The Small Business Cyber Security Guy
⭐100K+ Monthly Downloads | ⭐Top 20 Apple Management | 🎧>2.5K per episode
Welcome to the blog and podcast, where we share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.
Everything here is personal. These are my and the team’s thoughts, not those of our employers, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.
What you’ll get here (and on the podcast):
Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)
I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.
This blog and the podcast are where we unpack it all. Pull up a chair.
Three Zero Days And A Christmas Timebomb: December Patch Tuesday Will Hurt If You Ignore It
December 2025 Patch Tuesday is supposed to be the quiet cruise into Christmas, right? Instead we got fifty-seven vulnerabilities, three zero days and one actively exploited Windows privilege escalation that hits almost every supported build.
Add in one hundred and thirty-nine Adobe fixes and an awkward five-week gap until the next Patch Tuesday in January and you have a perfect festive storm.
Are you really happy to leave servers and laptops unpatched while everyone is on holiday, or do you want to start 2026 without starring in a breach headline? What does your patch plan look like this week?
November 2025 Patch Tuesday: A Perfect Storm of Critical Vulnerabilities Demands Immediate Action
Four zero-days. One perfect 10.0 severity score. Hundreds of thousands of sites already compromised.
Criminals are exploiting Exchange Servers, Magento shops, and Oracle ERP systems right now - whilst you're reading this. SAP's vulnerability was so bad they deleted the entire component rather than fix it. WordPress sites are falling to a plugin bug that shouldn't exist. And that's just November.
Your patching strategy just became a lot more urgent.
Graham Falkner breaks down what to patch first:
September 2025 Patch Tuesday: Business Risk Assessment and Compliance Timeline
September’s Microsoft Patch Tuesday isn't just another routine update cycle. With 81 vulnerabilities patched including 9 critical flaws, and active exploitation campaigns already targeting SharePoint servers, this represents significant business risk. Cyber Essentials certified organisations have until September 23rd to deploy updates, but waiting 14 days significantly increases risk exposure. The psychological tendency to defer technical updates creates dangerous security gaps. From authentication bypass vulnerabilities to network storage compromise, these aren't theoretical risks: they're operational realities affecting business continuity, regulatory compliance, and cyber insurance validity. Strategic deployment planning starts now.
Windows 11’s April Update Quietly Installs Web Server Folder – Because Why the F*** Not?
Microsoft’s April 2025 Windows 11 update (KB5036893) has pulled a fast one, quietly creating a C:\inetpub folder on machines that have never had IIS installed. No changelog entry. No heads-up. Just a mysterious web server directory suddenly appearing across the fleet. Whether you’re managing personal laptops or enterprise desktops, this isn’t just clutter—it’s a potential security red flag.
IT pros are furious, forums are lighting up, and Microsoft? Silent. Again. If you thought updates couldn’t get worse, think again.
Here’s why this bizarre move should have every sysadmin on high alert and reaching for the patch rollback button.
Microsoft Accidentally Nukes Copilot – Because Of Course They Did
Just when you thought Microsoft couldn't top their Exchange meltdown, they go full send and accidentally delete their own AI assistant from Windows 11. No warning, no prompt—just poof. Gone. It's as if someone at Redmond duct-taped down the ‘F**k Around and Find Out’ button and walked away.
What’s next? Windows Update deciding Task Manager is ‘problematic’? Edge forcibly replacing all your passwords with ‘BingLovesYou123’? Buckle up—because this one’s a mess. Read on and prepare to rage.
⚠️ Full Disclaimer
This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:
My employer
Any current or past clients, suppliers, or partners
Any other organisation I’m affiliated with in any capacity
Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.
Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.
In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.