Microsoft concluded 2025 with its December Patch Tuesday, releasing critical updates to address 56 security vulnerabilities across its product ecosystem. This significant release includes one zero-day vulnerability that has already been exploited in the wild, alongside two other publicly disclosed zero-days, underscoring the ongoing need for prompt patching.

Key Takeaways

• Microsoft patched a total of 56 vulnerabilities, with three rated Critical and 53 rated Important.

• One actively exploited zero-day (CVE-2025-62221) in the Windows Cloud Files Mini Filter Driver requires immediate attention.

• Two other zero-days, CVE-2025-54100 (PowerShell) and CVE-2025-64671 (GitHub Copilot for JetBrains), were also addressed.

• The company has now patched over 1,000 vulnerabilities for the second consecutive year.

Actively Exploited Zero-Day Threatens Windows Systems

The most urgent fix addresses CVE-2025-62221, a privilege escalation vulnerability within the Windows Cloud Files Mini Filter Driver. This flaw allows a local attacker with existing access to elevate their privileges to SYSTEM, granting them complete control over the affected system. Due to its active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated its patching for Federal Civilian Executive Branch agencies by December 30, 2025.

New Zero-Days in PowerShell and AI Development Tools

Microsoft also resolved two other publicly known zero-day vulnerabilities. CVE-2025-54100 is a command injection flaw in Windows PowerShell that could allow an attacker to execute arbitrary code by tricking a user into running a malicious PowerShell command.

Additionally, CVE-2025-64671 addresses a command injection vulnerability in GitHub Copilot for JetBrains. This issue highlights emerging security risks associated with AI-integrated development environments, where malicious inputs could bypass security measures and lead to code execution. This vulnerability is part of a broader class of issues researchers have termed "IDEsaster."

Broader Vulnerability Landscape and Annual Tally

Beyond the zero-days, the December update includes a range of vulnerabilities, such as privilege escalation, remote code execution, information disclosure, denial-of-service, and spoofing flaws. Microsoft's total patched vulnerabilities for 2025 reached 1,275, marking the third time in Patch Tuesday's history that the company has addressed over 1,000 CVEs in a single year. Security professionals are urged to prioritize these updates to mitigate risks from both known and actively exploited threats.

Sources

• Microsoft Issues Security Fixes for 56 Flaws, Including Active Exploit and Two Zero-Days, The Hacker News.

• Microsoft ends year with patch for exploited zero day, Techzine Global.

• Microsoft Patch Tuesday, December 2025 Edition – Krebs on Security, Krebs on Security.

• Microsoft December 2025 Patch Tuesday Fixes 50+ Vulnerabilities, Including 3 Zero-Day Flaws, LinkedIn.

• Microsoft issues major update to patch 56 security flaws, Businessday NG.