Microsoft Patch Tuesday December 2025
Microsoft has rolled out its final Patch Tuesday updates of 2025, delivering fixes for 57 vulnerabilities across its ecosystem. Among these are three zero-day issues, one actively exploited in the wild and two publicly disclosed, alongside a trio of Critical-rated remote code execution risks.
Here’s how the numbers break down across vulnerability categories:
- 28 Elevation of Privilege
- 19 Remote Code Execution
- 4 Information Disclosure
- 3 Denial of Service
- 2 Spoofing
These figures reflect only the patches released by Microsoft today. They do not include previously issued updates for Microsoft Edge or other products addressed earlier this month.
Actively Exploited and Publicly Disclosed Zero-Days
This month’s release focuses heavily on three zero-day vulnerabilities, one already being abused by attackers and two that were publicly disclosed before a fix was available.
1. Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability (Actively Exploited)
Microsoft has resolved a flaw in the Windows Cloud Files Mini Filter Driver that allowed authorised users to escalate their privileges to SYSTEM level. According to Microsoft, the issue stemmed from a “use-after-free” condition and could be exploited locally. Details on the real-world exploitation remain limited, but Microsoft’s internal security teams were credited with identifying the activity.
2. GitHub Copilot for JetBrains Remote Code Execution Vulnerability (Publicly Disclosed)
A command injection vulnerability affecting GitHub Copilot for JetBrains IDEs has now been patched. The flaw meant that malicious prompts embedded in untrusted files or servers could cause unintended commands to execute locally, particularly when terminal auto-approve settings were enabled. The issue came to light as part of wider research into vulnerabilities within AI-powered developer tools.
3. PowerShell Remote Code Execution Vulnerability (Publicly Disclosed)
A PowerShell bug allowed scripts hidden within a webpage to run automatically when fetched using Invoke-WebRequest. Microsoft has introduced a safeguard that now displays a warning and encourages users to include the -UseBasicParsing flag to prevent this behaviour.
Users will now see a message similar to:
Security Warning: Script Execution Risk
Invoke-WebRequest parses the content of the web page. Script code in the web page might be run when the page is parsed.
Recommended action: Use the -UseBasicParsing switch to avoid script execution.
Do you want to continue?
Microsoft has credited multiple researchers for highlighting this issue.
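To find scripts that will hit the new prompt, or that still parse fetched pages, the PowerShell parser can be used to audit code for Invoke-WebRequest calls that lack the switch. This is an added example, not code from Microsoft or the original article; the function name, the `$reqArgs` variable and the example.test URLs are assumptions made for illustration.

```powershell
# Added example: static audit for Invoke-WebRequest calls without -UseBasicParsing.
function Find-WebRequestWithoutBasicParsing {
    param(
        [Parameter(Mandatory)] [string] $ScriptText,
        [string] $Source = '<inline>'   # label used in the report (assumption)
    )
    # Names that resolve to Invoke-WebRequest in Windows PowerShell 5.1.
    $names  = 'Invoke-WebRequest', 'iwr', 'curl', 'wget'
    $tokens = $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)
    $calls = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst] -and
        $node.GetCommandName() -in $names
    }, $true)

    foreach ($call in $calls) {
        $elements = $call.CommandElements
        # -UseBasicParsing, or any unambiguous prefix down to -UseB, not set to $false.
        $hasSwitch = $elements | Where-Object {
            $_ -is [System.Management.Automation.Language.CommandParameterAst] -and
            $_.ParameterName.Length -ge 4 -and
            'UseBasicParsing'.StartsWith($_.ParameterName, [StringComparison]::OrdinalIgnoreCase) -and
            -not ($_.Argument -and $_.Argument.Extent.Text -eq '$false')
        }
        if ($hasSwitch) { continue }
        # Splatted arguments (@params) cannot be resolved statically: flag for review.
        $splatted = $elements | Where-Object {
            $_ -is [System.Management.Automation.Language.VariableExpressionAst] -and $_.Splatted
        }
        [pscustomobject]@{
            Source = $Source
            Line   = $call.Extent.StartLineNumber
            Status = if ($splatted) { 'Review' } else { 'Missing' }
            Text   = $call.Extent.Text
        }
    }
}

# Constructed sample script text, for demonstration only.
$sample = @'
Invoke-WebRequest -Uri https://example.test/a
iwr https://example.test/b -UseBasicParsing
curl https://example.test/c -UseB
Invoke-WebRequest @reqArgs
Invoke-WebRequest https://example.test/d -UseBasicParsing:$false
'@
Find-WebRequestWithoutBasicParsing -ScriptText $sample | Format-Table -AutoSize
```

To audit a repository, pass each script's contents (read with `Get-Content -Raw`) as `-ScriptText` and its path as `-Source`. Calls built dynamically, for example through `&` with a variable command name, are not seen by this check.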
Updates from Other Technology Vendors
It is not just Microsoft issuing fixes this month. Several other major vendors have also released important security advisories:
- Adobe has published updates across ColdFusion, Experience Manager, DNG SDK, Acrobat Reader, and Creative Cloud Desktop.
- Fortinet patched multiple vulnerabilities, including a serious authentication bypass in FortiCloud SSO.
- Google released the December Android security bulletin, addressing two vulnerabilities currently under active exploitation.
- Ivanti shipped updates for its platform, including a high-severity stored XSS flaw affecting Endpoint Manager.
- React resolved a critical RCE issue in React Server Components, now being actively leveraged in attacks.
- SAP delivered updates across a range of products, including a critical code injection flaw in SAP Solution Manager.
Microsoft has published the complete catalogue of resolved December vulnerabilities on its official portal.
You can review the full breakdown, along with affected products and technical detail, in the complete report.