It’s the final patch Tuesday of 2025, but that doesn’t make it any less exciting. Put aside your holiday planning for just a moment as we review the latest security offering from Adobe and Microsoft. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for December 2025
For December, Adobe released five bulletins addressing 139 unique CVEs in Adobe Reader, ColdFusion, Experience Manager, Creative Cloud Desktop, and the Adobe DNG Software Development Kit (SDK). Don’t panic at that large of a CVE count. Most of those are simple cross-site scripting (XSS) bugs in Adobe Experience Manager. There are a few Critical-rated DOM-based XSS bugs in the mix, so don’t ignore this patch by any means – just don’t panic at the large number of CVEs. I wouldn’t panic over the update for ColdFusion either, but Adobe does set the deployment priority for this fix as 1. They note there are no known active attacks for the CVEs, but there are several arbitrary code execution bugs being fixed. Also, if you’re running ColdFusion, make sure you check out one of their lockdown guides. The one for ColdFusion 2025 can be found here.
The update for Adobe Reader is smaller than expected, with only two of the four CVEs addressed leading to code execution. Not that I’m complaining – I just expected more. The patch for the Adobe DNG Software Development Kit also fixes four CVEs, with one of those leading to code execution. Finally, the update for Creative Cloud Desktop fixes a single Important-rated bug.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Besides the fix for ColdFusion, all of the updates released by Adobe this month are listed as deployment priority 3.
Microsoft Patches for December 2025
Microsoft ends the year by releasing a paltry 56 new CVEs in Windows and Windows components, Office and Office Components, Microsoft Edge (Chromium-based), Exchange Server, Azure, Copilot, PowerShell, and Windows Defender. One of these bugs came through the ZDI program. Of the patches released today, three are rated Critical while the rest are rated Important in severity. Counting the third-party Chromium updates listed in the release, that brings the total number of CVEs to 70.
Counting the CVEs released today, that brings Microsoft’s total count to 1,139 CVEs patched in 2025. Again, this is not counting the numerous updates for Azure Linux and CBL Mariner released earlier this month, as these should be considered Linux CVEs being applied to Azure properties. That makes 2025 the second-largest year in volume, trailing 2020 by a mere 111 CVEs. As Microsoft’s portfolio continues to grow and as AI bugs become more prevalent, this number is likely to go higher in 2026.
Microsoft lists one bug under active attack, but two others as publicly known at the time of the release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:
- CVE-2025-62221 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
This is the only bug listed as under active attack for this month, and – at least on the surface – looks similar to a bug patched in October. However, the bug back in October was a race condition, whereas this one is a Use After Free (UAF). It allows an attacker to perform a privilege escalation on an affected system. These types of bugs are often combined with a code execution bug to take over a system. It appears to affect every supported version of Windows, so if you must prioritize, this should be at the top of your list.
- CVE-2025-62554/62557 - Microsoft Office Remote Code Execution Vulnerability
Here we are again, looking at two Office bugs where the Preview Pane is an attack vector. For those counting (like me), that makes 11 months in a row with a Critical-rated Office bug with the Preview Pane as an attack vector. If you’re a Mac user, you are out of luck, as updates for Office LTSC for Mac 2021 and 2024 are not available. Let’s hope Microsoft gets those out before exploitation begins.
- CVE-2025-62562 - Microsoft Outlook Remote Code Execution Vulnerability
At first glance, I thought this was another Preview Pane issue, but it isn’t. In fact, this is only rated Critical for SharePoint Enterprise Server 2016 – it’s rated Important for everything else. However, the CVSS is the same (7.8) for all affected platforms. For this bug, the attacker would need to convince a user to reply to a specially crafted email. It’s not clear why this is worse on SharePoint 2016, but if you are running this version in your enterprise, don’t skip this update.
- CVE-2025-64671 - GitHub Copilot for Jetbrains Remote Code Execution Vulnerability
This is the bug listed as publicly known, and it’s a command injection bug in Copilot that allows an unauthorized user to execute their code on an affected system. It’s listed as local, but it’s likely that a remote attacker could socially engineer someone to trigger the command injection. By exploiting a malicious cross-prompt injection in untrusted files or Model Context Protocol (MCP) servers, an attacker could piggyback extra commands onto those permitted by the user’s terminal auto-approve settings, causing them to be executed without further confirmation. I expect we’ll see many more bugs like these in 2026.
Here’s the full list of CVEs released by Microsoft for December 2025:
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-62221 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2025-64671 | GitHub Copilot for Jetbrains Remote Code Execution Vulnerability | Important | 8.4 | Yes | No | RCE |
| CVE-2025-54100 † | PowerShell Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE |
| CVE-2025-62554 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2025-62557 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2025-62562 | Microsoft Outlook Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2025-62572 | Application Information Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62550 | Azure Monitor Agent Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2025-62463 | DirectX Graphics Kernel Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2025-62465 | DirectX Graphics Kernel Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2025-62573 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2025-62552 | Microsoft Access Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-62469 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2025-62569 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2025-62553 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-62556 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-62560 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-62561 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-62563 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-62564 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-64666 † | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
| CVE-2025-64667 † | Microsoft Exchange Server Spoofing Vulnerability | Important | 5.3 | No | No | Spoofing |
| CVE-2025-62455 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-64672 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 8.8 | No | No | Spoofing |
| CVE-2025-62555 | Microsoft Word Remote Code Execution Vulnerability | Important | 7 | No | No | RCE |
| CVE-2025-62558 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-62559 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-62458 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62570 | Windows Camera Frame Server Monitor Information Disclosure Vulnerability | Important | 7.1 | No | No | Info |
| CVE-2025-62466 | Windows Client-Side Caching Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62454 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62457 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62470 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62468 | Windows Defender Firewall Service Information Disclosure Vulnerability | Important | 4.4 | No | No | Info |
| CVE-2025-64670 | Windows DirectX Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2025-64679 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-64680 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62565 | Windows File Explorer Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2025-64658 | Windows File Explorer Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
| CVE-2025-62567 | Windows Hyper-V Denial of Service Vulnerability | Important | 5.3 | No | No | DoS |
| CVE-2025-62571 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-55233 | Windows Projected File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62461 | Windows Projected File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62462 | Windows Projected File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62464 | Windows Projected File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62467 | Windows Projected File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62472 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62474 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62456 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2025-62473 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2025-62549 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2025-64678 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2025-64661 | Windows Shell Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-59516 | Windows Storage VSP Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-59517 | Windows Storage VSP Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-64673 | Windows Storage VSP Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-62223 * | Microsoft Edge (Chromium-based) for Mac Spoofing Vulnerability | Low | 4.3 | No | No | Spoofing |
| CVE-2025-13630 * | Chromium: CVE-2025-13630 Type Confusion in V8 | High | N/A | No | No | RCE |
| CVE-2025-13631 * | Chromium: CVE-2025-13631 Inappropriate implementation in Google Updater | High | N/A | No | No | RCE |
| CVE-2025-13632 * | Chromium: CVE-2025-13632 Inappropriate implementation in DevTools | High | N/A | No | No | RCE |
| CVE-2025-13633 * | Chromium: CVE-2025-13633 Use after free in Digital Credentials | High | N/A | No | No | RCE |
| CVE-2025-13634 * | Chromium: CVE-2025-13634 Inappropriate implementation in Downloads | Medium | N/A | No | No | Info |
| CVE-2025-13720 * | Chromium: CVE-2025-13720 Bad cast in Loader | Medium | N/A | No | No | SFB |
| CVE-2025-13721 * | Chromium: CVE-2025-13721 Race in v8 | Medium | N/A | No | No | RCE |
| CVE-2025-13635 * | Chromium: CVE-2025-13635 Inappropriate implementation in Downloads | Low | N/A | No | No | Info |
| CVE-2025-13636 * | Chromium: CVE-2025-13636 Inappropriate implementation in Split View | Low | N/A | No | No | Info |
| CVE-2025-13637 * | Chromium: CVE-2025-13637 Inappropriate implementation in Downloads | Low | N/A | No | No | Info |
| CVE-2025-13638 * | Chromium: CVE-2025-13638 Use after free in Media Stream | Low | N/A | No | No | RCE |
| CVE-2025-13639 * | Chromium: CVE-2025-13639 Inappropriate implementation in WebRTC | Low | N/A | No | No | Info |
| CVE-2025-13640 * | Chromium: CVE-2025-13640 Inappropriate implementation in Passwords | Low | N/A | No | No | Info |
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
† Indicates further administrative actions are required to fully address the vulnerability.
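As an added example (not part of the original post or of anything Microsoft or ZDI publishes), here is a small Python triage script that parses rows in the table format above, keeps the `*` and `†` markers, and orders the rows the way this post prioritizes them: exploited first, then publicly known, then by severity and CVSS. The sample rows are copied from the table; the ranking rule and the decision to treat Chromium’s "High" alongside Microsoft’s "Important" are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Chromium rows use Google's High/Medium/Low scale; High is ranked alongside Important (assumption).
SEVERITY_RANK = {"Critical": 0, "Important": 1, "High": 1, "Medium": 2, "Low": 3}

@dataclass
class CveRow:
    cve: str
    title: str
    severity: str
    cvss: Optional[float]            # None when the table lists "N/A"
    public: bool
    exploited: bool
    vuln_type: str
    third_party: bool = False        # '*' marker: CVE released by a third party
    needs_admin_action: bool = False # '†' marker: the patch alone does not fix it

def parse_row(line: str) -> Optional[CveRow]:
    """Parse one '| CVE | Title | Severity | CVSS | Public | Exploited | Type |' row."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 7:
        return None                                  # header, separator or footnote
    m = re.fullmatch(r"(CVE-\d{4}-\d{4,})\s*([*†]?)", cells[0])
    if not m:
        return None
    cvss = None if cells[3].upper() == "N/A" else float(cells[3])
    return CveRow(cve=m.group(1), title=cells[1], severity=cells[2], cvss=cvss,
                  public=cells[4].lower() == "yes", exploited=cells[5].lower() == "yes",
                  vuln_type=cells[6], third_party=m.group(2) == "*",
                  needs_admin_action=m.group(2) == "†")

def parse_table(text: str) -> List[CveRow]:
    return [r for r in map(parse_row, text.splitlines()) if r is not None]

def triage_order(rows: List[CveRow]) -> List[str]:
    """Exploited first, then publicly known, then severity, then CVSS descending.
    Rows whose CVSS is N/A sort last within their tier and need a manual look."""
    key = lambda r: (not r.exploited, not r.public, SEVERITY_RANK.get(r.severity, 9),
                     -(r.cvss if r.cvss is not None else 0.0))
    return [r.cve for r in sorted(rows, key=key)]

def follow_up_required(rows: List[CveRow]) -> List[str]:
    """CVEs where installing the update alone is not enough (the table's † marker)."""
    return [r.cve for r in rows if r.needs_admin_action]

# Constructed input: the header plus six rows copied from the table above.
SAMPLE = """| CVE | Title | Severity | CVSS | Public | Exploited | Type |
| CVE-2025-62221 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2025-64671 | GitHub Copilot for Jetbrains Remote Code Execution Vulnerability | Important | 8.4 | Yes | No | RCE |
| CVE-2025-54100 † | PowerShell Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE |
| CVE-2025-62554 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2025-62468 | Windows Defender Firewall Service Information Disclosure Vulnerability | Important | 4.4 | No | No | Info |
| CVE-2025-13630 * | Chromium: CVE-2025-13630 Type Confusion in V8 | High | N/A | No | No | RCE |"""
```

Feed the whole table into `parse_table` to get the full ordering; `follow_up_required` is the list to hand to the team that owns the post-patch configuration steps.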
Since we’ve already covered all of the Critical-rated CVEs, let’s move straight into looking at the other code execution bugs patched in the December release. As expected, most are Office-related open-and-own bugs where the Preview Pane is not an attack vector. There’s also the now ubiquitous bug in the RRAS service. There’s a bug in the Windows Resilient File System (ReFS) resulting from a heap overflow that could be reached over the network, but authentication is required. That’s similar to the bug in Azure Monitor. According to Microsoft, “An attacker with local network access to an Azure Linux Virtual Machine running Azure Monitor could exploit a heap overflow to escalate privileges to the syslog user, enabling execution of arbitrary commands.” The fix for the PowerShell bug is the other publicly known vulnerability this month and will require more than just a patch. The bug itself is a simple command injection, but after applying the update, when you use the Invoke-WebRequest command, you’ll receive a security warning message. You’ll also likely need to reboot after installing the patch, so make sure you complete that to fully address the vulnerability.
Moving on to the privilege escalation bugs receiving patches this month, most simply lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. The bug in Windows Shell could lead to elevating levels of code execution integrity – moving from Low to Medium integrity to escape AppContainer isolation. The vulnerability in RRAS requires an authenticated and domain-joined user, but it could allow an attacker to execute code on a target system. There’s an odd bug in the Brokering File System that’s listed as Elevation of Privilege, but it reads as a Denial of Service (DoS). A standard user could crash a system through a UAF. That sure does sound like a local DoS to me. Finally, there’s a bug in Exchange Server that was reported by the National Security Agency (NSA). Microsoft says exploitation is unlikely, but NSA. It does seem like a fair amount of preparation is needed to exploit this bug, but NSA. Also, updates for Exchange Server 2016 and 2019 are not available as they are out of support. If you’re still using those, you need to upgrade to the Extended Security Update (ESU) program.
Speaking of Exchange, there’s also a spoofing bug in the server that allows attackers to spoof the “From” email address displayed to the user. This bug was not reported by the NSA, but still, the UI misrepresentation could be used by attackers to spoof critical information. Kudos to Microsoft for deciding to fix the issue. The other spoofing bug corrected this month is in SharePoint and manifests as a cross-site scripting (XSS) bug.
There are only four information disclosure bugs getting patched this month, and fortunately, all of these bugs only result in info leaks consisting of unspecified memory contents or memory addresses. The bug in Windows Defender also requires the attacker to be a part of a specific user group.
The December release contains fixes for three Denial-of-Service (DoS) bugs, and their descriptions mirror what we saw in the November release. While they all state that an attacker could deny service over a network (or locally) to that component, the two DirectX Graphics Kernel bugs state they could be used by a low-privilege Hyper-V guest to cause a DoS on the Hyper-V environment. It’s not clear how this would occur, but if you’re running Hyper-V, don’t overlook these patches.
No new advisories are being released this month.
Looking Ahead
We start the patch process again in 2026 on January 13, and I’ll be back then with my analysis and thoughts about the release. Until then, merry christmahanakwanzika, stay safe, happy patching, and may all your reboots be smooth and clean!