Microsoft patched 57 vulnerabilities in its Patch Tuesday December 2025 update, including one exploited zero-day and six high-risk vulnerabilities.
The exploited zero-day is CVE-2025-62221, a 7.8-rated Use After Free vulnerability in the Windows Cloud Files Mini Filter Driver that could allow an authorized local attacker to elevate privileges to SYSTEM. CISA promptly added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
Microsoft credited its own Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) for the find.
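Because CVE-2025-62221 is a local elevation-of-privilege bug in a kernel driver, the practical question for an administrator is whether the December cumulative update has landed on a given host. The following PowerShell triage script is an added example, not code from the article or from Microsoft: it reports the on-disk version of the drivers behind the Cloud Files Mini Filter, CLFS and Win32k fixes described on this page, checks whether the Cloud Files minifilter is currently loaded, and lists updates installed on or after Patch Tuesday. The driver file names and the Patch Tuesday date (2025-12-09) are assumptions drawn from general Windows knowledge, not stated in the article; the fixed file versions and KB numbers are not on this page either, so compare the reported versions against Microsoft's advisory for your build.

```powershell
# Added triage example (not from the article). Assumptions: driver file
# names below and the Patch Tuesday date; fixed versions/KB numbers are not
# given here and must be taken from Microsoft's advisory for your build.
$patchTuesday = Get-Date '2025-12-09'

# Components named on this page and the driver files assumed to back them.
$drivers = [ordered]@{
    'Cloud Files Mini Filter Driver (CVE-2025-62221, CVE-2025-62454)' =
        "$env:SystemRoot\System32\drivers\cldflt.sys"
    'Common Log File System Driver (CVE-2025-62470)' =
        "$env:SystemRoot\System32\drivers\clfs.sys"
    'Win32k (CVE-2025-62458)' =
        "$env:SystemRoot\System32\win32kfull.sys"
}

Write-Host "== Driver versions on $env:COMPUTERNAME ==" -ForegroundColor Cyan
foreach ($entry in $drivers.GetEnumerator()) {
    $path = $entry.Value
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        [pscustomobject]@{
            Component   = $entry.Key
            File        = $path
            FileVersion = $item.VersionInfo.FileVersion
            Modified    = $item.LastWriteTime
            # A file last written before Patch Tuesday cannot carry this month's fix.
            OlderThanPT = ($item.LastWriteTime -lt $patchTuesday)
        }
    } else {
        Write-Warning "Not present: $path (component may not be installed on this SKU)"
    }
} | Format-List

# Is the Cloud Files minifilter loaded right now? fltmc needs an elevated shell;
# if it is not elevated the command fails and we say so instead of guessing.
Write-Host "== Cloud Files minifilter load state ==" -ForegroundColor Cyan
$filters = & fltmc.exe filters 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "fltmc.exe failed (run from an elevated prompt to list loaded filters)"
} elseif ($filters | Select-String -Pattern '^\s*CldFlt\b' -Quiet) {
    Write-Host "CldFlt is loaded: an unpatched host exposes the vulnerable driver to local users"
} else {
    Write-Host "CldFlt is not currently loaded"
}

# Updates installed on or after Patch Tuesday. Get-HotFix reads
# Win32_QuickFixEngineering, which lists cumulative and security updates.
Write-Host "== Updates installed on or after $($patchTuesday.ToShortDateString()) ==" -ForegroundColor Cyan
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn
if ($recent) {
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No updates installed since Patch Tuesday; the December fixes are likely missing"
}
```

Run it from an elevated PowerShell session so that fltmc.exe can enumerate loaded filters; on a fleet, the same logic can be wrapped in Invoke-Command and the per-host objects collected centrally. The script deliberately reports rather than decides, because the article gives the CVE identifiers but not the patched build numbers; the OlderThanPT column is a fast negative check (a driver file last written before Patch Tuesday is certainly unpatched), not proof that a newer file is fixed.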
Microsoft’s Patch Tuesday December 2025 update also carried fixes for 13 non-Microsoft CVEs, all of them Chromium vulnerabilities inherited by the Chromium-based Edge browser.
Other vendors issuing critical Patch Tuesday updates included Fortinet (CVE-2025-59718 and CVE-2025-59719), Ivanti (CVE-2025-10573) and SAP (CVE-2025-42880, CVE-2025-42928, and Apache Tomcat-related vulnerabilities CVE-2025-55754 and CVE-2025-55752).
High-Risk Vulnerabilities Fixed in Patch Tuesday December 2025 Update
Microsoft rated six vulnerabilities as “Exploitation More Likely.” All six are rated 7.8 under CVSS 3.1, all six are local elevation-of-privilege flaws, and three of them are Heap-based Buffer Overflow vulnerabilities.
The six high-risk vulnerabilities are:
CVE-2025-59516, a 7.8-severity Windows Storage VSP Driver Elevation of Privilege vulnerability. The Missing Authentication for Critical Function flaw in Windows Storage VSP Driver could allow an authorized attacker to elevate privileges locally.
CVE-2025-59517, also a 7.8-rated Windows Storage VSP Driver Elevation of Privilege vulnerability. Improper access control in Windows Storage VSP Driver could allow an authorized attacker to elevate privileges locally.
CVE-2025-62454, a 7.8-rated Windows Cloud Files Mini Filter Driver Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in Windows Cloud Files Mini Filter Driver could allow an authorized attacker to elevate privileges locally.
CVE-2025-62458, a 7.8-severity Win32k Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in Windows Win32K – GRFX could allow an authorized attacker to elevate privileges locally.
CVE-2025-62470, a 7.8-rated Windows Common Log File System Driver Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in the Windows CLFS Driver could allow local privilege elevation by an authorized attacker.
CVE-2025-62472, a 7.8-severity Windows Remote Access Connection Manager Elevation of Privilege vulnerability. The use of uninitialized resource flaw in Windows Remote Access Connection Manager could allow an authorized attacker to elevate privileges locally.
High-Severity Office, Copilot, SharePoint Vulnerabilities also Fixed
The highest-rated vulnerabilities in the December 2025 Patch Tuesday update were rated 8.8, and there were three 8.4-severity vulnerabilities too. Despite the higher base scores, Microsoft rated all of them as less likely to be exploited than the six above.
The four 8.8-rated vulnerabilities are:
- CVE-2025-62549, a Windows Routing and Remote Access Service (RRAS) Remote Code Execution vulnerability
- CVE-2025-62550, an Azure Monitor Agent Remote Code Execution vulnerability
- CVE-2025-62456, a Windows Resilient File System (ReFS) Remote Code Execution vulnerability
- CVE-2025-64672, a Microsoft SharePoint Server Spoofing vulnerability
The three 8.4-severity vulnerabilities are:
- CVE-2025-64671, a GitHub Copilot for JetBrains Remote Code Execution vulnerability
- CVE-2025-62557, a Microsoft Office Remote Code Execution/Use After Free vulnerability
- CVE-2025-62554, a Microsoft Office Remote Code Execution/Type Confusion vulnerability
