Microsoft Patches Three Zero-Days in December Update, One Under Active Attack
Microsoft's final Patch Tuesday of 2025 addressed 57 vulnerabilities, including three zero-day flaws—one of which attackers are actively exploiting to gain SYSTEM-level privileges on Windows machines.
The December update brings Microsoft's annual total to approximately 1,200 patched vulnerabilities, marking the second consecutive year the company has addressed over 1,000 security issues in its products.
Active Exploitation: CVE-2025-62221
The most critical vulnerability fixed this month, CVE-2025-62221, scores 7.8 on the CVSS scale and affects the Windows Cloud Files Mini Filter Driver. This use-after-free flaw allows authenticated attackers to escalate privileges locally to SYSTEM level—the highest permission tier in Windows.
Microsoft's Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) discovered the vulnerability and confirmed it's being exploited in real-world attacks. The company hasn't disclosed attack details, victim profiles, or attribution information. This silence typically indicates either ongoing investigations or concerns that additional technical details might enable broader exploitation.
Use-after-free vulnerabilities occur when software attempts to access memory after it's been freed, creating opportunities for attackers to manipulate memory contents and execute arbitrary code. In privilege escalation contexts, this means attackers who already have some system access can elevate to administrator-level control.
The authentication requirement means attackers need initial access to target systems before exploiting CVE-2025-62221. However, this shouldn't provide much comfort. Attackers commonly chain vulnerabilities—using one flaw to gain initial access, then escalating privileges through a second vulnerability like this one.
Second Cloud Files Driver Flaw: CVE-2025-62454
Microsoft patched another vulnerability in the same Windows Cloud Files Mini Filter Driver: CVE-2025-62454, also scoring 7.8 on the CVSS scale. This flaw similarly enables privilege escalation.
The vulnerability has not yet been exploited in the wild, but Microsoft warns that it could be used in attacks soon. Such an assessment usually reflects threat intelligence pointing to attacker interest in, or reconnaissance activity against, this component.
Two privilege escalation vulnerabilities in the same driver within one month raise questions about code quality and testing procedures for this component. Organizations should prioritize patching both issues given the driver's apparent vulnerability history and Microsoft's warning about imminent exploitation risk.
Understanding Microsoft's Zero-Day Classification
Microsoft defines zero-days broadly, including both vulnerabilities under active exploitation and those publicly disclosed before patches became available. This classification differs from the narrower definition some security professionals use—reserving "zero-day" exclusively for exploited-before-patched vulnerabilities.
The December update includes two additional zero-days that were publicly disclosed but not yet exploited.
GitHub Copilot Vulnerability: CVE-2025-64671
Security researcher Ari Marzuk identified a command injection vulnerability in GitHub Copilot for JetBrains IDEs. The flaw allows attackers to execute code locally through prompt injection in untrusted files or Model Context Protocol (MCP) servers.
Marzuk disclosed this vulnerability as part of his "IDEsaster: A Novel Vulnerability Class in AI IDEs" research. The findings highlight security risks emerging as AI assistants integrate more deeply into development environments.
Exploitation requires users to open malicious files or connect to compromised MCP servers while using Copilot. The attack surface expands as AI coding assistants gain adoption—developers increasingly trust these tools with code execution permissions, creating opportunities for social engineering attacks disguised as legitimate development resources.
PowerShell Command Injection: CVE-2025-54100
The third zero-day affects PowerShell's Invoke-WebRequest cmdlet. This command injection vulnerability could allow script execution when users retrieve web pages containing embedded malicious code.
Microsoft's description states: "Incorrect neutralization of special elements used in commands (command injection) in Windows PowerShell allows an unauthorized attacker to locally execute code."
The company implemented warnings that now display when using Invoke-WebRequest, recommending the -UseBasicParsing flag to prevent automatic code execution. This mitigation approach shifts some responsibility to users—they must recognize the warning and apply the recommended flag.
PowerShell's power makes it attractive for both legitimate administration and malicious activity. Vulnerabilities in core PowerShell components like Invoke-WebRequest create risks for system administrators who rely on these tools for routine tasks.
Critical Office Vulnerabilities
Beyond the three zero-days, December patches address 13 Office vulnerabilities, including two critical remote code execution flaws: CVE-2025-62554 and CVE-2025-62557, both scoring 8.4 on the CVSS scale.
These vulnerabilities—a type confusion bug and a use-after-free issue—enable remote arbitrary code execution through Office's Preview Pane. Attackers could exploit them through social engineering, tricking victims into clicking malicious links.
Microsoft warns about the worst-case scenario: "An attacker could send a specially crafted email to a victim. It would not need to be opened, read, or have links clicked. However, this could lead to remote code execution on the victim's machine."
Preview Pane exploitation is particularly dangerous because it removes the need for explicit user actions like opening attachments. Simply viewing an email in the preview window triggers the vulnerability. Organizations using Office should prioritize these patches and consider temporarily disabling Preview Pane if immediate patching isn't possible.
In My Opinion
The single actively exploited zero-day warrants immediate attention, but the broader pattern of 1,200+ annual vulnerabilities in Microsoft products deserves examination. This represents the second consecutive year Microsoft has patched over 1,000 issues—suggesting either improved vulnerability discovery processes or persistent code quality challenges.
Per the research findings, the privilege escalation vulnerabilities in the Windows Cloud Files Mini Filter Driver indicate problems in a component that handles cloud storage integration. As Microsoft pushes cloud-first strategies across its product line, ensuring security in cloud integration components becomes critical.
The active exploitation of CVE-2025-62221 demonstrates attackers' focus on privilege escalation vectors. Initial access vulnerabilities get significant attention, but privilege escalation flaws enable attackers to move from compromised user accounts to full system control. Organizations should recognize that preventing initial compromise isn't sufficient—limiting what attackers can do after gaining initial access matters equally.
The GitHub Copilot vulnerability represents emerging attack surfaces as AI tools integrate into development workflows. Developers traditionally work in trusted environments where code execution is expected and necessary. AI assistants that can execute code or suggest commands create new social engineering opportunities. Attackers can craft prompts or contexts that cause AI assistants to recommend or execute malicious operations.
PowerShell's command injection vulnerability (CVE-2025-54100) exposes risks in automation tools that system administrators depend on daily. The mitigation approach—displaying warnings and recommending flags—places burden on users to recognize threats. This works when administrators actively monitor for security issues, but automated scripts using Invoke-WebRequest might continue operating without the recommended protections unless explicitly updated.
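One way to find the unattended scripts this paragraph worries about, and to check for the -UseBasicParsing switch that the CVE-2025-54100 warning recommends, is to walk the PowerShell AST rather than grep. This is an added example, not code from the article or from Microsoft; it assumes Windows PowerShell 5.1 (where curl and wget are still aliases of Invoke-WebRequest) and a constructed sample script.

```powershell
# Added example (not from the article or Microsoft): audit PowerShell script text for
# Invoke-WebRequest calls that lack the -UseBasicParsing switch recommended in the
# CVE-2025-54100 guidance. Assumes Windows PowerShell 5.1, where the default parsing
# path is the one the warning applies to.
using namespace System.Management.Automation.Language

function Find-UnsafeInvokeWebRequest {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$Path = '<inline>'
    )
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    # Names that resolve to Invoke-WebRequest in Windows PowerShell 5.1
    $names = @('invoke-webrequest', 'iwr', 'curl', 'wget')
    $calls = $ast.FindAll({ param($node)
        $node -is [CommandAst] -and $node.GetCommandName() -and
        $names -contains $node.GetCommandName().ToLowerInvariant()
    }.GetNewClosure(), $true)

    foreach ($call in $calls) {
        $params = @($call.CommandElements |
            Where-Object { $_ -is [CommandParameterAst] } |
            ForEach-Object { $_.ParameterName.ToLowerInvariant() })
        # PowerShell accepts unambiguous prefixes; -UseB is the shortest one here.
        $hasSwitch = $params | Where-Object { $_.Length -ge 4 -and 'usebasicparsing'.StartsWith($_) }
        if (-not $hasSwitch) {
            # Splatted calls (Invoke-WebRequest @args) are reported too, for manual review;
            # a global $PSDefaultParameterValues entry is not detected by this check.
            [pscustomobject]@{
                Path    = $Path
                Line    = $call.Extent.StartLineNumber
                Command = $call.Extent.Text
            }
        }
    }
}

# Constructed sample script text: only the first call lacks the switch.
$sample = @'
$page = Invoke-WebRequest -Uri 'https://example.invalid/status'
iwr -UseBasicParsing 'https://example.invalid/feed'
Invoke-WebRequest -Uri 'https://example.invalid/api' -UseBasicParsing | Select-Object -Expand Content
'@
Find-UnsafeInvokeWebRequest -ScriptText $sample | Format-Table -AutoSize
```

To audit a script repository, pipe each file through the function with Get-ChildItem -Recurse -Filter *.ps1 and Get-Content -Raw, passing the file's FullName as -Path.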
The Office Preview Pane vulnerabilities continue a long history of similar issues. Microsoft has patched numerous Preview Pane bugs over the years, yet new ones continue appearing. This suggests either that the Preview Pane architecture creates inherent security challenges, or that testing processes don't adequately cover this attack surface.
Organizations face practical deployment challenges with monthly patch cycles. December's 57 vulnerabilities require testing, staging, and deployment—all while IT teams manage year-end operations and holiday staffing. The actively exploited zero-day demands immediate attention, but organizations must also prioritize the critical Office vulnerabilities and the second Cloud Files driver flaw that Microsoft warns could be exploited soon.
The volume of patches—1,200 annually—strains patch management processes. Organizations can't thoroughly test every patch before deployment, yet deploying untested patches risks breaking production systems. This forces risk-based prioritization: patch actively exploited vulnerabilities immediately, critical vulnerabilities quickly, and lower-severity issues on standard schedules.
Microsoft's second consecutive year of 1,000+ patched vulnerabilities raises questions about whether this represents a new normal. Increased vulnerability discovery through bug bounties, security research, and internal testing might explain rising numbers without indicating worse security. Alternatively, expanding attack surfaces as Microsoft adds features and integrates cloud services might be creating genuinely more vulnerabilities.
Either way, organizations depending on Microsoft products must maintain robust patch management capabilities. The December update demonstrates this clearly: one actively exploited zero-day, two critical Office RCE vulnerabilities, and another privilege escalation flaw that Microsoft warns about—all requiring prompt deployment despite year-end operational pressures.