Microsoft on Tuesday announced patches for 57 vulnerabilities as part of its December 2025 security updates. Three of the bugs are zero-days, but only one is under active exploitation.
The exploited zero-day, tracked as CVE-2025-62221 (CVSS score of 7.8), is described as a use-after-free issue in the Windows Cloud Files Mini Filter Driver.
According to Microsoft, the successful exploitation of the security defect could allow attackers to elevate their privileges to System on Windows devices.
The company notes that it is aware of this vulnerability being exploited in the wild, but has not shared details on the observed attacks.
A second flaw resolved in the Cloud Files Mini Filter Driver, tracked as CVE-2025-62454 (CVSS score of 7.8) and leading to privilege escalation, is also likely to be exploited in attacks, the tech giant warns.
Microsoft’s December 2025 Patch Tuesday updates also draw attention to two command injections leading to remote code execution, patched in Copilot for Jetbrains (CVE-2025-64671) and PowerShell (CVE-2025-54100).
Both issues have been publicly disclosed before patches were released, but are less likely to be exploited in attacks, the company says. However, proof-of-concept (PoC) exists for CVE-2025-64671.
Microsoft’s fresh updates also address 13 vulnerabilities in the Office suite, including two marked as ‘critical’, although they have a CVSS score of 8.4, making them high-severity issues.
The two flaws, tracked as CVE-2025-62554 and CVE-2025-62557, are described as type confusion and use-after-free bugs that could allow remote attackers to execute arbitrary code.
According to Microsoft, threat actors could exploit the vulnerabilities using social engineering to convince users to click on malicious links. In both cases, Office’s Preview Pane is an attack vector.
“In the worst-case email attack scenario, an attacker could send a specially crafted email to the user without a requirement that the victim open, read, or click on the link. This could result in the attacker executing remote code on the victim’s machine,” Microsoft notes.
Other Microsoft products that received fixes on the December 2025 Patch Tuesday include Visual Studio, Azure Monitor Agent, Hyper-V, Edge for iOS, and Application Information Service.
In 2025, Microsoft has rolled out patches for roughly 1,200 vulnerabilities. This is the second year in a row during which the company has resolved over 1,000 flaws.
Related: Microsoft Silently Mitigated Exploited LNK Vulnerability
Related: Microsoft Patches Actively Exploited Windows Kernel Zero-Day
Related: Microsoft Highlights Security Risks Introduced by New Agentic AI Feature
Related: Microsoft Unveils Security Enhancements for Identity, Defense, Compliance
