Microsoft Patches 3 Zero-Days, 57 Flaws in December Update

Microsoft’s December 2025 Patch Tuesday security release addresses a total of 57 distinct vulnerabilities, a critical monthly update for system administrators. This batch includes fixes for three zero-day flaws, with one confirmed as actively exploited by attackers and two others that were publicly disclosed prior to a patch being available. Among the resolved issues are three critical remote code execution vulnerabilities that demand immediate attention. The breakdown of the patched flaws includes 28 elevation of privilege vulnerabilities, 19 remote code execution bugs, 4 information disclosure issues, 3 denial of service flaws, and 2 spoofing vulnerabilities. It is important to note that this count pertains specifically to updates released on Patch Tuesday and does not include the 15 Microsoft Edge flaws or Mariner vulnerabilities patched earlier in the month.

The single actively exploited zero-day is tracked as CVE-2025-62221, a privilege elevation vulnerability in the Windows Cloud Files Mini Filter Driver. Microsoft describes it as a “use after free” flaw that permits an authorized attacker to elevate privileges locally, ultimately granting SYSTEM-level access. The Microsoft Threat Intelligence Center and Microsoft Security Response Center discovered the issue, though specific details on the exploitation methods have not been publicly shared.

The two publicly disclosed zero-days are also significant. The first, CVE-2025-64671, is a remote code execution vulnerability in GitHub Copilot for Jetbrains. This command injection flaw could allow an unauthorized attacker to execute code locally through a malicious Cross Prompt Injection in untrusted files or MCP servers. Researcher Ari Marzuk disclosed this vulnerability as part of a report on a novel class of AI IDE vulnerabilities. The second, CVE-2025-54100, is a PowerShell remote code execution vulnerability. It could cause scripts embedded in a webpage to be executed when the page is retrieved using the `Invoke-WebRequest` cmdlet. Microsoft has implemented a warning prompt that recommends using the `-UseBasicParsing` switch to prevent unintended code execution.

For organizations, applying these updates promptly is a fundamental security practice. Delays in patching can leave systems exposed to known exploits, particularly for the actively exploited zero-day and the critical remote code execution flaws in Microsoft Office components like Outlook. The comprehensive list of patched software is extensive, covering core Windows components, Microsoft Office applications, Azure services, Exchange Server, and development tools like GitHub Copilot.

A complete table of the resolved vulnerabilities, including their CVE identifiers, titles, and severity ratings, is provided below for detailed reference. This list enables IT teams to cross-reference their environments and prioritize deployments based on the specific products and services they operate. Consistent and timely application of these security updates remains the most effective defense against potential attacks leveraging these now-public vulnerabilities.

CVE Vulnerabilities Table

(Source: NewsAPI Tech Headlines)