At a glance: December Patch Tuesday fixes 57 flaws, including an actively exploited Windows Cloud Files privilege-escalation bug (CVE-2025-62221) and two publicly disclosed issues in PowerShell (CVE-2025-54100) and GitHub Copilot for JetBrains IDEs (CVE-2025-64671). Two Critical Office RCEs (CVE-2025-62554, CVE-2025-62557) that can trigger from the Preview Pane are also patched. Prioritize the updates, starting with the actively exploited flaw.
Threat summary
On December 9, 2025, Microsoft released its Patch Tuesday security updates, addressing 57 vulnerabilities across Windows, Office, Exchange Server, and other components. One of the flaws is confirmed to be under active exploitation, and two others were publicly disclosed before a patch was available.
The actively exploited flaw, CVE-2025-62221, is a use-after-free vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys), a kernel-level component that synchronizes local files with cloud storage services such as OneDrive.
Successful exploitation gives a local attacker SYSTEM-level privileges. On its own it is a privilege-escalation bug, so it is most dangerous when chained with a separate code-execution flaw that gets the attacker onto the host in the first place, at which point it can lead to full system compromise. The vulnerability carries a CVSSv3 score of 7.8.
One of the flaws publicly disclosed before Microsoft issued a patch is CVE-2025-54100, a Windows PowerShell vulnerability. It was also rated with a CVSSv3 score of 7.8, and could enable command injection and arbitrary code execution.
The CVSS vector lists the attack vector as local (AV:L): the bug cannot be triggered over the network, and the attacker needs code or content to be processed on the target. In practice that means user interaction, such as a victim being tricked into downloading and opening a malicious file.
The other publicly known flaw, CVE-2025-64671, is a command injection vulnerability in GitHub Copilot for JetBrains integrated development environments (IDEs). It can bypass terminal auto-approve safeguards by embedding malicious commands into trusted contexts processed by Copilot.
Because auto-approve settings permit certain commands to run without confirmation, injected payloads execute silently. This creates a scenario where a developer could be socially engineered into opening a project file containing hidden instructions, resulting in unauthorized code execution that compromises developer workstations or CI/CD pipelines. This is a high-severity flaw, with a CVSSv3 score of 8.4.
Notably, two remote code execution vulnerabilities in Microsoft Office, tracked as CVE-2025-62554 and CVE-2025-62557, were rated Critical with CVSSv3 scores of 8.4. Exploitation relies on social engineering: a malicious Office document is delivered to a victim, and once Office renders it the threat actor gains code execution in the context of that user. The Preview Pane is listed as an attack vector, meaning the victim does not need to open the file; previewing it in Outlook or Explorer is enough.
Microsoft notes that patches for Office LTSC 2021 and Office LTSC 2024 for Mac were not available at the time of the December 2025 advisories and will be released once ready.
Insights & mitigations
Organizations should apply the December 2025 patches across Windows, Office, and Exchange environments as soon as possible, prioritizing CVE-2025-62221 due to its active exploitation.
Monitor for suspicious PowerShell activity and restrict the use of Invoke-WebRequest where possible to mitigate the risk of CVE-2025-54100.
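The two checks above (has the December update landed on this host, and is anyone using Invoke-WebRequest in a way worth a second look) can be scripted. The following PowerShell is an added example written for this page, not Field Effect tooling or anything from Microsoft's advisory. It assumes the fixed cldflt.sys version and KB number are looked up in Microsoft's advisory by the operator (they are not reproduced here), that PowerShell script block logging (event ID 4104) is enabled, and that it is run from an elevated session.

```powershell
# Added example for this advisory: patch-status triage for CVE-2025-62221 and
# a hunt for Invoke-WebRequest use in PowerShell logs (CVE-2025-54100 mitigation).
# Assumptions: run elevated; script block logging (event 4104) is enabled;
# the patched driver version / KB comes from Microsoft's advisory (not embedded here).

function Get-CldfltStatus {
    param(
        # December 2025 Patch Tuesday date from the advisory.
        [datetime]$PatchTuesday = [datetime]'2025-12-09'
    )
    $driver  = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    $version = (Get-Item $driver -ErrorAction Stop).VersionInfo.ProductVersion
    # Get-HotFix reports installed updates; a cumulative update installed on or
    # after Patch Tuesday is the signal we want. Some entries have no InstalledOn,
    # and those compare as $false here.
    $recent = @(Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchTuesday })
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        CldfltVersion   = $version          # compare with the fixed version in the advisory
        UpdatesSincePT  = ($recent | ForEach-Object HotFixID) -join ','
        LikelyUnpatched = ($recent.Count -eq 0)
    }
}

function Enable-ScriptBlockLogging {
    # Policy key Windows reads for script block logging (real key, documented by Microsoft).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

function Find-WebRequestScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # curl/wget are aliases of Invoke-WebRequest in Windows PowerShell 5.1.
    $cmdlet = '\b(Invoke-WebRequest|iwr|curl|wget)\b'
    # Download piped straight into Invoke-Expression is the classic dropper shape.
    $piped  = "$cmdlet[^|]*\|\s*(iex|Invoke-Expression)\b"
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[2] of event 4104 is ScriptBlockText; [4] is the script path.
            $text = [string]$_.Properties[2].Value
            if ($text -match $cmdlet) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Path       = $_.Properties[4].Value
                    PipedToIEX = [bool]($text -match $piped)
                    Snippet    = $text.Substring(0, [Math]::Min(160, $text.Length))
                }
            }
        } | Sort-Object PipedToIEX -Descending
}

# Usage:
Get-CldfltStatus | Format-List
Find-WebRequestScriptBlocks -Hours 24 | Format-Table -AutoSize
```

`LikelyUnpatched` is only a hint: it says no update has been installed since Patch Tuesday, not that the driver is the vulnerable build, so confirm `CldfltVersion` against the advisory before raising a ticket. The hunt deliberately surfaces every Invoke-WebRequest use and sorts the download-into-`iex` pattern to the top; expect benign admin scripts in the list and tune from there.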
For CVE-2025-64671, disable auto-approve features in developer environments, enforce strict separation between trusted and untrusted inputs, and monitor for unusual command execution. We also recommend reviewing endpoint detection and response logs for privilege escalation attempts, applying least privilege principles, and conducting awareness training to reduce risks from social engineering.
In addition to applying security updates, mitigations for CVE-2025-62554 and CVE-2025-62557 include monitoring email gateways and endpoint detection systems for malicious Office attachments exploiting the Preview Pane, disabling or restricting Preview Pane functionality where operationally feasible, and reinforcing user awareness training to reduce social engineering risks.
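Where restricting the Preview Pane is feasible, the change is two registry values. The script below is an added example for this page, not configuration from Microsoft or Field Effect. It assumes the Explorer preview pane is controlled by `ShowPreviewHandlers` under the user's Explorer\Advanced key and that Outlook's "Turn off Attachment Preview" policy is backed by `DisableAttachmentPreviewing` under the Office 16.0 Outlook policy key; verify both value names against the ADMX templates in your environment before pushing them through GPO.

```powershell
# Added example: compensating control for CVE-2025-62554 / CVE-2025-62557 by
# turning off preview rendering of documents in Explorer and Outlook.
# Assumed registry locations (verify against your ADMX templates):
#   Explorer preview pane : HKCU\...\Explorer\Advanced\ShowPreviewHandlers = 0
#   Outlook attachment preview (policy) :
#       HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail\DisableAttachmentPreviewing = 1
# Applies to the current user; deploy via logon script or GPO for fleet coverage.

$PreviewSettings = @(
    @{ Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name  = 'ShowPreviewHandlers'
       Value = 0 }
    @{ Path  = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail'
       Name  = 'DisableAttachmentPreviewing'
       Value = 1 }
)

function Set-PreviewPaneOff {
    foreach ($s in $PreviewSettings) {
        # Policy keys often do not exist until a policy has been applied.
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

function Test-PreviewPaneOff {
    # Returns one row per setting so the output can feed a compliance report.
    foreach ($s in $PreviewSettings) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting   = $s.Name
            Expected  = $s.Value
            Actual    = $actual
            Compliant = ($actual -eq $s.Value)
        }
    }
}

# Usage: apply, then verify. Explorer and Outlook pick the change up on restart.
Set-PreviewPaneOff
Test-PreviewPaneOff | Format-Table -AutoSize
```

Run `Test-PreviewPaneOff` on its own from your endpoint management tool to audit hosts without changing them. Note that this only stops the preview path; a user who double-clicks the attachment still opens it in Office, so the control belongs alongside the patch and the mail-gateway filtering described above, not in place of them.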
For organizations using Microsoft Office LTSC for Mac 2021 and 2024 where patches are not yet available, compensating controls such as limiting external document handling, isolating high‑risk workloads, and closely monitoring for abnormal Office behavior are recommended until updates are released.
Field Effect MDR monitors for vulnerabilities such as these 24/7. By correlating network traffic, endpoint behavior, and indicators of compromise, Field Effect MDR detects and blocks exploit attempts, flagging anomalies such as malformed requests, suspicious outbound connections, or unauthorized privilege changes.
Field Effect MDR clients will receive an ARO alert identifying any instances vulnerable to the noted flaws, with remediation guidance.