SOCRadar® Cyber Intelligence Inc. | December 2025 Patch Tuesday: 3 Zero-Days Fixed, CVE-2025-62221 Actively Exploited
Dec 10, 2025
Jun 03, 2026

December 2025 Patch Tuesday: 3 Zero-Days Fixed, CVE-2025-62221 Actively Exploited

Microsoft has released its December 2025 Patch Tuesday updates, addressing 57 security vulnerabilities across Windows, Office, and other Microsoft components. This month’s rollout includes three zero-day vulnerabilities – one actively exploited and two publicly disclosed – alongside three critical-rated flaws that require immediate attention.

Vulnerability Breakdown by Type:

The December patch cycle once again highlights Microsoft’s focus on Elevation of Privilege (EoP) and Remote Code Execution (RCE) flaws, which together account for the majority of the vulnerabilities fixed this month.

Zero-Day Vulnerabilities Addressed in December 2025

The December 2025 Patch Tuesday updates include three zero-day vulnerabilities – one that attackers are already exploiting and two that were publicly disclosed ahead of the patch release. All three can enable local privilege escalation or code execution, making them high-priority fixes.

CVE-2025-62221 (CVSS 7.8) – Windows Cloud Files Mini Filter Driver Elevation of Privilege

Microsoft patched a memory-safety flaw in the Cloud Files Mini Filter Driver (cldflt.sys) that attackers are actively exploiting to obtain SYSTEM. An attacker who already has local code execution on the device can abuse the bug to move from an ordinary user context to the highest privilege level on that host.

Details of CVE-2025-62221 (SOCRadar Labs, CVE Radar)


Because the bug slots neatly into post-compromise attack chains (initial access via phishing or a web exploit, then this driver bug to reach SYSTEM) and is already being exploited, CISA has added CVE-2025-62221 to the Known Exploited Vulnerabilities (KEV) catalog with a remediation deadline of December 30, 2025.

Affected organizations should treat this zero-day as an immediate patching priority. Note that the Cloud Files minifilter ships with Windows and may be loaded even on hosts that do not use OneDrive or another cloud file synchronization client, so do not scope the rollout to OneDrive users; check whether the filter is loaded rather than assuming.
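The following PowerShell script is an added example, not code from the SOCRadar post or from Microsoft. It reports whether a host actually loads the cldflt minifilter (the component CVE-2025-62221 lives in), prints the OS build and UBR, and compares installed hotfixes against a list the operator supplies. The KB ID and minimum UBR values are placeholders, not taken from the advisory; fill them in from Microsoft's December 2025 release note for your OS build.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the SOCRadar post or from Microsoft): report whether this
# host loads the Cloud Files minifilter (cldflt) that CVE-2025-62221 affects, and
# whether the expected December 2025 update is present.
# Assumptions (placeholders, not from the advisory): $RequiredKb and $MinimumUbr
# must be filled in from Microsoft's release note for your OS build.
[CmdletBinding()]
param(
    [string[]] $RequiredKb = @('KB0000000'),   # placeholder KB ID(s)
    [int]      $MinimumUbr = 0                 # placeholder patched UBR for this build
)

function Get-CloudFilesFilterState {
    # fltmc.exe lists minifilters currently attached to Filter Manager (needs admin).
    $loaded = @(& fltmc.exe filters 2>$null) -match '^\s*cldflt\b'
    $driver = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    $ver = if (Test-Path $driver) { (Get-Item $driver).VersionInfo.FileVersion } else { $null }
    [pscustomobject]@{
        FilterLoaded  = [bool]$loaded
        DriverPresent = (Test-Path $driver)
        DriverVersion = $ver
    }
}

function Get-OsBuildInfo {
    # CurrentBuild + UBR is the build number Microsoft cites in each cumulative
    # update; it is a more reliable patch indicator than Get-HotFix alone.
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = [int]$nt.CurrentBuild
        UBR   = [int]$nt.UBR
        Full  = "$($nt.CurrentBuild).$($nt.UBR)"
    }
}

function Test-RequiredHotfix {
    param([string[]] $KbIds)
    $installed = @(Get-HotFix | ForEach-Object HotFixID)
    foreach ($kb in $KbIds) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

$filter = Get-CloudFilesFilterState
$os     = Get-OsBuildInfo
$filter, $os | Format-List

$missing  = @(Test-RequiredHotfix -KbIds $RequiredKb | Where-Object { -not $_.Installed })
$belowUbr = $os.UBR -lt $MinimumUbr

if ($filter.FilterLoaded -and ($missing.Count -gt 0 -or $belowUbr)) {
    Write-Warning ("cldflt is loaded on build {0}; missing updates: {1}" -f $os.Full,
                   (($missing | ForEach-Object KB) -join ', '))
    exit 1
}
"Checked: cldflt loaded={0}, build={1}, required updates present." -f $filter.FilterLoaded, $os.Full
```

Run it elevated (fltmc needs administrator rights) and feed the output to your inventory: a host where cldflt is not loaded and the driver file is absent is far less urgent than one where the filter is attached and the build is still below the patched UBR. Get-HotFix is kept only as a secondary signal, since cumulative updates do not always surface there the way the KB list suggests.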

CVE-2025-64671 (CVSS 8.4) – Copilot Local Command Injection

One of the publicly disclosed zero-days affects Copilot, where certain command inputs weren’t being sanitized properly. In practical terms, an attacker could craft a file or prompt sequence that causes Copilot to run additional commands on the local machine.

Although Microsoft classifies it as “Remote Code Execution,” exploitation still requires local execution – meaning the attacker must trick a user into opening the malicious file or interacting with a manipulated prompt. This makes broad exploitation less likely, but environments that rely heavily on Copilot for automation should patch quickly.

Details of CVE-2025-64671 (SOCRadar Labs, CVE Radar)


CVE-2025-54100 (CVSS 7.8) – PowerShell Local Command Injection

The second disclosure affects PowerShell, specifically the Invoke-WebRequest cmdlet. When it is called without -UseBasicParsing, Windows PowerShell 5.1 hands the response body to the Internet Explorer HTML engine to build the ParsedHtml object, and script embedded in the retrieved page can run during that parsing. PowerShell 7 always uses basic parsing and treats the switch as a no-op, so the exposure is on Windows PowerShell 5.1 scripts that omit it.

After patching, Invoke-WebRequest shows a new security prompt when it is invoked without -UseBasicParsing, warning about the script execution risk and recommending the switch. Unattended or scheduled scripts that omit the switch may now stall at this prompt, which is another reason to audit them:

Security Warning: Script Execution Risk

Invoke-WebRequest parses the content of the web page. Script code in the web page might be run when the page is parsed.

RECOMMENDED ACTION:

Use the -UseBasicParsing switch to avoid script code execution.

Do you want to continue?

Details of CVE-2025-54100 (SOCRadar Labs, CVE Radar)


This vulnerability also requires local execution and user interaction, but it can be reached through crafted downloads or social engineering (for example, a script that fetches an attacker-controlled page), so timely patching matters for automation-heavy workflows that call Invoke-WebRequest.
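The script below is an added example (not code from the SOCRadar post or from Microsoft) showing how to find the call shape the new prompt warns about: it parses PowerShell files with the built-in AST parser and lists every Invoke-WebRequest call (including the iwr, curl and wget aliases of Windows PowerShell 5.1) that does not pass -UseBasicParsing. The sample script content embedded at the bottom is constructed for the demonstration; the URLs in it are placeholders.

```powershell
# Added example (not from the SOCRadar post or from Microsoft). Audits PowerShell
# source for Invoke-WebRequest calls that omit -UseBasicParsing, i.e. the calls
# that would use IE-engine parsing on Windows PowerShell 5.1 and that now trigger
# the post-patch security prompt. Sample script text below is constructed.

function Find-UnsafeInvokeWebRequest {
    param(
        [Parameter(Mandatory)] [string] $ScriptText,
        [string] $Path = '<inline>'
    )
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Every command invocation whose resolved name is Invoke-WebRequest or one of
    # its aliases. Dynamic invocations (& $cmd) have no static name and are skipped.
    $calls = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst] -and
        $node.GetCommandName() -in @('Invoke-WebRequest', 'iwr', 'curl', 'wget')
    }, $true)

    foreach ($call in $calls) {
        $params = $call.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
            ForEach-Object { $_.ParameterName }

        # PowerShell accepts unambiguous parameter prefixes, so -UseBasic counts too.
        # Splatted parameter sets (@args) are not inspected here and will be reported.
        $safe = $params | Where-Object { 'UseBasicParsing'.StartsWith($_, 'OrdinalIgnoreCase') }

        if (-not $safe) {
            [pscustomobject]@{
                Path = $Path
                Line = $call.Extent.StartLineNumber
                Call = $call.Extent.Text
            }
        }
    }
}

# Constructed sample input for the demo (placeholder URLs).
$sample = @'
$r   = Invoke-WebRequest -Uri 'https://example.invalid/page'           # flagged
$ok  = iwr 'https://example.invalid/data.json' -UseBasicParsing        # fine
$ok2 = Invoke-WebRequest -UseBasic -Uri 'https://example.invalid/'     # prefix, fine
'@

Find-UnsafeInvokeWebRequest -ScriptText $sample -Path 'sample.ps1' | Format-Table -AutoSize

# To sweep a script repository:
# Get-ChildItem -Path C:\Scripts -Filter *.ps1 -Recurse |
#     ForEach-Object { Find-UnsafeInvokeWebRequest -ScriptText (Get-Content $_.FullName -Raw) -Path $_.FullName }
```

Only the first call in the sample is reported. Adding -UseBasicParsing to flagged calls is safe on both editions: on Windows PowerShell 5.1 it switches to the basic parser (the Content, Headers and StatusCode properties still work; only ParsedHtml is gone), and on PowerShell 7 it is already the only behaviour, so the switch is harmless there.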

Strengthen Vulnerability Prioritization with SOCRadar

With dozens of new vulnerabilities disclosed each month, knowing which issues require immediate action can be challenging. SOCRadar’s Vulnerability Intelligence, part of the platform’s Cyber Threat Intelligence module, helps security teams cut through the noise by delivering context-rich insights on exploitation activity, threat actors, and emerging trends.

SOCRadar’s Vulnerability Intelligence: Latest CVEs & Hacker Trends


With SOCRadar, you can:

  • Identify and prioritize high-risk vulnerabilities based on vendor, product, severity, and real-world exploit signals.
  • Monitor exploit development and map CVEs to active threat campaigns for informed decision-making.
  • Follow each vulnerability’s evolution, from disclosure to potential weaponization, enabling quicker and more accurate remediation planning.

Critical Vulnerabilities in December 2025 Patch Tuesday

Microsoft has addressed three Critical-severity vulnerabilities in this month’s update cycle, affecting core productivity applications such as Office and Outlook.

  • CVE-2025-62554 (CVSS 8.4) – Microsoft Office Remote Code Execution Vulnerability
  • CVE-2025-62557 (CVSS 8.4) – Microsoft Office Remote Code Execution Vulnerability
  • CVE-2025-62562 (CVSS 7.8) – Microsoft Outlook Remote Code Execution Vulnerability

These vulnerabilities share a similar risk profile: an attacker could trigger RCE simply by convincing a user to open a malicious document or email. Because Office and Outlook are common entry points for phishing and document-based attacks, organizations should prioritize patching end-user systems to prevent exploitation through everyday workflows.

High-Risk Vulnerabilities to Watch in December Patch Tuesday

Alongside the Critical fixes, Microsoft has flagged several Elevation of Privilege vulnerabilities as more likely to be exploited in real-world attacks. These weaknesses are found across key Windows components such as the Storage VSP driver, Cloud Files Mini Filter, Win32k, and other core system drivers commonly targeted in post-compromise activity.

  • CVE-2025-59516 (CVSS 7.8) – Windows Storage VSP Driver Elevation of Privilege Vulnerability
  • CVE-2025-59517 (CVSS 7.8) – Windows Storage VSP Driver Elevation of Privilege Vulnerability
  • CVE-2025-62454 (CVSS 7.8) – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
  • CVE-2025-62458 (CVSS 7.8) – Win32k Elevation of Privilege Vulnerability
  • CVE-2025-62470 (CVSS 7.8) – Windows Common Log File System Driver Elevation of Privilege Vulnerability
  • CVE-2025-62472 (CVSS 7.8) – Windows Remote Access Connection Manager Elevation of Privilege Vulnerability

Although none of these vulnerabilities are known to be exploited at the time of release, their role in privilege escalation chains makes them attractive candidates for attackers once technical details emerge. Prioritizing these patches will help reduce exposure to lateral movement and ensure that December’s updates close off common escalation paths used during intrusions.

Patch Now – Apply the December 2025 Microsoft Security Updates

Security teams should prioritize systems exposed to user interaction or document handling (workstations running Office, Outlook and Copilot, and any host where scripts call Invoke-WebRequest) and review Microsoft's release notes for the full list of addressed CVEs and the KB numbers for each build.

But, even after patches are applied, understanding what remains exposed is critical. SOCRadar Attack Surface Management (ASM) continuously maps internet-facing assets, identifies unpatched vulnerabilities, and surfaces configuration weaknesses that attackers commonly abuse.

By pairing ASM’s real-time visibility with your monthly update workflow, security teams can:

  • Detect overlooked or newly exposed assets.
  • Validate whether critical patches have been applied across the attack surface.
  • Focus remediation on the systems most likely to be targeted.

SOCRadar’s ASM module, Company Vulnerabilities

Combining proactive patching with continuous external monitoring helps organizations stay resilient against rapidly evolving threats.

Other Notable Security Updates from Major Vendors (December 2025)

Beyond Microsoft’s Patch Tuesday release, several major enterprise vendors issued important security updates this month.

SAP Releases 14 Security Notes, Including Three Critical Flaws

SAP’s December 2025 Security Patch Day advisory includes 14 new notes, three of which are critical-severity issues.

  • CVE-2025-42880 (CVSS 9.9) – Code injection in Solution Manager, notable for its potential to grant administrative-level access across connected SAP systems.
  • CVE-2025-55754 & CVE-2025-55752 (CVSS 9.6) – Two Apache Tomcat RCE vulnerabilities affecting Commerce Cloud.
  • CVE-2025-42928 (CVSS 9.1) – Deserialization vulnerability in jConnect SDK for Sybase ASE.

Additional high priority notes address Denial of Service (DoS) risks in NetWeaver and BusinessObjects, along with information disclosure and memory corruption issues affecting Web Dispatcher, ICM, and S/4HANA Private Cloud. SAP has not reported exploitation in the wild and recommends prompt patching.

Fortinet Patches Critical SAML Authentication Bypass Issues

Fortinet issued patches for 18 vulnerabilities, including two critical flaws:

  • CVE-2025-59718 & CVE-2025-59719 (CVSS 9.8) – Improper cryptographic signature verification in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, allowing attackers to bypass FortiCloud SSO authentication.

The issues affect devices that have FortiCloud login enabled during registration. Administrators are advised to temporarily disable FortiCloud SSO until patches are applied.

Ivanti Fixes Critical RCE Vulnerability in Endpoint Manager

Ivanti patched four vulnerabilities in Endpoint Manager (EPM), including:

  • CVE-2025-10573 (CVSS 9.6) – A stored XSS flaw leading to RCE when malicious scan data is displayed in the admin dashboard.

Three additional high-severity bugs include arbitrary file write, path traversal, and improper signature verification issues, some requiring user interaction. According to Ivanti’s advisory, no exploitation has been reported.

Adobe Issues Nearly 140 Patches Across ColdFusion, AEM, and Creative Cloud

Adobe released updates for almost 140 security issues, including critical vulnerabilities in ColdFusion and Adobe Experience Manager (AEM).

  • In ColdFusion, 12 flaws could allow remote code execution, including CVE-2025-61808, CVE-2025-61809, and CVE-2025-61830 (CVSS 9.1).
  • AEM received fixes for 117 vulnerabilities, most of them XSS flaws, with two rated critical (CVE-2025-64537 and CVE-2025-64539).

Additional fixes landed for Adobe DNG SDK, Acrobat, Reader, and Creative Cloud Desktop. Adobe rates ColdFusion and AEM updates as Priority 1, urging immediate deployment.