Microsoft on Tuesday announced patches for 57 vulnerabilities as part of its December 2025 security updates. Three of the bugs are zero-days, but only one is under active exploitation.
The exploited zero-day, tracked as CVE-2025-62221 (CVSS score of 7.8), is described as a use-after-free issue in the Windows Cloud Files Mini Filter Driver.
According to Microsoft, successful exploitation of the security defect could allow attackers to elevate their privileges to SYSTEM on Windows devices.
The company notes that it is aware of this vulnerability being exploited in the wild, but has not shared details on the observed attacks.
A second flaw resolved in the Cloud Files Mini Filter Driver, tracked as CVE-2025-62454 (CVSS score of 7.8) and leading to privilege escalation, is also likely to be exploited in attacks, the tech giant warns.
Microsoft's December 2025 Patch Tuesday updates also draw attention to two command injections leading to remote code execution, patched in Copilot for JetBrains (CVE-2025-64671) and PowerShell (CVE-2025-54100).
Both issues were publicly disclosed before patches were released, but are less likely to be exploited in attacks, the company says. However, proof-of-concept (PoC) code exists for CVE-2025-64671.
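The following is an added example, not part of the original article or of any Microsoft tooling: a read-only PowerShell inventory check a defender can run on a Windows host to see whether the update covering the Cloud Files Mini Filter Driver bugs (CVE-2025-62221, CVE-2025-62454) is present, what version of the driver binary (cldflt.sys, the driver's on-disk name, which the article does not mention) is installed, and which PowerShell engine version is running in relation to CVE-2025-54100. The KB number is a placeholder because the article does not list it; take it from the Microsoft Security Update Guide for your OS build.

```powershell
# Added example, not from the article. Read-only patch-status check for the
# December 2025 Patch Tuesday items discussed above. Run in an elevated
# PowerShell session on the host being checked.

# PLACEHOLDER: the article gives no KB numbers. Replace with the cumulative
# update ID for your Windows build from the Security Update Guide.
$RequiredKBs = @('KB<PLACEHOLDER-DEC-2025-CUMULATIVE-UPDATE>')

# OS identity: version plus the Update Build Revision (UBR), which is what
# changes when a cumulative update is installed.
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = "{0}.{1}" -f $os.Version, $cv.UBR

# Installed hotfixes as Windows reports them. Note: Get-HotFix only lists
# updates registered with the servicing stack, and a cumulative update shows
# up as one KB, so a missing entry is a signal to investigate, not proof.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = @($RequiredKBs | Where-Object { $_ -notin $installed })

# Cloud Files Mini Filter Driver binary. Compare the version against the
# fixed version published with the advisory for your build.
$driverPath    = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
$driverVersion = if (Test-Path $driverPath) {
    (Get-Item $driverPath).VersionInfo.FileVersion
} else {
    'not present'
}

# Is the filter currently loaded? fltmc.exe is the built-in Filter Manager
# control tool; its "filters" listing names loaded minifilters.
$cldfltLoaded = [bool]((fltmc filters 2>$null) -match '^\s*CldFlt\b')

# PowerShell engine version on this host, for the CVE-2025-54100 item. The
# article does not state the fixed version, so this is reported, not judged.
$psVersion = $PSVersionTable.PSVersion.ToString()

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    OSBuild          = $build
    MissingKBs       = if ($missing.Count) { $missing -join ', ' } else { 'none' }
    CldFltVersion    = $driverVersion
    CldFltLoaded     = $cldfltLoaded
    PowerShellEngine = $psVersion
    CheckedAt        = (Get-Date).ToString('s')
}
```

The object it emits can be piped to `Export-Csv` and collected from a fleet; the useful signal for the driver bugs is `CldFltVersion` compared with the advisory's fixed version, since `Get-HotFix` alone cannot tell you whether a superseding cumulative update already contains the fix.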
Microsoft's fresh updates also address 13 vulnerabilities in the Office suite, including two marked as 'critical', although they have a CVSS score of 8.4, making them high-severity issues.
The two flaws, tracked as CVE-2025-62554 and CVE-2025-62557, are described as type confusion and use-after-free bugs that could allow remote attackers to execute arbitrary code.
According to Microsoft, threat actors could exploit the vulnerabilities using social engineering to convince users to click on malicious links. In both cases, Office's Preview Pane is an attack vector.
"In the worst-case email attack scenario, an attacker could send a specially crafted email to the user with no requirement that the victim open, read, or click on the link. This could result in the attacker executing remote code on the victim's machine," Microsoft notes.
Other Microsoft products that received fixes on the December 2025 Patch Tuesday include Visual Studio, Azure Monitor Agent, Hyper-V, Edge for iOS, and Application Information Service.
In 2025, Microsoft has rolled out patches for roughly 1,200 vulnerabilities. This is the second year in a row in which the company has resolved over 1,000 flaws.
Related: Microsoft Silently Mitigated Exploited LNK Vulnerability
Related: Microsoft Patches Actively Exploited Windows Kernel Zero-Day
Related: Microsoft Highlights Security Risks Introduced by New Agentic AI Feature
Related: Microsoft Unveils Security Enhancements for Identity, Defense, Compliance
