Full Report
3Critical53Important0Moderate0LowMicrosoft addresses 56 CVEs, including two publicly disclosed vulnerabilities and one zero-day that was exploited in the wild to close out the final Patch Tuesday of 2025Microsoft patched 56 CVEs in its December 2025 Patch Tuesday release, with three rated critical, and 53 rated as important.This month’s update includes patches for:Application Information ServicesAzure Monitor AgentCopilotMicrosoft Brokering File SystemMicrosoft Edge for iOSMicrosoft Exchange ServerMicrosoft Graphics ComponentMicrosoft OfficeMicrosoft Office AccessMicrosoft Office ExcelMicrosoft Office OutlookMicrosoft Office SharePointMicrosoft Office WordStorvsp.sys DriverWindows Camera Frame Server MonitorWindows Client-Side Caching (CSC) ServiceWindows Cloud Files Mini Filter DriverWindows Common Log File System DriverWindows DWM Core LibraryWindows Defender Firewall ServiceWindows DirectXWindows Hyper-VWindows InstallerWindows Message QueuingWindows PowerShellWindows Projected File SystemWindows Projected File System Filter DriverWindows Remote Access Connection ManagerWindows Resilient File System (ReFS)Windows Routing and Remote Access Service (RRAS)Windows ShellWindows Storage VSP DriverWindows Win32K - GRFXElevation of privilege (EoP) vulnerabilities accounted for 50% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 33.9%.ImportantCVE-2025-62221 | Windows Cloud Files Mini Filter Driver Elevation of Privilege VulnerabilityCVE-2025-62221 is an EoP vulnerability in the Windows Cloud Files Mini Filter Driver. It was assigned a CVSSv3 score of 7.8 and rated as important. A local, authenticated attacker could exploit this vulnerability to elevate to SYSTEM privileges. According to Microsoft, this vulnerability was exploited in the wild as a zero-day.Microsoft also patched two additional EoP vulnerabilities in the Windows Cloud Files Mini Filter Driver, CVE-2025-62454 and CVE-2025-62457. Both were assigned the same CVSSv3 score of 7.8 and rated important. However, CVE-2025-62454 was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index while CVE-2025-62457 was assessed as “Exploitation Unlikely.”ImportantCVE-2025-64671 | GitHub Copilot for Jetbrains Remote Code Execution VulnerabilityCVE-2025-64671 is a RCE vulnerability in the GitHub Copilot Plugin for JetBrains Integrated Development Environments (IDEs). It was assigned a CVSSv3 score of 8.4, rated important and assessed as “Exploitation Less Likely” The issue stems from a command injection vulnerability in GitHub Copilot. An attacker could leverage a “malicious Cross Prompt Inject” either through an MCP Server or untrusted files. Successful exploitation would grant an attacker the ability to append unapproved commands onto existing allowed commands due to the ‘auto-approve’ setting in the terminal.This vulnerability has been dubbed IDEsaster by security researcher, Ari Marzuk who is credited for reporting this vulnerability to Microsoft.ImportantCVE-2025-54100 | PowerShell Remote Code Execution VulnerabilityCVE-2025-54100 is a RCE vulnerability in Windows PowerShell. This vulnerability was assigned a CVSSv3 score of 7.8 and is rated as important. According to the advisory, this RCE was publicly disclosed prior to a patch being made available. The advisory notes that after installing the update, a warning prompt will be displayed anytime the Invoke-WebRequest command is used.This vulnerability was attributed to several researchers including Justin Necke, DeadOverflow, Pēteris Hermanis Osipovs, Anonymous, Melih Kaan Yıldız and Osman Eren. The researcher known as DeadOverflow has a YouTube video demonstrating how this flaw can be abused and links to a HackerOne report opened with the curl project by another researcher. According to the HackerOne report, the issue was not related to curl, but rather appeared to be related to the PowerShell curl alias that utilizes Invoke-WebRequest.ImportantCVE-2025-62458 | Win32k Elevation of Privilege VulnerabilityCVE-2025-62458 is an EoP vulnerability affecting Microsoft’s Win32k, a core kernel-side driver used in Windows. This vulnerability received a CVSSv3 score of 7.8, was rated as important and assessed as “Exploitation More Likely.” Successful exploitation of this vulnerability would allow an attacker to gain SYSTEM level privileges on an affected host.Including CVE-2025-62458, this is the ninth EoP vulnerability affecting Win32k addressed by Microsoft in 2025, with 14 EoP flaws addressed in the driver throughout 2024.CriticalCVE-2025-62554 and CVE-2025-62557 | Microsoft Office Remote Code Execution VulnerabilityCVE-2025-62554 and CVE-2025-62557 are RCE vulnerabilities affecting Microsoft Office. Both received CVSSv3 scores of 8.4 and were rated as critical. An attacker could exploit these flaws through social engineering by sending the malicious Microsoft Office document file to an intended target. Successful exploitation would grant code execution privileges to the attacker.Despite being flagged as “Less Likely” to be exploited, Microsoft notes that the Preview Pane is an attack vector for both vulnerabilities, which means exploitation does not require the target to open the file. According to the advisories from Microsoft, security updates for Microsoft Office LTSC for Mac are not yet available and will be released as soon as they are ready.Tenable SolutionsA list of all the plugins released for Microsoft’s December 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.Get more informationMicrosoft's December 2025 Security UpdatesTenable plugins for Microsoft December 2025 Patch Tuesday Security UpdatesJoin Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Analysis Summary
Here is the summary of the key vulnerabilities from the December 2025 Microsoft Patch Tuesday, focusing on the most critical and noteworthy findings:
---
## Vulnerability: Windows Cloud Files Mini Filter Driver Zero-Day (CVE-2025-62221)
## CVE Details
- CVE ID: CVE-2025-62221
- CVSS Score: 7.8 (Important)
- CWE: Not explicitly listed, related to Elevation of Privilege (EoP)
## Affected Systems
- Products: Windows Cloud Files Mini Filter Driver
- Versions: Not specified, assumed to be applicable Windows versions prior to patching.
- Configurations: Requires a local, authenticated attacker.
## Vulnerability Description
This is an Elevation of Privilege (EoP) vulnerability residing in the Windows Cloud Files Mini Filter Driver. Successful exploitation allows a local, authenticated attacker to escalate their privileges to the **SYSTEM** level.
## Exploitation
- Status: **Exploited in the wild (Zero-day)**
- Complexity: Local, Authenticated
- Attack Vector: Local
## Impact
- Confidentiality: High (If exploited to SYSTEM)
- Integrity: High (If exploited to SYSTEM)
- Availability: Moderate/High
## Remediation
### Patches
- Security updates released in the December 2025 Patch Tuesday addressing this CVE.
### Workarounds
- No specific workarounds provided in the summary other than applying the patch.
## Detection
- Detection methods related to Tenable plugins covering the December 2025 updates.
## References
- Microsoft's December 2025 Security Updates (Link provided in original document)
***
## Vulnerability: Microsoft Office Remote Code Execution (CVE-2025-62554 & CVE-2025-62557 - Critical)
## CVE Details
- CVE ID: CVE-2025-62554 and CVE-2025-62557
- CVSS Score: 8.4 (Critical)
- CWE: Not explicitly listed, related to Remote Code Execution (RCE)
## Affected Systems
- Products: Microsoft Office (including Access, Excel, Outlook, SharePoint, Word)
- Versions: Not specified, prior to patching.
- Configurations: Targets users who receive malicious Office document files. **The Preview Pane is noted as an attack vector**, meaning opening the file may not be required for exploitation.
## Vulnerability Description
These are two distinct Remote Code Execution (RCE) vulnerabilities impacting Microsoft Office suite components. An attacker can achieve code execution by sending a specially crafted Microsoft Office document file to a target.
## Exploitation
- Status: Not listed as exploited *in the wild*, but rated Critical.
- Complexity: Depends on social engineering to deliver the file.
- Attack Vector: Adjacent Network/Delivery (via malicious file).
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- Security updates released in the December 2025 Patch Tuesday addressing these CVEs.
- **Note:** Security updates for **Microsoft Office LTSC for Mac** are pending release.
### Workarounds
- Users should exercise extreme caution when opening unsolicited Office documents.
- If possible, disable or restrict the use of the Outlook/File Explorer Preview Pane until patches are applied.
## Detection
- Detection methods related to Tenable plugins covering the December 2025 updates.
## References
- Microsoft's December 2025 Security Updates (Link provided in original document)
***
## Other Notable Vulnerabilities
| CVE ID | Severity | Type | CVSS | Exploitation Status | Affected Product Snippet | Notes |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
| **CVE-2025-64671** | Important | RCE | 8.4 | N/A | GitHub Copilot for JetBrains IDEs | Command Injection via "malicious Cross Prompt Inject" due to terminal 'auto-approve' setting. Dubbed "IDEsaster". |
| **CVE-2025-54100** | Important | RCE | 7.8 | Publicly Disclosed | Windows PowerShell | Publicly disclosed prior to patch. Installing the update causes a warning prompt for the `Invoke-WebRequest` command. |
| **CVE-2025-62458** | Important | EoP | 7.8 | N/A | Win32k (Kernel-side driver) | Elevation of Privilege to SYSTEM level. Assessed as "Exploitation More Likely." |
| **CVE-2025-62221 (Related)** | Important | EoP | 7.8 | Exploited in the wild | Windows Cloud Files Mini Filter Driver | Local, authenticated attacker achieves SYSTEM privileges. (See primary entry above). |
---
## General Mitigation Strategy
Microsoft patched **56 CVEs** in total, with **3 Critical** and **53 Important** ratings. **50%** of the addressed flaws were **Elevation of Privilege (EoP)** vulnerabilities.
**Action:** Apply all December 2025 security updates immediately. Scan environments regularly using Tenable plugins to confirm remediation status.