Microsoft Wraps 2025 Patch Tuesday With Fixes for 3 Zero-Days

Microsoft ended 2025 with its final Patch Tuesday release, issuing fixes for 56 vulnerabilities across Windows, Office and several other products. The December update includes three zero-day flaws — one confirmed to be under active attack and two that were publicly disclosed before patches became available.

The smaller list of fixes wraps up a year in which Microsoft addressed 1,275 vulnerabilities. Security researchers said that, even with a light month, IT teams should move quickly to address the exploited zero-day and two critical Office issues that can be triggered through the Preview Pane.

Zero-Day Fixes Lead December Update
The most urgent patch this month covers CVE-2025-62221, an elevation-of-privilege bug in the Windows Cloud Files Mini Filter Driver. Microsoft confirmed the flaw is already being weaponized. The use-after-free condition gives low-privileged attackers a route to SYSTEM-level access once they have a foothold.

"The real impact of this vulnerability emerges when attackers chain it with other weaknesses," said Mike Walters, president and co-founder of Action1. "After gaining low-privileged access through phishing, a browser exploit, or an application RCE, they can use CVE-2025-62221 to escalate to SYSTEM and take full control of the host."

The Cloud Files Mini Filter Driver, which supports cloud storage features tied to OneDrive and similar services, operates deep inside the Windows kernel. That position makes the impact of exploitation severe, giving attackers full control of affected machines. All supported Windows versions are vulnerable, including Windows 10 version 1809, the latest Windows 11 releases and Windows Server 2025.

A second zero-day, CVE-2025-54100, affects Windows PowerShell and involves a command injection issue that became public before Microsoft released a fix. Attackers could run arbitrary code when users execute commands such as Invoke-WebRequest to retrieve Web content.

To close the gap, Microsoft modified PowerShell so that users now receive a warning when Invoke-WebRequest is invoked. Continuing the command requires adding the -UseBasicParsing parameter. Administrators may need to adjust automated scripts and scheduled tasks that depend on the cmdlet.
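For administrators auditing scripts ahead of that change, the following is an added example (not from the article or from Microsoft) that uses PowerShell's own parser to list Invoke-WebRequest calls that do not pass -UseBasicParsing. The function name `Find-IwrWithoutBasicParsing` is hypothetical and the sample script is constructed for illustration.

```powershell
# Names that resolve to Invoke-WebRequest in Windows PowerShell 5.1 (cmdlet plus built-in aliases).
$IwrNames = 'Invoke-WebRequest', 'iwr', 'curl', 'wget'

function Find-IwrWithoutBasicParsing {   # hypothetical helper name, not a built-in cmdlet
    param([Parameter(Mandatory)] [string] $ScriptText, [string] $Source = '<inline>')
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors) { Write-Warning "${Source}: parse errors, results may be incomplete" }
    # Every command invocation, including ones nested in functions and script blocks.
    $commands = $ast.FindAll(
        { param($n) $n -is [System.Management.Automation.Language.CommandAst] }, $true)
    foreach ($cmd in $commands) {
        if ($IwrNames -notcontains $cmd.GetCommandName()) { continue }
        # Parameter names can be abbreviated: -UseB is enough to tell the switch apart
        # from -UseDefaultCredentials and -UserAgent. An explicit :$false does not count.
        $hasSwitch = $cmd.CommandElements | Where-Object {
            $_ -is [System.Management.Automation.Language.CommandParameterAst] -and
            $_.ParameterName.Length -ge 4 -and
            'UseBasicParsing'.StartsWith($_.ParameterName, [StringComparison]::OrdinalIgnoreCase) -and
            ($null -eq $_.Argument -or $_.Argument.Extent.Text -ne '$false')
        }
        if ($hasSwitch) { continue }
        # Splatted arguments (@opts) cannot be resolved statically, so mark them for manual review.
        $splatted = $cmd.CommandElements | Where-Object {
            $_ -is [System.Management.Automation.Language.VariableExpressionAst] -and $_.Splatted
        }
        [pscustomobject]@{
            Source = $Source
            Line   = $cmd.Extent.StartLineNumber
            Review = if ($splatted) { 'splatted arguments: check the hashtable' }
                     else { 'missing -UseBasicParsing' }
            Text   = $cmd.Extent.Text
        }
    }
}

# Constructed sample script; example.test is a reserved test domain.
$sample = @'
Invoke-WebRequest -Uri https://example.test/feed.xml -OutFile feed.xml
iwr https://example.test/a.zip -UseBasicParsing -OutFile a.zip
$opts = @{ Uri = 'https://example.test/b' }
curl @opts
function Get-Status { (wget -Uri https://example.test/health -UseB).StatusCode }
'@

Find-IwrWithoutBasicParsing -ScriptText $sample -Source 'sample.ps1' | Format-Table -AutoSize
```

To audit real files, pass each script's contents (read with `Get-Content -Raw`) as `-ScriptText`; commands built at run time, such as `& $cmd` or strings handed to `Invoke-Expression`, are not visible to this static check.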

The final zero-day, CVE-2025-64671, targets GitHub Copilot for JetBrains IDEs. The command injection flaw stems from malicious cross-prompt interactions in untrusted files or Model Context Protocol servers. Although the issue was publicly disclosed, Microsoft said it has not observed active exploitation.

Critical Office Preview Pane Vulnerabilities
Alongside the zero-days, Microsoft patched two critical remote code execution vulnerabilities in Office: CVE-2025-62554 and CVE-2025-62557. Both can be triggered through Outlook's Preview Pane. In practice, that means a user could scroll past a crafted message or file and unintentionally trigger malicious code.

Tyler Reguly, associate director of security R&D at Fortra, pointed out that these vulnerabilities mark the 11th straight month of critical Office flaws tied to the Preview Pane.

"Vulnerabilities that don't rely on user interaction are vulnerabilities that we want to pay attention to," Reguly said. He advised CISOs to keep the two Office flaws in mind as they plan 2026 email security investments.

The Office bugs are use-after-free issues and have CVSS scores of 8.4. Microsoft rated exploitation as "Less Likely," though the lack of required clicks raises the overall risk.

Year Ends With Smaller Patch Load
With 56 vulnerabilities addressed in December, the month represents a noticeable drop from the roughly 106 fixes Microsoft averaged throughout 2025. December's total accounts for about 5.5 percent of yearly patches rather than the expected 8.3 percent.

The contrast is especially sharp when compared with January 2025, which opened the year with 159 vulnerabilities, including eight zero-days. Security teams have spent much of the year navigating a steady flow of critical issues, making December's reduced count a brief reprieve.

The full list of December security bulletins can be found here.


About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
