62221) that has been actively exploited in the wild. This vulnerability allows local attackers to escalate privileges to SYSTEM level, posing a significant risk to Windows systems, especially those using cloud storage features like OneDrive, Google Drive, or iCloud. The December 2025 Patch Tuesday also included fixes for other critical and important vulnerabilities, with Microsoft having patched over 1,000 CVEs for the second consecutive year. CISA has added both CVE-2025-62221 and CVE-2025-5618 to its Known Exploited Vulnerabilities (KEV) catalog, highlighting their active exploitation and the urgent need for remediation. CVE-2025-5618 is a directory traversal remote code execution vulnerability in WinRAR, allowing attackers to craft malicious archives that bypass directory restrictions and execute arbitrary code upon extraction. Both vulnerabilities are being leveraged in real-world attacks, prompting federal agencies and organizations to prioritize patching to prevent persistence, lateral movement, and data exfiltration by threat actors.
Mar 21, 2026