Microsoft Patch Tuesday: 56 Bugs Fixed, Including Two Zero-Days


Microsoft has released its final security update of 2025, delivering patches for 56 security flaws across the Windows ecosystem. This latest Patch Tuesday also includes a high-risk vulnerability currently being exploited in the wild, making it an important update for all Windows users and enterprise administrators.

Out of the 56 vulnerabilities fixed, three are rated Critical and 53 are marked Important. Microsoft also confirmed that two vulnerabilities were publicly known before this update. The breakdown of the flaws includes 29 privilege escalation bugs, 18 remote code execution (RCE) issues, four information disclosure problems, three denial-of-service flaws, and two spoofing vulnerabilities.

With this release, Microsoft has now addressed 1,275 CVEs in 2025, continuing its trend of fixing more than 1,000 security flaws per year. According to security researchers at Fortra and Tenable, this is the second consecutive year and the third time overall that Microsoft has crossed the 1,000-CVE mark in a single year.

The December update also includes fixes for 17 security issues in Microsoft Edge, including a spoofing issue affecting Edge for iOS (CVE-2025-62223).

The highlight—and biggest concern—of this update is CVE-2025-62221, a use-after-free vulnerability in the Windows Cloud Files Mini Filter Driver. This flaw has a CVSS score of 7.8 and is confirmed to be under active exploitation.

This vulnerability allows attackers who already have basic access to a system to escalate privileges to SYSTEM level, giving them full control of the device.

The Cloud Files minifilter backs sync services such as OneDrive, Google Drive, and iCloud, but the driver ships with Windows and is present even when none of those apps is installed. Because it is built into Windows, the attack surface covers all supported Windows versions.

While Microsoft has not revealed how attackers are exploiting this flaw, experts warn that threat actors typically gain low-privileged access through:

  • Phishing emails

  • Browser exploits

  • Chaining another RCE vulnerability

  • Malware dropper attacks

Once they have initial access, they can use CVE-2025-62221 to elevate privileges and potentially install kernel-level components, deploy malicious drivers, and maintain long-term persistence. This makes the flaw especially dangerous for enterprise environments.

Due to the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patch by December 30, 2025.
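For a security team, the practical follow-up to a paragraph like the one above is to check which of the month's CVEs appear in KEV and how much time remains before the due date. The script below is an added example, not code from the article: it parses a KEV feed, indexes it by CVE, and triages a list of CVEs against it. The entry shape (`cveID`, `vendorProject`, `product`, `dueDate`) follows the public KEV JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, but the snapshot embedded here is constructed for offline use: it holds only the CVE the article says CISA added, with the due date the article gives, and its vendor and product strings are illustrative rather than copied from the live feed.

```python
"""Triage a Patch Tuesday CVE list against a snapshot of the CISA KEV catalog.

Added example; not code from the article. The snapshot below is constructed
for offline use and is not the real feed.
"""
import json
from datetime import date

# Constructed KEV snapshot. Assumption: vendorProject/product are illustrative;
# the CVE and dueDate are the ones the article reports.
KEV_SNAPSHOT_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-62221",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "dueDate": "2025-12-30",
        }
    ],
})

# The three Microsoft CVEs the article names.
PATCH_TUESDAY_CVES = ["CVE-2025-62221", "CVE-2025-54100", "CVE-2025-64671"]


def load_kev(feed_text: str) -> dict:
    """Parse a KEV feed (real or snapshot) and index its entries by CVE id."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def triage(cves, kev: dict, today_iso: str) -> list:
    """For each CVE, report whether it is in KEV and how many days remain until
    the KEV remediation due date (negative means overdue). KEV entries sort
    first, tightest deadline first, so the output reads as a work queue."""
    today = date.fromisoformat(today_iso)
    rows = []
    for cve in cves:
        entry = kev.get(cve)
        if entry is None:
            rows.append({"cve": cve, "in_kev": False, "due": None, "days_left": None})
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({"cve": cve, "in_kev": True, "due": due.isoformat(),
                     "days_left": (due - today).days})
    rows.sort(key=lambda r: (not r["in_kev"], r["days_left"] if r["in_kev"] else 0))
    return rows


if __name__ == "__main__":
    # Constructed "today": the day after the December 2025 Patch Tuesday release.
    kev_index = load_kev(KEV_SNAPSHOT_JSON)
    for row in triage(PATCH_TUESDAY_CVES, kev_index, "2025-12-10"):
        flag = "KEV" if row["in_kev"] else "   "
        print(f"{flag} {row['cve']} due={row['due']} days_left={row['days_left']}")
```

Against the real feed, replace `KEV_SNAPSHOT_JSON` with the downloaded file's contents and `"2025-12-10"` with the current date; the rest is unchanged.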

In addition to the actively exploited flaw, Microsoft also patched two zero-day vulnerabilities that were publicly known before the update.

1. CVE-2025-54100 – PowerShell Command Injection (CVSS 7.8)

This flaw allows attackers to run malicious code on a system if they can convince a user to execute a specially crafted PowerShell command—especially commands using Invoke-WebRequest.

Security researchers warn that attackers can easily exploit this vulnerability through social engineering, making it a high-risk issue for administrators and developers who often work with PowerShell scripts.

2. CVE-2025-64671 – GitHub Copilot for JetBrains Command Injection (CVSS 8.4)

This vulnerability affects the GitHub Copilot plugin for JetBrains IDEs and allows attackers to execute arbitrary code on the local machine. It is linked to a broader category of AI-related IDE vulnerabilities known as IDEsaster, recently highlighted by researchers.

These flaws occur when AI agents inside IDEs are manipulated using prompt injection attacks, causing them to unintentionally run unsafe commands or reveal sensitive information.

Security researcher Ari Marzouk, who reported the flaw, explained that multiple AI-powered IDEs—including Cursor, Kiro.dev, JetBrains Junie, Gemini CLI, Windsurf, and Roo Code—were found vulnerable to similar issues.


The rise of AI-enhanced IDEs has created new security concerns. These tools often blend AI agents with underlying system tools that can execute commands. Attackers exploit this connection using techniques such as:

  • Cross-prompt injection (manipulating prompts indirectly through files or external servers)

  • Bypassing allow-lists for command execution

  • Tricking AI agents into approving dangerous instructions
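The "bypassing allow-lists" item above is easiest to understand through the decision an agent harness makes before it runs a command. The following is an added example, not code from the article or from any of the IDEs it names: a hypothetical harness check in Python. `naive_allow` inspects only the first word, so a chained command passes on the strength of its allow-listed prefix; `strict_allow` tokenizes the line with the standard-library `shlex` module, rejects any shell control operator, redirection, or command substitution outside quotes, and only then compares the program name with the allow-list. The allow-list and the sample commands are constructed.

```python
"""Allow-list checks for commands an IDE agent proposes to run.

Added example, not from the article or from any IDE it names. It models the
decision a hypothetical agent harness makes before executing a command the
model proposed; the allow-list and sample commands are constructed.
"""
import shlex

# Constructed allow-list of programs the agent may invoke directly.
ALLOWED_PROGRAMS = {"git", "ls", "cat"}


def naive_allow(command: str) -> bool:
    """Prefix check only: looks at the first whitespace-delimited word.
    'git status; id' passes because its first word is allow-listed, which is
    the weakness the bypass technique relies on."""
    words = command.split()
    return bool(words) and words[0] in ALLOWED_PROGRAMS


def strict_allow(command: str) -> bool:
    """Tokenize like a POSIX shell and require that the whole line is a single
    invocation of an allow-listed program: no ; && || | & ( ) < > operators,
    no $( ) or backtick substitution, no embedded newlines. Operators inside
    quotes are data, not syntax, so `-m "fix; test"` is still accepted."""
    if "`" in command or "$(" in command or "\n" in command:
        return False
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # keep paths, flags and URLs as one token each
    try:
        tokens = list(lexer)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    if not tokens:
        return False
    # With punctuation_chars=True the lexer emits operator runs (";", "&&",
    # ">>", the ">&" in "2>&1") as separate tokens made only of punctuation.
    for token in tokens:
        if token and all(ch in lexer.punctuation_chars for ch in token):
            return False
    return tokens[0] in ALLOWED_PROGRAMS


if __name__ == "__main__":
    # Constructed sample commands: the chained one is the allow-list bypass.
    for cmd in ["git status", 'git commit -m "fix; test"', "git status; id", "ls | cat"]:
        print(f"{cmd!r:35} naive={naive_allow(cmd)!s:5} strict={strict_allow(cmd)}")
```

The strict check is still only one layer: it constrains the shape of the line, not what an allow-listed program does with its arguments, so `git` subcommands that run hooks or aliases need their own review.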

Microsoft rated the Visual Studio Code version of this vulnerability as Medium severity, but researchers warn that AI-driven development tools will remain a growing attack surface.

Microsoft is not alone. Over the past few weeks, many major technology companies have issued security updates to fix hundreds of vulnerabilities across hardware, software, cloud services, networking equipment, and mobile devices.

Affected vendors include:

Adobe, AWS, AMD, Arm, ASUS, Atlassian, Bosch, Broadcom, VMware, Canon, Cisco, Citrix, Dell, Drupal, F5, Fortinet, Fortra, GitLab, Google (Android, Chrome, Pixel), HP, IBM, Intel, Ivanti, Lenovo, Linux distributions, MediaTek, Mitsubishi Electric, MongoDB, Mozilla, NVIDIA, OPPO, Qualcomm, Samsung, SAP, Schneider Electric, Siemens, SolarWinds, Splunk, Synology, TP-Link, WatchGuard, Zoom, Zyxel, and many more.

With one actively exploited vulnerability and two other zero-days, this month’s Patch Tuesday is critical for:

  • Windows users

  • System administrators

  • Enterprise security teams

  • Developers using PowerShell and JetBrains IDEs

  • Organizations relying on Microsoft cloud and productivity tools

Applying patches as soon as possible is the best way to reduce risk and stay ahead of emerging threats.
