Microsoft Patches 56 Flaws, Including Two Zero-Days Under Active Attack

Summary
– Microsoft’s December 2025 security update patched 56 flaws, including one actively exploited vulnerability and two publicly known issues.
– The most critical patched flaw (CVE-2025-62221) is a privilege escalation bug in a Windows Cloud Files driver that has been added to a U.S. government mandatory-patch catalog.
– Two other notable zero-day vulnerabilities were patched: a command injection flaw in Windows PowerShell and one in GitHub Copilot for JetBrains.
– The GitHub Copilot vulnerability relates to broader security risks, dubbed “IDEsaster,” involving AI agents in development tools being tricked into running commands.
– In total, Microsoft addressed 1,275 security vulnerabilities in 2025, marking the third year it has patched over 1,000 flaws.
Microsoft has released its final security update for 2025, addressing a total of 56 newly identified vulnerabilities across its product ecosystem. This Patch Tuesday rollout includes fixes for three critical flaws and 53 issues rated as important, with two of the vulnerabilities already under active attack by malicious actors. The update brings the annual total of patched flaws to over 1,275, continuing a multi-year trend of addressing more than a thousand security issues each year.
The most pressing concern is CVE-2025-62221, a privilege escalation flaw in the Windows Cloud Files Mini Filter Driver that attackers are already exploiting. This vulnerability, which carries a CVSS score of 7.8, is a use-after-free bug that could allow an authenticated attacker to gain SYSTEM-level permissions on a compromised machine. The Cloud Files minifilter is a core Windows component used by services like OneDrive and iCloud, meaning it is present even on systems without those applications installed. Successful exploitation requires an attacker to first gain a foothold on the system through methods like phishing or another exploit, after which they can chain this flaw to take full control. Because of the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by December 30, 2025.
Another significant patched flaw is CVE-2025-54100, a command injection vulnerability in Windows PowerShell. This issue allows an unauthenticated attacker to execute arbitrary code in the security context of a user who runs a crafted command, such as Invoke-WebRequest. The risk escalates when combined with social engineering, as an attacker could trick a user into running a malicious PowerShell snippet, leading to code execution and the deployment of malware.
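The two Windows issues above map to two routine defender tasks: confirming that the Cloud Files minifilter is present (the article notes it ships with Windows regardless of whether OneDrive or iCloud is installed) so the host is in scope for patching, and watching PowerShell script block logs for the download-and-execute one-liners a user could be socially engineered into running. The script below is an added example written for this page; it is not code from The Hacker News, Microsoft, or CISA. It assumes an elevated PowerShell session on a Windows host with Script Block Logging enabled (Microsoft-Windows-PowerShell/Operational, Event ID 4104). The fixed driver version and the December 2025 KB number are not given in the article, so the inventory function reports what is installed and leaves the comparison to the reader; the `KB<DEC-2025-CU>` string is a placeholder to fill in from Microsoft's advisory.

```powershell
# Added example (not from the article or the vendors): inventory the Cloud
# Files minifilter and look for Invoke-WebRequest + Invoke-Expression chains
# in script block logs. Assumptions: elevated session, Script Block Logging on.

function Get-CloudFilesDriverStatus {
    # cldflt.sys is the Cloud Files Mini Filter. It is part of Windows itself,
    # so it is present (and in scope for CVE-2025-62221) even without OneDrive.
    $driver  = Get-CimInstance -ClassName Win32_SystemDriver `
                   -Filter "Name='cldflt'" -ErrorAction SilentlyContinue
    $path    = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    $version = if (Test-Path $path) { (Get-Item $path).VersionInfo.ProductVersion } else { $null }

    # Placeholder KB: replace with the December 2025 cumulative update ID
    # from Microsoft's advisory before relying on this field.
    $fix = Get-HotFix -Id 'KB<DEC-2025-CU>' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        DriverPresent = [bool]$driver
        State         = if ($driver) { $driver.State } else { 'not registered' }
        FileVersion   = $version
        FixInstalled  = [bool]$fix
        LatestHotFix  = (Get-HotFix | Sort-Object InstalledOn -Descending |
                         Select-Object -First 1).InstalledOn
    }
}

function Find-SuspiciousWebRequestScriptBlocks {
    param([int]$MaxEvents = 5000)
    # Event 4104 carries the text of each executed script block. Flag blocks
    # that fetch remote content (Invoke-WebRequest or its Windows PowerShell
    # aliases) and feed it to an expression evaluator in the same block. This
    # targets the social-engineering delivery pattern described for
    # CVE-2025-54100, not the injection bug itself; patching is the fix.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $text = [string]$e.Properties[2].Value   # ScriptBlockText
        if ($text -match '(?i)\b(Invoke-WebRequest|iwr|curl|wget)\b' -and
            $text -match '(?i)\b(Invoke-Expression|iex)\b') {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $e.TimeCreated
                UserSid = $e.UserId
                Snippet = $flat.Substring(0, [Math]::Min(160, $flat.Length))
            }
        }
    }
}

# Usage:
Get-CloudFilesDriverStatus | Format-List
Find-SuspiciousWebRequestScriptBlocks | Format-Table -AutoSize
```

Run the first function across a fleet (for example through Invoke-Command) to build the patch-scope list; a host where `DriverPresent` is true and `FixInstalled` is false is still exposed. The second function is a triage aid rather than a signature: legitimate installers also pipe web content to Invoke-Expression, so review hits by user and time rather than alerting on them blindly.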
The updates also cover a vulnerability in GitHub Copilot for JetBrains, tracked as CVE-2025-64671. This command injection flaw, with a CVSS score of 8.4, is part of a broader set of security risks recently disclosed in AI-integrated development environments, dubbed “IDEsaster.” These attacks use prompt injection techniques against AI agents within IDEs, potentially leading to information disclosure or command execution. The researcher who discovered the flaw noted that multiple IDEs were found vulnerable to similar attacks, including Cursor, JetBrains Junie, and others.
Beyond these highlighted issues, the latest patch batch addresses 29 privilege escalation flaws, 18 remote code execution bugs, four information disclosure weaknesses, three denial-of-service issues, and two spoofing vulnerabilities. Microsoft also resolved 17 additional shortcomings in its Chromium-based Edge browser since the last Patch Tuesday, including a spoofing vulnerability in Edge for iOS.
This coordinated security effort underscores the continuous challenge of securing complex software ecosystems. Administrators and users are strongly advised to apply these updates promptly to protect systems from known exploits and emerging attack chains that leverage multiple vulnerabilities.
(Source: The Hacker News)
