Analysis of Microsoft Patch Tuesday updates - December 2025

Executive Summary

On Tuesday, 09 December 2025, Microsoft released its monthly security patch addressing 57 vulnerabilities in its products.

By vulnerability type:

  • Remote Code Execution - 19;
  • Elevation of Privilege - 28;
  • Spoofing - 3;
  • Denial of Service - 3;
  • Information Disclosure - 4.

Exploited (Zero-Days) and Publicly Disclosed Vulnerabilities

Special attention should be paid to the following 3 vulnerabilities. Fixing them is the highest priority:

  • CVE-2025-54100 (CVSS 7.8; Remote Code Execution) - PowerShell Remote Code Execution Vulnerability (Remote Code Execution). A command-injection vulnerability in Windows PowerShell that allows arbitrary code execution on the target system. The issue lies in the web-content parsing mechanism used by the Invoke-WebRequest cmdlet (which by default uses the Internet Explorer engine), which may unintentionally execute malicious scripts embedded in a downloaded web page. User interaction is required for a successful attack.
  • CVE-2025-62221 (CVSS 7.8; Elevation of Privilege) - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability (Elevation of Privilege). A Use-After-Free vulnerability in the Windows Cloud Files Mini Filter driver. Successful exploitation allows a local authenticated attacker to elevate privileges to SYSTEM.
  • CVE-2025-64671 (CVSS 8.4; Remote Code Execution) - GitHub Copilot for Jetbrains Remote Code Execution Vulnerability (Remote Code Execution). A vulnerability that allows arbitrary code execution on the victim's local machine. The issue is classified as Command Injection and is exploited via the "Cross Prompt Injection" technique. An attacker can use untrusted files or MCP servers to add malicious instructions to commands that are allowed in the user's terminal auto-approval settings.

General overview and trends

December 2025 Patch Tuesday closes out the year with a mid-sized release: Microsoft fixed 57 vulnerabilities. By number of fixes, this month is comparable to November (63); however, the threat level remains high due to an actively exploited vulnerability and public disclosures. Key trends this month:

  • The central event is the presence of three high-impact issues. A vulnerability in the Windows Cloud Files Mini Filter driver (CVE-2025-62221) is already being exploited in the wild for privilege escalation. In addition, exploitation details for the PowerShell and GitHub Copilot RCE vulnerabilities have been publicly disclosed, making them attractive targets for attackers in the coming days.
  • A significant portion of the updates (more than 10 CVEs) addresses remote code execution (RCE) vulnerabilities in Microsoft Office products—Word, Excel, Outlook, and Access. This indicates a high risk of attacks via malicious documents and phishing campaigns targeting end users.
  • System drivers and file systems: The trend of hardening the kernel and drivers continues. Privilege escalation vulnerabilities were fixed in ReFS, Projected File System, Storage VSP, and Cloud Files Mini Filter. Because these components operate at a low level, flaws in them are often used to fully take over a system after an initial compromise.
  • Developer tools and AI security: Following previous months, Microsoft again fixes vulnerabilities in developer tooling. The RCE in GitHub Copilot for JetBrains (CVE-2025-64671) highlights a new attack vector through development environments (IDEs) and AI extensions that have access to sensitive code and internal networks.

Full List of Vulnerabilities

Below is a table with all vulnerabilities fixed this month.

CVE | Title | Type | CVSS | Severity | Exploited | Publicly Disclosed
CVE-2025-64671 | GitHub Copilot for Jetbrains Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Remote Code Execution | No | Yes
CVE-2025-54100 | PowerShell Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Remote Code Execution | No | Yes
CVE-2025-62221 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | Yes | No
CVE-2025-62456 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Remote Code Execution | No | No
CVE-2025-62549 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Remote Code Execution | No | No
CVE-2025-62550 | Azure Monitor Agent Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Remote Code Execution | No | No
CVE-2025-64672 | Microsoft SharePoint Server Spoofing Vulnerability | Spoofing | 8.8 | Spoofing | No | No
CVE-2025-64678 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | Remote Code Execution | No | No
CVE-2025-62554 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Remote Code Execution | No | No
CVE-2025-62557 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | Remote Code Execution | No | No
CVE-2025-55233 | Windows Projected File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-59516 | Windows Storage VSP Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-59517 | Windows Storage VSP Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-62454 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-62455 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-62457 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-62458 | Win32k Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-62461 | Windows Projected File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-62462 | Windows Projected File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-62464 | Windows Projected File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-62466 | Windows Client-Side Caching Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-62467 | Windows Projected File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-62470 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-62472 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-62474 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-62552 | Microsoft Access Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Remote Code Execution | No | No
CVE-2025-62553 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Remote Code Execution | No | No
CVE-2025-62556 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Remote Code Execution | No | No
CVE-2025-62558 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Remote Code Execution | No | No
CVE-2025-62559 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Remote Code Execution | No | No
CVE-2025-62560 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Remote Code Execution | No | No
CVE-2025-62561 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Remote Code Execution | No | No
CVE-2025-62562 | Microsoft Outlook Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Remote Code Execution | No | No
CVE-2025-62563 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Remote Code Execution | No | No
CVE-2025-62564 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | Remote Code Execution | No | No
CVE-2025-62571 | Windows Installer Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-62572 | Application Information Service Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-64661 | Windows Shell Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-64673 | Windows Storage VSP Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-64679 | Windows DWM Core Library Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-64680 | Windows DWM Core Library Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Elevation of Privilege | No | No
CVE-2025-64658 | Windows File Explorer Elevation of Privilege Vulnerability | Elevation of Privilege | 7.5 | Elevation of Privilege | No | No
CVE-2025-64666 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Elevation of Privilege | 7.5 | Elevation of Privilege | No | No
CVE-2025-62565 | Windows File Explorer Elevation of Privilege Vulnerability | Elevation of Privilege | 7.3 | Elevation of Privilege | No | No
CVE-2025-62570 | Windows Camera Frame Server Monitor Information Disclosure Vulnerability | Information Disclosure | 7.1 | Information Disclosure | No | No
CVE-2025-62469 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Elevation of Privilege | No | No
CVE-2025-62555 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | 7.0 | Remote Code Execution | No | No
CVE-2025-62569 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Elevation of Privilege | No | No
CVE-2025-62573 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | 7.0 | Elevation of Privilege | No | No
CVE-2025-62463 | DirectX Graphics Kernel Denial of Service Vulnerability | Denial of Service | 6.5 | Denial of Service | No | No
CVE-2025-62465 | DirectX Graphics Kernel Denial of Service Vulnerability | Denial of Service | 6.5 | Denial of Service | No | No
CVE-2025-62473 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | 6.5 | Information Disclosure | No | No
CVE-2025-64670 | Windows DirectX Information Disclosure Vulnerability | Information Disclosure | 6.5 | Information Disclosure | No | No
CVE-2025-62567 | Windows Hyper-V Denial of Service Vulnerability | Denial of Service | 5.3 | Denial of Service | No | No
CVE-2025-64667 | Microsoft Exchange Server Spoofing Vulnerability | Spoofing | 5.3 | Spoofing | No | No
CVE-2025-62468 | Windows Defender Firewall Service Information Disclosure Vulnerability | Information Disclosure | 4.4 | Information Disclosure | No | No
CVE-2025-62223 | Microsoft Edge (Chromium-based) for Mac Spoofing Vulnerability | Spoofing | 4.3 | Spoofing | No | No

Retrospective vulnerability analysis

  • CVE-2025-54914 — Azure Networking Elevation of Privilege Vulnerability (Elevation of Privilege). A vulnerability in Azure's networking infrastructure that allows creating malicious routes in virtual networks, potentially leading to traffic interception and bypass of security controls. A publicly available exploit ("Azure Route Exploit") exists for this vulnerability, with extended functionality for automation and stealth. Microsoft fixed the issue on the cloud infrastructure side in September 2025.
  • CVE-2025-55241 — Azure Entra ID Elevation of Privilege Vulnerability (Elevation of Privilege). A critical vulnerability that could have compromised virtually any Entra ID tenant worldwide. The issue stemmed from a validation flaw in the legacy Azure AD Graph API: it did not verify that the tenant issuing the special "Actor token" (an inter-service communication token) matched the tenant being queried. This allowed an attacker, using a token from their own tenant, to act on behalf of any user—including Global Admin—in any other tenant, bypassing all security policies, including Conditional Access. Details were disclosed in a researcher's article titled "One Token to rule them all". Microsoft fixed the issue on its side in September 2025.
  • CVE-2025-59501 — Microsoft Configuration Manager Spoofing Vulnerability (Spoofing). An authentication bypass vulnerability that occurs when Configuration Manager is integrated with Microsoft Entra ID. An attacker can change the User Principal Name (UPN) of a cloud account to impersonate an Active Directory user that is not synchronized to the cloud. Successful exploitation allows unauthorized access to the AdminService API and elevation of privileges to Full Administrator in the SCCM hierarchy. A PoC is available on GitHub, which automates token acquisition and server takeover. The vulnerability was fixed in October 2025.
  • CVE-2025-60710 — Host Process for Windows Tasks Elevation of Privilege Vulnerability (Elevation of Privilege). A privilege escalation vulnerability affecting the Windows AI Recall component (the “Recall” feature). The issue is a logic flaw (Link Following) during directory cleanup by the Task Scheduler (taskhostw.exe). The published PoC demonstrates the use of an undocumented WNF (Windows Notification Facility) mechanism to force a task to run and exploit a race condition using OpLock. This allows an attacker to redirect the deletion operation to an arbitrary system file and gain SYSTEM privileges. The vulnerability was fixed in November 2025.
  • CVE-2025-60719 — Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (Elevation of Privilege). A vulnerability in the afd.sys driver, which implements the Winsock API, that allows a local attacker to elevate privileges to SYSTEM. The issue is a classic race condition leading to a Use-After-Free when one thread requests socket information (for example, via AfdGetInformation) while another thread closes the socket at the same time. Akamai researchers published a detailed technical analysis of the exploitation logic. The vulnerability was fixed in November 2025.

Conclusion

The December security update requires heightened vigilance from IT administrators despite the moderate overall number of patches. The presence of an actively exploited vulnerability and issues in widely used tools (PowerShell, Office) creates serious risks. Priority should be given to immediately installing updates for the following vulnerabilities:

  • Actively exploited CVE-2025-62221 (Windows Cloud Files Mini Filter, EoP), to deny attackers a privilege-escalation path.
  • Publicly disclosed CVE-2025-54100 (PowerShell, RCE) and CVE-2025-64671 (GitHub Copilot, RCE), since information on how to exploit them is already publicly available.

The second wave of updates should cover user workstations with Microsoft Office installed, to minimize the risks associated with opening malicious files. Also, do not forget about servers running RRAS, which remain a consistent target for RCE attacks.

It is strongly recommended to review the section "Retrospective vulnerability analysis": the emergence of public exploits and detailed write-ups for critical vulnerabilities in Azure, SCCM and Windows Recall, patched in the fall, makes updating infrastructure mandatory to protect against attacks that leverage already known vectors.
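The prioritization above (actively exploited first, then publicly disclosed, then Office RCEs and RRAS servers, then everything else by CVSS) is easy to apply by hand to three CVEs but error-prone across a 57-row table. The following script is an added example, not code from the original post: it encodes that triage order and runs it over a subset of rows copied from the table above. The input format (pipe-delimited rows) and the wave numbering are assumptions made for the example.

```python
"""Triage a Patch Tuesday vulnerability list into deployment waves.

Added example (not part of the original analysis). Wave 1 = actively
exploited or publicly disclosed; wave 2 = Office RCEs and RRAS;
wave 3 = everything else. Within a wave, exploited issues come first,
then higher CVSS.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed input: a subset of the December 2025 table, pipe-delimited.
# Columns: CVE | Title | Type | CVSS | Exploited | Publicly Disclosed
SAMPLE_TABLE = """\
CVE-2025-64671 | GitHub Copilot for Jetbrains Remote Code Execution Vulnerability | Remote Code Execution | 8.4 | No | Yes
CVE-2025-54100 | PowerShell Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | No | Yes
CVE-2025-62221 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | Yes | No
CVE-2025-62456 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | No | No
CVE-2025-62549 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Remote Code Execution | 8.8 | No | No
CVE-2025-62553 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | 7.8 | No | No
CVE-2025-62458 | Win32k Elevation of Privilege Vulnerability | Elevation of Privilege | 7.8 | No | No
CVE-2025-62223 | Microsoft Edge (Chromium-based) for Mac Spoofing Vulnerability | Spoofing | 4.3 | No | No
"""

# Products the post groups under "Office" for the second wave.
OFFICE_PRODUCTS = ("Microsoft Office", "Microsoft Word", "Microsoft Excel",
                   "Microsoft Outlook", "Microsoft Access")


@dataclass(frozen=True)
class Vuln:
    cve: str
    title: str
    vtype: str
    cvss: float
    exploited: bool
    disclosed: bool


def parse_table(text: str) -> list[Vuln]:
    """Parse pipe-delimited rows; blank lines are ignored."""
    vulns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cve, title, vtype, cvss, exploited, disclosed = [c.strip() for c in line.split("|")]
        vulns.append(Vuln(cve, title, vtype, float(cvss),
                          exploited == "Yes", disclosed == "Yes"))
    return vulns


def wave(v: Vuln) -> int:
    """Assign a deployment wave: lower number means patch sooner."""
    if v.exploited or v.disclosed:
        return 1
    office_rce = v.vtype == "Remote Code Execution" and v.title.startswith(OFFICE_PRODUCTS)
    if office_rce or "(RRAS)" in v.title:
        return 2
    return 3


def triage(text: str) -> list[tuple[int, str, float]]:
    """Return (wave, cve, cvss) ordered by wave, exploited first, then CVSS desc."""
    ranked = sorted(parse_table(text),
                    key=lambda v: (wave(v), 0 if v.exploited else 1, -v.cvss, v.cve))
    return [(wave(v), v.cve, v.cvss) for v in ranked]


def wave_summary(text: str) -> dict[int, list[str]]:
    """Group CVE ids by wave, preserving triage order inside each wave."""
    out: dict[int, list[str]] = {}
    for w, cve, _ in triage(text):
        out.setdefault(w, []).append(cve)
    return out


if __name__ == "__main__":
    for w, cve, cvss in triage(SAMPLE_TABLE):
        print(f"wave {w}  {cve}  CVSS {cvss}")
```

Run on the full table, the same rules put the three headline CVEs at the top, then the Office and RRAS rows, and leave the remaining kernel and driver EoPs ordered by CVSS for the third wave; adjusting `OFFICE_PRODUCTS` or the RRAS match is the natural place to encode what is actually deployed in a given environment.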