Microsoft's December 2025 Patch Tuesday release addresses 72 vulnerabilities across multiple products, including Windows, Edge, and Microsoft Office.
Highlights of the December Release
The latest Patch Tuesday includes fixes for three zero-day vulnerabilities, one of which is actively exploited. These zero-days involve command injection and use-after-free flaws impacting Windows and PowerShell, among others. Notably, the December update fixes 15 issues in Microsoft Edge (Chromium-based) and addresses risks in Windows Hyper-V, Message Queuing, and the Defender Firewall Service.
- 72 vulnerabilities addressed, including 3 critical and 55 important ones.
- 3 zero-day vulnerabilities fixed; 1 is actively exploited.
- 15 Microsoft Edge issues resolved.
Key Vulnerabilities and Fixes
Among the critical fixes, a command injection flaw in Windows Copilot could allow unauthorized remote code execution. Another zero-day involves a use-after-free flaw in the Windows Cloud Files Mini Filter Driver, which could let an attacker gain SYSTEM privileges. CISA has highlighted the urgency of these patches, advising that updates be applied before 2025-12-30.
Other significant vulnerabilities include privilege elevation flaws in Microsoft Office and Outlook, which could lead to remote code execution. CVE-2025-62454, CVE-2025-62458, and CVE-2025-62470 are particularly notable for their potential impact on system security.
Affected Products and Advice
The security updates affect a range of products, including Windows PowerShell, Projected File System, Storage VSP Driver, and SharePoint. Users should apply these updates promptly to reduce their exposure. The next Patch Tuesday is scheduled for 2025-01-13, and regular updates are recommended to maintain a strong security posture.



