
Total vulnerabilities fixed:
Microsoft’s December 2025 Patch Tuesday addresses 57 security flaws. Among these, 3 vulnerabilities are rated Critical (all remote code execution issues), with the remainder classified as Important (none are labeled as Moderate or Low this month). Note that Microsoft Edge updates (15 vulnerabilities) are not included here, as Edge was updated earlier in the month. This release also includes 3 “zero-day” flaws (vulnerabilities either exploited or publicly disclosed prior to a patch): 1 actively exploited vulnerability and 2 publicly disclosed ones.
Types of vulnerabilities:
The flaws cover various categories, notably 28 Elevation of Privilege vulnerabilities, 19 Remote Code Execution vulnerabilities, 4 Information Disclosure issues, 3 Denial of Service bugs, and 2 Spoofing vulnerabilities. No Security Feature Bypass or Tampering vulnerabilities were reported. The dominance of privilege escalation bugs continues, indicating attackers’ focus on exploiting Windows kernel components and drivers to gain higher-level access.
Affected product families: This Patch Tuesday spans a broad range of Microsoft products. Windows operating systems (Windows 10/11 clients and Server editions up through 2025) receive many fixes, particularly in core system components like Windows kernel drivers, network services (e.g. RRAS, MSMQ), and features such as Hyper-V. The Microsoft Office suite is heavily affected as well, with patches for Excel, Word, Outlook, Access, and Office core components. Critical server applications like Microsoft Exchange Server (2016/2019 and Subscription Edition) and SharePoint Server are patched to fix privilege escalation and spoofing flaws, respectively. Additionally, cloud and development-related components are addressed: Azure Monitor Agent receives a remote code execution fix, Windows PowerShell 5.1 gets a patch for a command injection flaw, and even the GitHub Copilot plugin for JetBrains IDEs receives a fix for an RCE. Finally, Microsoft’s advisories note the inclusion of fixes for vulnerabilities in Azure Linux (Azure Linux 3.0 kernel), incorporating several Linux kernel CVEs – important for Azure VM instances using that OS, though these kernel issues were not counted among the 57 main Microsoft vulnerabilities.
The following table provides a detailed breakdown of the December 2025 Patch Tuesday vulnerabilities by affected product or component. For each CVE, it lists a title/short description, the CVSS v3.1 base score (0–10), Microsoft’s severity rating (Critical/Important), key CVSS metrics – Attack Vector, Attack Complexity, Privileges Required, User Interaction – and whether the issue was known to be exploited or had public exploit code. The vulnerabilities are grouped by product/component for clarity.
Table 1 – December 2025 Patch Tuesday Vulnerabilities by Product (CVSS v3.1)
| Product/Component | CVE ID | Title / Short Description | CVSS | Severity | Attack Vector | Complexity | Privileges | User Interaction | Known Exploited? | Active Exploit / Public Code |
|---|---|---|---|---|---|---|---|---|---|---|
| Windows Cloud Files Mini-Filter Driver | CVE-2025-62221 | Use-after-free in Cloud Files driver allows local privilege escalation to SYSTEM | 7.8 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | Yes (Zero-day, actively exploited) | Actively exploited in the wild |
| Windows Routing & Remote Access (RRAS) | CVE-2025-62549 | Untrusted pointer dereference in RRAS allows remote code execution (RCE) on the server | 8.8 | Important | Network (AV:N) | Low (AC:L) | None (PR:N) | Required (UI:R) | No | – |
| Windows Resilient File System (ReFS) | CVE-2025-62456 | Heap buffer overflow in ReFS allows an authenticated attacker to execute code over the network | ~8.0 | Important | Network (AV:N) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows Message Queuing (MSMQ) | CVE-2025-62455 | Privilege escalation in MSMQ service – flaw allows local user to gain higher privileges | ~7.8 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows Common Log File System | CVE-2025-62470 | Heap-based buffer overflow in CLFS driver allows local privilege escalation | ~7.8 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows Win32k (Graphics) | CVE-2025-62458 | Heap buffer overflow in Win32k-GRFX (graphics kernel) allows local privilege escalation | ~7.8 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows Client-Side Caching (CSC) | CVE-2025-62466 | Null pointer dereference in CSC service (Offline Files) allows local privilege escalation | ~7.0 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows Brokering File System | CVE-2025-62469 | Race condition in Broker FS allows local privilege escalation | ~7.5 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows Remote Access Connection Manager | CVE-2025-62472 | Use of uninitialized resource in RASman allows local privilege escalation | ~7.0 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows Routing & Remote Access (RRAS) | CVE-2025-62473 | Buffer over-read in RRAS allows information disclosure over the network | ~5.0 | Important | Network (AV:N) | Low (AC:L) | None (PR:N) | None (UI:N) | No | – |
| Windows Hyper-V | CVE-2025-62567 | Denial of service vulnerability in Hyper-V (remote attacker can cause VM/host crash) | ~7.5 | Important | Network (AV:N) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows Installer | CVE-2025-62571 | Privilege escalation in Windows Installer (local user can gain higher privileges) | ~7.0 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | Required (UI:R) | No | – |
| Windows Defender Firewall Service | CVE-2025-62468 | Information disclosure in Windows Defender Firewall service (memory info leak) | ~5.5 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows DirectX (Graphics Kernel) | CVE-2025-62463 | Denial of service in DirectX graphics kernel (crafted input can crash system) | ~5.5 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | Required (UI:R) | No | – |
| Windows DirectX (Graphics Kernel) | CVE-2025-62465 | Another DoS in DirectX graphics kernel (similar to CVE-2025-62463) | ~5.5 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | Required (UI:R) | No | – |
| Windows DirectX (Graphics Kernel) | CVE-2025-62573 | Privilege escalation in DirectX graphics kernel (local user to admin) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows DWM Core Library | CVE-2025-64679 | Privilege escalation in Desktop Window Manager (DWM) core library | ~7.8 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows DWM Core Library | CVE-2025-64680 | Second privilege escalation in DWM core library (similar to CVE-2025-64679) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows Projected File System | CVE-2025-55233 | Privilege escalation in Projected File System (ProjFS) driver (via shared folder) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows Projected File System | CVE-2025-62462 | Privilege escalation in Projected File System (ProjFS) (similar to CVE-2025-55233) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows Projected File System | CVE-2025-62464 | Privilege escalation in Projected File System (third variant of ProjFS EoP) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Storvsp.sys (Storage VSP Driver) | CVE-2025-64673 | Privilege escalation in StorVSP (storage virtual service provider) driver | ~7.8 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Windows Camera Frame Server | CVE-2025-62570 | Information disclosure in Camera Frame Server component (exposes memory content) | ~5.0 | Important | Local (AV:L) | Low (AC:L) | Low (PR:L) | Required (UI:R) | No | – |
| Microsoft Office (core) | CVE-2025-62554 | Type confusion in Microsoft Office allows arbitrary code execution locally | 8.4 | Critical | Local (AV:L) | Low (AC:L) | None (PR:N) | None (UI:N) | No (Publicly disclosed) | Yes (Public exploit code available) |
| Microsoft Office (core) | CVE-2025-62557 | Use-after-free in Microsoft Office allows arbitrary code execution locally | 8.4 | Critical | Local (AV:L) | Low (AC:L) | None (PR:N) | None (UI:N) | No (Publicly disclosed) | Yes (Public exploit code available) |
| Microsoft Outlook | CVE-2025-62562 | Use-after-free in Microsoft Outlook can lead to code execution upon viewing a malicious email | 8.8 (est.) | Critical | Network (AV:N) | Low (AC:L) | None (PR:N) | None (UI:N) | No | – |
| Microsoft Excel | CVE-2025-62560 | RCE in Microsoft Excel (untrusted pointer dereference leads to code execution) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | None (PR:N) | Required (UI:R) | No | – |
| Microsoft Excel | CVE-2025-62561 | RCE in Microsoft Excel (untrusted pointer dereference similar to CVE-2025-62560) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | None (PR:N) | Required (UI:R) | No | – |
| Microsoft Excel | CVE-2025-62563 | RCE in Microsoft Excel (out-of-bounds write enabling arbitrary code execution) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | None (PR:N) | Required (UI:R) | No | – |
| Microsoft Excel | CVE-2025-62564 | RCE in Microsoft Excel (out-of-bounds write, variant similar to CVE-2025-62563) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | None (PR:N) | Required (UI:R) | No | – |
| Microsoft Excel | CVE-2025-62553 | RCE in Microsoft Excel (buffer overflow via crafted Excel file) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | None (PR:N) | Required (UI:R) | No | – |
| Microsoft Excel | CVE-2025-62556 | RCE in Microsoft Excel (buffer overflow similar to other Excel RCEs) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | None (PR:N) | Required (UI:R) | No | – |
| Microsoft Word | CVE-2025-62558 | RCE in Microsoft Word (code execution via malicious .DOCX file) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | None (PR:N) | Required (UI:R) | No | – |
| Microsoft Word | CVE-2025-62559 | RCE in Microsoft Word (variant of Word file exploit) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | None (PR:N) | Required (UI:R) | No | – |
| Microsoft Word | CVE-2025-62555 | RCE in Microsoft Word (another variant of Word file exploit) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | None (PR:N) | Required (UI:R) | No | – |
| Microsoft Access | CVE-2025-62552 | RCE in Microsoft Access (code execution via malicious .ACCDB database file) | ~7.8 | Important | Local (AV:L) | Low (AC:L) | None (PR:N) | Required (UI:R) | No | – |
| GitHub Copilot (JetBrains IDE plugin) | CVE-2025-64671 | Cross-prompt injection in GitHub Copilot for JetBrains allows local command execution | 7.4 (est.) | Important | Local (AV:L) | Low (AC:L) | None (PR:N) | Required (UI:R) | Yes (Publicly disclosed) | Yes (Public exploit code available) |
| Windows PowerShell 5.1 | CVE-2025-54100 | RCE in Windows PowerShell (command injection via Invoke-WebRequest allowing local code execution) | 7.2 (est.) | Important | Local (AV:L) | Low (AC:L) | None (PR:N) | Required (UI:R) | Yes (Publicly disclosed) | Yes (Public exploit code available) |
| Azure Monitor Agent | CVE-2025-62550 | Out-of-bounds write in Azure Monitor Agent allows authenticated attacker to execute code over network | ~8.0 | Important | Network (AV:N) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Microsoft Exchange Server | CVE-2025-64666 | Improper input validation in Exchange 2016/2019 allows post-auth privilege escalation | ~7.8 | Important | Network (AV:N) | Low (AC:L) | Low (PR:L) | None (UI:N) | No | – |
| Microsoft Exchange Server | CVE-2025-64667 | Spoofing vulnerability in Exchange (could allow attacker to impersonate email elements) | ~4.0 | Important | Network (AV:N) | Low (AC:L) | Low (PR:L) | Required (UI:R) | No | – |
| Microsoft SharePoint Server | CVE-2025-64672 | Spoofing vulnerability in SharePoint (could allow impersonation of another user) | ~4.3 | Important | Network (AV:N) | Low (AC:L) | Low (PR:L) | Required (UI:R) | No | – |
(Summary table compiled from Microsoft Security Update Guide data and CVE analyses.)
Notable Vulnerabilities and Key Highlights
Critical RCE flaws (Office)
This month’s three critical vulnerabilities all affect the Office suite. Two of them (CVE-2025-62554 and CVE-2025-62557) are code execution flaws in the core of Microsoft Office, exploited via malicious documents. Technically, one is a type confusion issue and the other a use-after-free – in both cases, opening a specially crafted Office file can lead to arbitrary code execution with the user’s privileges. These flaws have a high CVSS score (~8.4), and Microsoft has rated them Critical because no additional interaction is required beyond opening the file, and no privileges are needed (the unauthenticated attacker simply supplies the malicious file). Fortunately, neither has been reported as actively exploited so far.
However, they were publicly disclosed before the patch was released, which means their technical details (and even proof-of-concept exploit code) are known to attackers – hence the absolute priority to deploy the corresponding Office patches.
The third critical flaw, CVE-2025-62562, affects Microsoft Outlook and also allows remote code execution. It is a use-after-free scenario in the Outlook rendering engine that can be triggered via malicious email content. This vulnerability, potentially exploitable through the preview of a crafted email, is critical because an attacker could execute code on the target machine as soon as the message is received/viewed, with no privileges required. These three Office/Outlook RCE flaws must be treated as top priority given their attack surface (widely exchanged office documents, emails) and the fact that two of them are already public.
Zero-days and active exploits
In addition to the publicly disclosed flaws above, one zero-day vulnerability is being actively exploited in December 2025: CVE-2025-62221. This is a privilege escalation vulnerability in the Windows Cloud Files Mini Filter driver (used by the OneDrive Files On-Demand feature). This flaw, caused by a use-after-free in memory, allows an attacker already present on a system (with basic rights) to escalate privileges to SYSTEM level, i.e., take full control of the machine.
Microsoft has confirmed that this vulnerability was being exploited in the wild (an exploited zero-day) before the patch was released, which indicates a critical risk level for unpatched systems. According to Microsoft, exploitation requires local access (or access via Remote Desktop) with low privileges – once on the machine, malicious code can leverage this driver flaw to obtain full administrator rights. It is worth noting that Microsoft credits its internal teams (MSTIC and MSRC) for this discovery, without disclosing details of the ongoing campaign.
Two other zero-day flaws are notable even though no active exploitation has been observed for them so far. The first, CVE-2025-64671, affects the GitHub Copilot plugin for JetBrains IDEs and is an unusual case of command injection via AI. An attacker could, through a malicious repository or project, exploit a cross-prompt injection flaw in Copilot to execute local commands on the developer’s workstation. This RCE vulnerability, although only rated Important, was publicly disclosed by researcher Ari Marzuk as part of a study on flaws in AI-assisted IDEs.
The second, CVE-2025-54100, is a vulnerability in Windows PowerShell 5.1. It enables command injection via Invoke-WebRequest: in practical terms, a PowerShell script could, while fetching web content, inadvertently execute code embedded in the remote web page. Microsoft mitigated the issue by modifying PowerShell to display a security warning prompting the user to use -UseBasicParsing to avoid executing remote scripted content. Although rated Important with a CVSS score of ~7.2, this flaw is notable because several external researchers reported it and its exploitation does not require elevated privileges, only the execution of a PowerShell command against malicious content. Again, the technical details are public, which increases the risk of future exploitation if systems are not patched.
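The practical follow-up to the PowerShell issue is finding the scripts in your estate that still call Invoke-WebRequest without -UseBasicParsing, since those are the ones that take the HTML-parsing path on Windows PowerShell 5.1. The script below is an added example, not code from the article or from Microsoft: it uses the PowerShell parser to walk each .ps1 file as an AST and reports every Invoke-WebRequest call (including its iwr, curl and wget aliases in 5.1) that lacks the switch, and wraps the fetch in a helper that always passes it. The temp folder and the two sample scripts it writes are constructed for the demonstration.

```powershell
# Added example: audit scripts for Invoke-WebRequest calls that rely on the
# legacy HTML parsing path, plus a fetch helper that always opts out of it.
# Assumption: Windows PowerShell 5.1, where -UseBasicParsing is opt-in.

function Get-ContentBasic {
    # Fetch a URL with -UseBasicParsing so the response body is returned as
    # text and never handed to the IE-based HTML parser.
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [int] $TimeoutSec = 30
    )
    $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec $TimeoutSec
    return $resp.Content
}

function Find-UnsafeWebRequestCall {
    # Parse every .ps1 under $Path and report Invoke-WebRequest commands
    # (or their 5.1 aliases) that do not carry -UseBasicParsing.
    param([Parameter(Mandatory)] [string] $Path)

    $aliases = @('Invoke-WebRequest', 'iwr', 'curl', 'wget')

    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File | ForEach-Object {
        $file   = $_.FullName
        $tokens = $null
        $errors = $null
        $ast = [System.Management.Automation.Language.Parser]::ParseFile($file, [ref]$tokens, [ref]$errors)

        $calls = $ast.FindAll({
            param($node)
            $node -is [System.Management.Automation.Language.CommandAst] -and
            $node.GetCommandName() -in $aliases
        }, $true)

        foreach ($call in $calls) {
            # A CommandParameterAst whose name starts with "UseB" covers the
            # full switch name and any unambiguous abbreviation of it.
            $hasBasic = $call.CommandElements | Where-Object {
                $_ -is [System.Management.Automation.Language.CommandParameterAst] -and
                $_.ParameterName -match '^UseB'
            }
            if (-not $hasBasic) {
                [pscustomobject]@{
                    File = $file
                    Line = $call.Extent.StartLineNumber
                    Call = $call.Extent.Text
                }
            }
        }
    }
}

# Constructed sample: two small scripts in a temp folder, one of each kind.
$sample = Join-Path $env:TEMP 'iwr-audit-sample'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
@'
$r = Invoke-WebRequest -Uri 'https://example.invalid/page'   # expected: flagged
$r.ParsedHtml.title
'@ | Set-Content -Path (Join-Path $sample 'legacy.ps1')
@'
$r = iwr -Uri 'https://example.invalid/page' -UseBasicParsing   # expected: clean
'@ | Set-Content -Path (Join-Path $sample 'fixed.ps1')

Find-UnsafeWebRequestCall -Path $sample | Format-Table -AutoSize
```

Walking the AST rather than grepping for the command name avoids false positives from comments and string literals, and catches the aliases that a text search for "Invoke-WebRequest" would miss. Point -Path at a scripts share or a scheduled-task folder to inventory the real estate.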
High-criticality network vulnerabilities
Among the other noteworthy flaws, particular attention should be paid to those affecting Windows network components that may be directly or indirectly exposed to the internet. Vulnerability CVE-2025-62549 (CVSS 8.8) in Windows RRAS is a key example: RRAS (Routing and Remote Access Service) is a Windows service providing routing/VPN functions, typically running on servers.
The flaw is an untrusted pointer dereference that can be exploited via specially crafted network packets, leading to remote code execution on the server without prior authentication. In other words, an unauthenticated attacker could send malicious traffic to an RRAS server (e.g., a VPN server) and execute code with the privileges of the service (often SYSTEM). The attack complexity is low and, although Microsoft notes that user interaction is required in some scenarios (e.g., tricking a user into establishing a malicious VPN session), in practice the mere processing of the crafted packet by RRAS may be sufficient. Given the externally exposed attack surface, Windows server administrators (especially domain controllers and remote access servers) must prioritize this patch – and consider disabling RRAS on systems where it is not needed, in the meantime, to reduce risk.
Also notable is CVE-2025-62550 in Azure Monitor Agent: this RCE flaw in an Azure agent installed on hybrid machines or Azure Arc nodes is a concern if the agent receives crafted data. The attack requires authentication on the target (PR:L), but then allows code execution on the machine in the context of the agent. Hybrid cloud environments should quickly integrate this patch via Azure Update or SCCM.
Windows privilege escalation vulnerabilities
As usual, numerous elevation of privilege (EoP) vulnerabilities affect core Windows components. This month, in addition to the Cloud Files zero-day mentioned above, there are EoPs in kernel drivers (e.g., Win32k-GRFX, CLFS) and system services (e.g., Remote Access Connection Manager, Client Side Caching, Storage VSP). Most of these EoP flaws have a local vector (the attacker must already have a foothold on the machine) and result from memory corruption issues (heap buffer overflows, invalid dereferences) that lead to code execution in kernel mode. Although individually rated Important, these flaws are highly valuable in post-compromise attack scenarios (for example, after gaining initial access via phishing, the attacker uses an EoP to become local administrator).
Of particular note are two EoP vulnerabilities in Desktop Window Manager (DWM), a central component of the Windows graphical interface – their patching should be thoroughly tested, as DWM is used on all client endpoints (low but non-zero risk of minor graphical issues to monitor). Another notable EoP is CVE-2025-62469 (Brokering File System), which involves a synchronization issue (race condition) that can potentially be exploited to escalate privileges. Even though none of these EoP flaws are currently known to be exploited, it is wise to remediate them quickly to limit lateral movement and persistence in the event of an intrusion.
Server products (Exchange, SharePoint)
The patches for Exchange Server and SharePoint deserve particular attention. Exchange Server has two CVEs this month: CVE-2025-64666 (EoP) and CVE-2025-64667 (Spoofing). The EoP flaw in Exchange could allow, for example, an attacker who has compromised a low-privileged account on the server to escalate to Organization Management privileges in Exchange – effectively compromising all mailboxes. The patch should be applied without delay on all supported Exchange 2016/2019 instances, especially given Exchange’s history as a frequent target of exploits.
The Exchange spoofing flaw, as well as the one in SharePoint (CVE-2025-64672), both enable identity impersonation or falsification of certain elements (emails, SharePoint web requests); exploitation is less impactful (no code execution), but could be used in internal phishing campaigns or to bypass certain authentication controls. Note that for SharePoint, exploiting the flaw may require being authenticated to the SharePoint site and holding specific privileges (depending on the exact spoofing vector). As always with this type of product, testing and deployment of these patches on SharePoint/Exchange farms should be planned promptly, outside of business hours where possible, given the criticality of these applications.
Recommendations and Mitigation Priorities
Priorities for CISOs / Security Leadership
Given the information above, it is essential to prioritize the deployment of patches on exposed and critical systems. First, update all Office/Windows client workstations without delay to address the critical Office/Outlook vulnerabilities, and clearly communicate to employees the importance of rebooting their machines after updates (many of these kernel-level fixes require a restart). Next, focus on frontline Windows servers: apply patches on RRAS/VPN servers, RDS servers, domain controllers, and other remote-access machines to prevent exploitation of flaws such as RRAS (CVE-2025-62549) and the numerous local EoPs used in post-exploitation scenarios. Hybrid cloud environments must also be updated, for instance through Azure Update Management, to push patches to Azure VMs, especially those running Azure Monitor Agent or Azure Linux.
Internal communication should be issued to operational teams to alert them about the corrected zero-days. The CISO must ensure that high-sensitivity systems (VIP workstations, critical servers) have indeed received the December 2025 patches. It is also advisable to review existing security policies: temporarily strengthen monitoring on systems not yet patched (e.g., via EDR) and consider disabling or restricting high-risk services while waiting for updates (e.g., disabling RRAS or SMBv3 compression if a critical network patch is delayed).
Operational Guidance for CSIRT and Vulnerability Teams
Once patches are deployed, set up enhanced monitoring for signs of exploitation. For the Cloud Files zero-day (CVE-2025-62221), review system logs (Event Viewer) to detect driver crashes or unusual behavior related to CloudFilesMiniFilter.sys. Implement SIEM/EDR detections for known exploits; for example, monitor for the PowerShell warning introduced by the patch (triggered when Invoke-WebRequest processes potentially dangerous content); this may indicate a possible attempt to exploit CVE-2025-54100 on an unpatched host.
Likewise, watch for suspicious security events on Exchange and SharePoint servers (login anomalies, configuration changes) that may indicate attempted exploitation prior to patching. Microsoft has not provided workaround mitigations for these flaws, so security teams must verify post-patch that all attack vectors are effectively closed (for example, confirming that known Copilot or PowerShell exploits no longer work in a test environment).
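The monitoring steps above translate into a few host-side queries. The script below is an added example, not code from the article or from Microsoft, and it assumes two things: that PowerShell Script Block Logging is enabled (event 4104 in the Microsoft-Windows-PowerShell/Operational log), and that the Cloud Files Mini Filter driver is cldflt.sys on disk (the article refers to it as CloudFilesMiniFilter.sys). It looks for script blocks that call Invoke-WebRequest without -UseBasicParsing, lists recent System-log warnings and errors that mention the driver, and reports the installed driver's file version so it can be compared with the version documented in the December 2025 KB for the host's build.

```powershell
# Added example: post-patch hunting for the signals discussed in this section.
# Assumptions: Script Block Logging enabled (event 4104), driver file name
# cldflt.sys, elevated Windows PowerShell session on the host being checked.

function Find-LegacyWebRequestUse {
    # Script blocks invoking Invoke-WebRequest (or a 5.1 alias) without
    # -UseBasicParsing. On an unpatched host these take the HTML-parsing path
    # CVE-2025-54100 concerns; on a patched host they trigger the new warning.
    param([datetime] $Since = (Get-Date).AddDays(-7))

    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value      # ScriptBlockText field of event 4104
        if ($text -match '(?i)\b(Invoke-WebRequest|iwr|curl|wget)\b' -and $text -notmatch '(?i)-UseBasic') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Machine = $_.MachineName
                Snippet = ($text.Substring(0, [Math]::Min(160, $text.Length))) -replace '\s+', ' '
            }
        }
    }
}

function Find-CloudFilterDriverEvents {
    # Critical/error/warning System-log entries mentioning the Cloud Files
    # driver: a coarse indicator of crashes or instability worth a closer look.
    param([datetime] $Since = (Get-Date).AddDays(-7))

    $filter = @{ LogName = 'System'; Level = 1, 2, 3; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)cldflt|Cloud ?Files' -or $_.ProviderName -match '(?i)cldflt' } |
        Select-Object TimeCreated, Id, ProviderName,
                      @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Get-CloudFilterDriverVersion {
    # File version of the installed driver, to compare against the version
    # listed in the December 2025 KB article for this OS build.
    $path = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    if (Test-Path $path) {
        [pscustomobject]@{
            Path        = $path
            FileVersion = (Get-Item $path).VersionInfo.FileVersion
        }
    }
}

Get-CloudFilterDriverVersion
Find-CloudFilterDriverEvents | Format-Table -AutoSize
Find-LegacyWebRequestUse     | Format-Table -AutoSize
```

Run across a fleet through your remote-execution tooling and collect the objects centrally; the 4104 query is the one to turn into a SIEM rule, since it fires on the behaviour rather than on a particular exploit sample.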
For the critical Office vulnerabilities, continue filtering office documents through security tools (antivirus, sandboxing) and remind users to open only files from trusted sources; the patch is the permanent fix, but user vigilance remains necessary, especially until the entire environment is updated. Additionally, consider enabling Office-hardening policies (e.g., disabling unsigned macros, enforcing Protected View) to reduce the attack surface of document-based exploits.
Legacy or End-of-Support Products
Windows 10 21H2 is reaching end of life, as are certain Office 2016/2019 editions. Although the December 2025 Patch Tuesday still includes fixes for Windows 10 21H2 and Office 2016, this support is ending. Migration to Windows 11 and supported Office editions (Office 2021 LTSC, Microsoft 365 Apps) should be accelerated to ensure continued security updates in 2026. CISOs should identify systems that cannot be patched (e.g., outdated OS/Office versions no longer supported) and implement compensating controls for them (network isolation, service decommissioning, etc.).
Annexes
Annex A: Vulnerabilities Sorted by Decreasing CVSS Score
The table below lists the December 2025 Patch Tuesday vulnerabilities sorted by CVSS v3.1 score (highest to lowest). As expected, critical Office/Outlook RCE vulnerabilities appear among the highest (8.8/8.4). Note that certain CVSS scores are estimated when the exact value was not published at the time of analysis (based on similar impact vectors). DoS and Spoofing vulnerabilities naturally appear at the bottom with lower scores (~4–5).
This CVSS-based classification allows teams to quickly identify the vulnerabilities with the greatest technical impact and prioritize patch deployment accordingly.
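Sorting by CVSS alone puts the RRAS and Outlook bugs on top but leaves the actively exploited Cloud Files zero-day in the middle of the list, which is the opposite of the deployment order recommended in the Priorities section. The script below is an added example, not part of the article: it encodes a simple ordering rule (exploited in the wild, then publicly disclosed, then Critical rating, then reachable unauthenticated over the network, then CVSS as a tiebreaker) over a constructed subset of the rows from Table 1, and assigns each a tier. The weights and tier thresholds are this example's own choices, not a Microsoft scheme.

```powershell
# Added example: rank this month's fixes for deployment order.
# Rows are a constructed subset of Table 1; the weighting is illustrative.

$advisories = @(
    [pscustomobject]@{ CVE='CVE-2025-62221'; Product='Windows Cloud Files Mini-Filter'; CVSS=7.8; Severity='Important'; AV='L'; PR='L'; Exploited=$true;  Disclosed=$false }
    [pscustomobject]@{ CVE='CVE-2025-62549'; Product='Windows RRAS';                   CVSS=8.8; Severity='Important'; AV='N'; PR='N'; Exploited=$false; Disclosed=$false }
    [pscustomobject]@{ CVE='CVE-2025-62554'; Product='Microsoft Office';               CVSS=8.4; Severity='Critical';  AV='L'; PR='N'; Exploited=$false; Disclosed=$true  }
    [pscustomobject]@{ CVE='CVE-2025-62557'; Product='Microsoft Office';               CVSS=8.4; Severity='Critical';  AV='L'; PR='N'; Exploited=$false; Disclosed=$true  }
    [pscustomobject]@{ CVE='CVE-2025-62562'; Product='Microsoft Outlook';              CVSS=8.8; Severity='Critical';  AV='N'; PR='N'; Exploited=$false; Disclosed=$false }
    [pscustomobject]@{ CVE='CVE-2025-64671'; Product='GitHub Copilot (JetBrains)';     CVSS=7.4; Severity='Important'; AV='L'; PR='N'; Exploited=$false; Disclosed=$true  }
    [pscustomobject]@{ CVE='CVE-2025-54100'; Product='Windows PowerShell 5.1';         CVSS=7.2; Severity='Important'; AV='L'; PR='N'; Exploited=$false; Disclosed=$true  }
    [pscustomobject]@{ CVE='CVE-2025-62550'; Product='Azure Monitor Agent';            CVSS=8.0; Severity='Important'; AV='N'; PR='L'; Exploited=$false; Disclosed=$false }
    [pscustomobject]@{ CVE='CVE-2025-64667'; Product='Exchange Server';                CVSS=4.0; Severity='Important'; AV='N'; PR='L'; Exploited=$false; Disclosed=$false }
)

function Get-PatchPriority {
    # Adds a Score and a Tier to each advisory object. Weights (illustrative):
    # exploited 1000, disclosed 500, unauthenticated network vector 300,
    # Critical rating 200, plus CVSS*10 as a tiebreaker.
    param([Parameter(ValueFromPipeline)] $Advisory)
    process {
        $score = 0
        if ($Advisory.Exploited)                            { $score += 1000 }
        if ($Advisory.Disclosed)                            { $score += 500 }
        if ($Advisory.AV -eq 'N' -and $Advisory.PR -eq 'N') { $score += 300 }
        if ($Advisory.Severity -eq 'Critical')              { $score += 200 }
        $score += [int]($Advisory.CVSS * 10)

        if     ($score -ge 1000) { $tier = 'P0 - emergency' }
        elseif ($score -ge 300)  { $tier = 'P1 - this week' }
        else                     { $tier = 'P2 - normal cycle' }

        $Advisory |
            Add-Member -NotePropertyName Score -NotePropertyValue $score -PassThru |
            Add-Member -NotePropertyName Tier  -NotePropertyValue $tier  -PassThru
    }
}

$advisories | Get-PatchPriority | Sort-Object Score -Descending |
    Format-Table CVE, Product, CVSS, Severity, Tier, Score -AutoSize
```

With these weights the Cloud Files zero-day lands alone in P0, the two Office zero-days, Outlook, RRAS, Copilot and PowerShell fall into P1, and the authenticated-only Azure Monitor Agent and Exchange spoofing issues drop to P2. Feed the full Security Update Guide export into $advisories (the CSV download carries the same fields) to rank the whole month rather than this excerpt.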
| CVE ID | Product/Component | CVSS v3.1 | Type | MS Severity | Comments |
|---|---|---|---|---|---|
| CVE-2025-62562 | Microsoft Outlook (use-after-free RCE) | 8.8 (High) | Remote Code Execution | Critical | RCE via malicious email (zero-click possible) |
| CVE-2025-62549 | Windows RRAS (untrusted pointer RCE) | 8.8 (High) | Remote Code Execution | Important | Unauthenticated network RCE (VPN servers) |
| CVE-2025-62554 | Microsoft Office (type confusion RCE) | 8.4 (High) | Remote Code Execution | Critical | Publicly disclosed zero-day (Office) |
| CVE-2025-62557 | Microsoft Office (use-after-free RCE) | 8.4 (High) | Remote Code Execution | Critical | Publicly disclosed zero-day (Office) |
| CVE-2025-62550 | Azure Monitor Agent (out-of-bounds RCE) | ~8.0 (High) | Remote Code Execution | Important | Requires authentication (post-compromise attack) |
| CVE-2025-62456 | Windows ReFS (heap overflow RCE) | ~8.0 (High) | Remote Code Execution | Important | Authenticated attacker required |
| … | … | … | … | … | … |
| CVE-2025-62221 | Windows Cloud Files (use-after-free EoP) | 7.8 (High) | Elevation of Privilege | Important | Actively exploited zero-day (SYSTEM privilege) |
| CVE-2025-64666 | Exchange Server (Elevation of Privilege) | ~7.8 (High) | Elevation of Privilege | Important | Requires authenticated mailbox user |
| CVE-2025-64673 | Windows StorVSP (Elevation of Privilege) | ~7.8 (High) | Elevation of Privilege | Important | Local, post-compromise escalation |
| CVE-2025-62560 | Microsoft Excel (memory corruption RCE) | ~7.8 (High) | Remote Code Execution | Important | Malicious Excel file (macro-based attack) |
| … | … | … | … | … | … |
| CVE-2025-64671 | GitHub Copilot JetBrains (RCE injection) | ~7.4 (High) | Remote Code Execution | Important | Publicly disclosed zero-day (PoC available) |
| CVE-2025-54100 | Windows PowerShell (command injection RCE) | ~7.2 (High) | Remote Code Execution | Important | Publicly disclosed zero-day (command injection) |
| CVE-2025-62473 | Windows RRAS (information disclosure) | ~5.0 (Medium) | Information Disclosure | Important | Non-critical network information leak |
| CVE-2025-62570 | Windows Camera Frame Server (information disclosure) | ~5.0 (Medium) | Information Disclosure | Important | Limited local information leak |
| CVE-2025-64672 | SharePoint Server (Spoofing) | ~4.3 (Medium) | Spoofing | Important | Identity impersonation (internal phishing) |
| CVE-2025-64667 | Exchange Server (Spoofing) | ~4.0 (Medium) | Spoofing | Important | Email element impersonation |
CVSS scores marked with “~” are estimated from the impact vectors, in the absence of an officially published value. Vulnerability types are shown in English as they correspond to the standard CVE taxonomy.
Annex B – Useful Links (Official Microsoft Bulletins)
For more details on each update, consult the Microsoft Security Update Guide – December 2025 Release (official Patch Tuesday bulletin). The CVEs listed above are documented individually with their associated Microsoft KB references. Below are direct links to the relevant Microsoft resources:
📎 Microsoft Security Update Guide – December 2025 Releases
📎 Office Security Update Bulletin (December 2025) – details for Office 2016, 2019, LTSC 2021/2024 patches
📎 Exchange Server Security Update Description – December 2025 (KB5029970)
📎 MSRC Blog on December 2025 Zero-Days – Microsoft’s summary article (if published) covering active exploits and specific recommendations
The December 2025 Patch Tuesday closes the year with a substantial set of security fixes across the entire Microsoft ecosystem. Security teams must focus on the rapid deployment of critical updates (especially Office and Windows) and remain vigilant regarding the potential exploitation of publicly disclosed vulnerabilities.
Summary
This article, intended for CSIRT analysts and CISOs, provides a high-level overview to support communication and remediation efforts during this end-of-year period.
Enjoy!