TL;DR

Microsoft released December Patch Tuesday updates addressing 56 security flaws, including a zero‑day privilege escalation and two publicly disclosed bugs. The company closed out 2025 having patched 1,129 vulnerabilities, an 11.9% rise from 2024.

What happened

On December 9, Microsoft issued its final Patch Tuesday updates of 2025, correcting at least 56 security flaws across Windows and related software. The set includes a zero‑day (CVE-2025-62221), a privilege‑escalation defect in the Windows Cloud Files Mini Filter Driver that is already being exploited. Microsoft also addressed two publicly disclosed remote code execution vulnerabilities: one in the GitHub Copilot Plugin for JetBrains (CVE-2025-64671) and another in Windows PowerShell on Server 2008 and later (CVE-2025-54100). Only three bugs this month received Microsoft’s “critical” rating: two Office flaws exploitable via the Preview Pane (CVE-2025-62554 and CVE-2025-62557) and a separate Outlook issue (CVE-2025-62562). Microsoft highlighted several non‑critical privilege escalation bugs as most likely to be targeted, and security researchers warned that those classes of flaws are commonly used in host compromises. Over the year Microsoft patched 1,129 vulnerabilities, an 11.9% increase over 2024.

Why it matters

  • A zero‑day being actively exploited raises immediate risk for unpatched systems.
  • Privilege escalation bugs are frequently used in post‑compromise activity and lateral movement.
  • The Cloud Files mini‑filter is a core Windows component used by cloud sync services, increasing potential attack surface even on systems without third‑party cloud apps.
  • Vulnerabilities in AI coding tools (the so‑called “IDEsaster” cluster) show a broader risk vector tied to integrated development environments and LLM plugins.

Key facts

  • December 2025 Patch Tuesday fixed at least 56 security flaws.
  • Zero‑day: CVE-2025-62221 — privilege escalation in Windows Cloud Files Mini Filter Driver (Windows 10 and later).
  • Two publicly disclosed vulnerabilities were fixed: CVE-2025-64671 (GitHub Copilot Plugin for JetBrains) and CVE-2025-54100 (PowerShell RCE on Windows Server 2008 and later).
  • Three vulnerabilities received Microsoft’s “critical” rating: CVE-2025-62554 and CVE-2025-62557 (Microsoft Office via Preview Pane) and CVE-2025-62562 (Microsoft Outlook).
  • Microsoft identified several privilege‑escalation bugs as more likely to be exploited: CVE-2025-62458, CVE-2025-62470, CVE-2025-62472, CVE-2025-59516 and CVE-2025-59517.
  • Security researchers noted the Copilot Plugin flaw could let attackers coerce an LLM into running commands that bypass auto‑approve behavior.
  • Security firm Tenable’s Satnam Narang observed Microsoft patched 1,129 vulnerabilities in 2025 — an 11.9% increase from 2024.
  • Researcher Ari Marzuk has labeled a broader set of AI coding platform vulnerabilities “IDEsaster,” covering over 30 issues across multiple tools.

What to watch next

  • Whether exploitation of CVE-2025-62221 continues or expands now that a patch is out.
  • Potential weaponization of the listed privilege escalation bugs (CVE-2025-62458, CVE-2025-62470, CVE-2025-62472, CVE-2025-59516, CVE-2025-59517). Not confirmed in the source.
  • Further disclosures or patches addressing the wider IDEsaster set of vulnerabilities across AI coding platforms such as Cursor, Windsurf, Gemini CLI and Claude Code. Not confirmed in the source.

Quick glossary

  • Zero‑day: A vulnerability that is actively being exploited before or shortly after the vendor releases a patch.
  • Privilege escalation: A class of vulnerability that lets an attacker gain higher‑level permissions on a system than originally granted.
  • Remote code execution (RCE): A vulnerability that allows an attacker to execute arbitrary code on a target system from a remote location.
  • Mini filter driver: A type of file system driver in Windows used to monitor or modify file I/O operations, often used by cloud sync clients and antivirus tools.
  • CVE: Common Vulnerabilities and Exposures — a standard identifier for publicly known cybersecurity vulnerabilities.

Reader FAQ

Is the zero‑day already being exploited?
Yes — the zero‑day CVE-2025-62221 was reported as already being exploited at the time of the update.

Do the Office preview‑pane bugs require user interaction?
According to the advisory, CVE-2025-62554 and CVE-2025-62557 can be exploited by viewing a malicious message in the Preview Pane.

Does the PowerShell vulnerability affect older servers?
CVE-2025-54100 affects Windows PowerShell on Windows Server 2008 and later, per the report.

Are patches available now?
Microsoft issued updates on the December 9 Patch Tuesday, so fixes were released as part of that update batch.

Is GitHub Copilot safe to use after this patch?
Not confirmed in the source.

December 9, 2025: Microsoft today pushed updates to fix at least 56 security flaws in its Windows operating systems and supported software. This final Patch Tuesday of 2025…
