Three Zero Days And A Christmas Timebomb: December Patch Tuesday Will Hurt If You Ignore It

Microsoft's final Patch Tuesday of 2025 addresses 57 vulnerabilities, including three zero-day flaws. One is confirmed as actively exploited. With the next security update not arriving until 13 January 2026, businesses face a five-week exposure window over the holiday period when IT teams operate at reduced capacity.

This analysis covers the critical vulnerabilities requiring immediate attention and provides deployment priorities for small and mid-sized businesses.

Understanding the December Timeline

Patch Tuesday typically follows a four-week cycle. December 2025 creates a five-week gap due to calendar positioning. The next update arrives on 13 January 2026.

Microsoft confirmed there will be no optional preview updates in December as engineering teams take holiday leave. This means accumulated fixes from the extended period will appear in January's release, potentially creating a larger-than-normal update cycle.

For businesses, this timeline makes December patching more critical than usual. Any unpatched vulnerability discovered or exploited during this period cannot be officially addressed until mid-January.

CVE-2025-62221: The Actively Exploited Priority

The most critical vulnerability in December's release is CVE-2025-62221, affecting the Windows Cloud Files Mini Filter Driver. Microsoft confirmed active exploitation in the wild.

Technical details:

• CVSS score: 7.8 (High)

• Vulnerability type: Use-after-free leading to elevation of privilege

• Attack complexity: Low

• Privileges required: Low

• User interaction: None required

Affected systems:

• Windows 10 (version 1809 and later)

• Windows 11 (all versions)

• Windows Server 2019, 2022, and 2025

The vulnerability allows an authenticated user with low-level privileges to trigger a memory corruption condition in the Cloud Files driver. This component manages OneDrive and other cloud storage integration at the kernel level. Successful exploitation grants SYSTEM-level access, representing complete control over the affected device.

Microsoft's Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) teams discovered the vulnerability but have not disclosed exploitation details. Security vendors including Check Point have released detection signatures, confirming functional exploit code exists.

CISA added CVE-2025-62221 to the Known Exploited Vulnerabilities catalogue with a remediation deadline of 30 December 2025 for federal agencies. This designation indicates confirmed real-world attacks.

The Cloud Files driver operates in kernel mode, meaning any successful exploit instantly elevates to kernel privileges. Attackers can use this to bypass security controls, defeat exploit mitigations, and establish persistence. Security teams should treat any local access to unpatched systems as potential full compromise.

Deployment priority: Emergency. Patch immediately.

Two Publicly Disclosed Zero-Days

December's release includes two additional zero-day vulnerabilities. Neither is confirmed as exploited, but both were publicly disclosed before patches became available.

CVE-2025-64671: GitHub Copilot Command Injection

Vulnerability details:

• Affected product: GitHub Copilot for JetBrains IDEs

• CVSS score: 8.4 (High)

• Type: Command injection

• Exploitation assessment: Less Likely

Security researcher Ari Marzuk reported this vulnerability as part of the "IDEsaster" research into AI-powered development environment security. The flaw allows malicious cross-prompt injection through untrusted files or Model Context Protocol (MCP) servers.

When terminal auto-approve settings are enabled, attackers can append unauthorised commands to existing approved commands. This turns the AI coding assistant into a potential remote code execution vector. Proof-of-concept code exists.

Businesses using GitHub Copilot with JetBrains development tools should update immediately and review terminal approval configurations.

CVE-2025-54100: PowerShell Web Content Execution

Vulnerability details:

• Affected product: Windows PowerShell

• CVSS score: 7.8 (High)

• Type: Command injection

• Exploitation assessment: Less Likely

This vulnerability affects the Invoke-WebRequest cmdlet. After patching, PowerShell displays a confirmation prompt warning users about script execution risks when retrieving web content. Microsoft published KB5074596 detailing how PowerShell 5.1 now prevents automatic script execution from web sources.

Exploitation requires social engineering. Attackers must convince users to download and execute malicious files or run crafted PowerShell commands. While user interaction is required, phishing campaigns regularly achieve this.

Businesses using PowerShell automation should apply updates and test scripts for compatibility with the new security behaviour.

Critical Office Remote Code Execution

Two Microsoft Office vulnerabilities received Critical severity ratings despite CVSS scores of 8.4 (technically High severity). Microsoft assigns Critical ratings when exploitation scenarios present particular concern.

CVE-2025-62554 and CVE-2025-62557:

• Type: Type confusion and use-after-free

• Impact: Remote code execution

• Attack vector: Malicious Office documents

The significant risk factor is that the Preview Pane constitutes an attack vector. Users do not need to open documents fully. Simply selecting a malicious attachment in Outlook's preview window can trigger exploitation in worst-case scenarios.

The Zero Day Initiative confirmed that viewing email with these attachments could execute code without any clicking required.

Mitigation options:

1. Apply Office security updates across all devices (recommended)

2. Disable Preview Pane in Outlook as temporary control if immediate patching is not possible

Finance and legal teams that process high volumes of email attachments face elevated risk from these vulnerabilities.

The Full Microsoft December Release

Microsoft addressed 57 unique CVEs in December 2025, down from 63 in November. Including Edge updates released earlier in the month, the total reaches 72 vulnerabilities.

Breakdown by severity:

• 3 Critical (remote code execution)

• 28 Important (elevation of privilege)

• Remaining: Information disclosure, denial of service, spoofing

2025 annual statistics: Microsoft patched 1,139 vulnerabilities across 2025, making it one of the busiest years on record. This averages 95 vulnerabilities per month. October 2025 saw the largest single release with 172 fixes including six zero-days.

Recurring patterns:

• Elevation of privilege vulnerabilities dominate

• Office products remain a consistent attack surface

• Windows kernel components (particularly Win32k) appear frequently

• Cloud storage and file system drivers show repeated vulnerabilities

The emergence of AI-integrated development tools has created new attack surfaces, as demonstrated by the GitHub Copilot vulnerability. As automation and AI assistance expand, command injection through prompt manipulation represents a growing risk category.

Adobe's 139 Vulnerability Release

Adobe released five security bulletins addressing 139 unique CVEs across multiple products:

• Adobe Reader

• Adobe ColdFusion

• Adobe Experience Manager

• Adobe Creative Cloud Desktop

• Adobe DNG Software Development Kit

Notable fixes:

Adobe Experience Manager: 117 vulnerabilities, with 116 classified as cross-site scripting (XSS). Two received Critical severity ratings (CVE-2025-64537 and CVE-2025-64539, CVSS 9.3) for DOM-based XSS.

Adobe ColdFusion: 12 vulnerabilities, several rated Critical for arbitrary code execution. Adobe assigned Priority 1 deployment status. Affected versions include ColdFusion 2025 (update 5), 2023 (update 7), and 2021 (update 23).

ColdFusion has significant historical precedent in breach reports, particularly for internet-facing servers. The Zero Day Initiative emphasised that code execution scenarios warrant immediate attention.

Adobe Reader: 4 CVEs with 2 leading to code execution DNG SDK: 4 CVEs with 1 code execution vulnerability
Creative Cloud Desktop: 1 Important-rated vulnerability

Adobe reports no evidence of active exploitation for any December vulnerabilities. Priority 1 classification for ColdFusion and Experience Manager updates indicates Adobe's concern about exploitation potential.

Other Vendor Security Updates

Google Android: December security bulletin addresses over 100 issues including two actively exploited vulnerabilities. Businesses using Android devices in corporate environments should verify update deployment.

Ivanti: December updates include a 9.6 CVSS stored cross-site scripting vulnerability in Ivanti Endpoint Manager.

Fortinet: Patches address multiple products including a Critical authentication bypass in FortiCloud SSO. Authentication bypass vulnerabilities allow unauthorised access without credentials.

React Server Components: Fixes address a Critical remote code execution flaw designated React2Shell. Multiple sources report widespread exploitation already occurring.

SAP: December security notes include:

• 9.9 CVSS code injection vulnerability in SAP Solution Manager

• 9.6 CVSS vulnerability in SAP Commerce Cloud

SAP environments require immediate review of December security notes.

Deployment Priority for Small Businesses

Recommended deployment order for businesses with limited IT resources:

Priority 1 - Emergency: Deploy December Windows security updates to all Windows 10, Windows 11, and Windows Server systems. CVE-2025-62221 affects every supported version. CISA's 30 December deadline provides guidance on urgency.

Windows 10 systems require enrolment in Extended Security Updates (ESU) programme to receive patches. Unenrolled systems remain exposed.

Priority 2 - Critical: Apply Microsoft Office updates across all devices. Preview Pane exploitation makes email itself an attack vector.

Priority 3 - High:

• Update GitHub Copilot for JetBrains if deployed

• Review and restrict terminal auto-approve settings

• Apply PowerShell updates

• Test automation scripts for compatibility with new Invoke-WebRequest behaviour

Priority 4 - Important:

• Update Adobe products, particularly ColdFusion and internet-facing Experience Manager installations

• Apply vendor updates for Ivanti, Fortinet, SAP, and React applications if used

Priority 5 - General Security Hygiene:

• Audit local administrator rights on Windows systems

• Fewer users with elevated privileges reduces impact of future privilege escalation vulnerabilities

• Configure endpoint protection and EDR solutions to detect privilege escalation attempts

• Monitor for anomalous driver activity and kernel-level events

Testing and Deployment Considerations

Test updates in non-production environments where possible. The five-week gap until January's patches means exploitation attempts have extended time to succeed on unpatched systems.

PowerShell behaviour changes may affect existing automation. Allocate time for script testing and adjustment.

Businesses planning Windows deployments or migrations during the holiday period must factor December updates into build processes. New systems require security patches before production deployment.

Verify backup systems are current and test restore procedures. Ensure monitoring and alerting systems function correctly. The extended period until January's patches means any compromise has more time to propagate before the next security update cycle.

Five-Week Exposure Window

The gap between December and January Patch Tuesday releases creates specific risks:

Extended exploitation opportunity: Attackers have additional time to reverse-engineer patches and develop exploits for newly disclosed vulnerabilities.

Scanning for unpatched systems: Criminal groups systematically scan for systems lacking security updates. A five-week window provides extended opportunity for discovery and exploitation.

Reduced IT coverage: Holiday periods typically operate with skeleton technical staff. Response capability decreases while exploitation opportunity increases.

CVE-2025-62221's confirmed active exploitation makes this timing particularly concerning. Any unpatched Windows system entering the five-week gap carries elevated compromise risk.

Summary and Next Steps

December 2025 Patch Tuesday addresses 57 Microsoft vulnerabilities including three zero-days. One Windows privilege escalation vulnerability (CVE-2025-62221) is confirmed as actively exploited. The five-week gap until the next Patch Tuesday on 13 January 2026 extends potential exposure during the holiday period.

Critical actions:

1. Deploy Windows updates immediately for CVE-2025-62221

2. Apply Microsoft Office patches to address Preview Pane exploitation risks

3. Update GitHub Copilot and PowerShell if deployed

4. Apply Adobe updates, particularly ColdFusion Priority 1 fixes

5. Review and restrict local administrator privileges

CISA's Known Exploited Vulnerabilities catalogue inclusion provides clear guidance on urgency. The 30 December deadline reflects the serious nature of the actively exploited Windows vulnerability.

Businesses entering the holiday period with unpatched systems face unnecessary and elevated risk. Schedule deployments now while technical staff remain available for testing and troubleshooting.