Close Menu
Login
HN Monitor
Vulnerability

Microsoft Releases Security Updates for 56 Vulnerabilities

News RoomBy 5 Mins Read

Microsoft concluded 2025 by releasing patches for 56 security flaws across its Windows platform, a significant update that includes a critical vulnerability actively being exploited in the wild. This end-of-year Patch Tuesday addresses issues ranging from privilege escalation to remote code execution, underscoring the ongoing cybersecurity challenges faced by users.

The December 2025 Patch Tuesday update deploys fixes for 56 vulnerabilities, with three classified as Critical and 53 as Important. Two of these defects were publicly known at the time of release. The patched flaws include 29 instances of privilege escalation, 18 of remote code execution, four of information disclosure, three of denial-of-service, and two of spoofing.

Microsoft’s 2025 Security Patch Summary

This latest release brings Microsoft’s total CVEs addressed in 2025 to 1,275, according to data compiled by Fortra. This marks the second consecutive year the technology giant has surpassed 1,000 patched CVEs, a milestone achieved for the third time since the inception of Patch Tuesday. In addition to the Windows fixes, Microsoft also addressed 17 vulnerabilities in its Chromium-based Edge browser since the November 2025 update, including a spoofing flaw affecting Edge for iOS (CVE-2025-62221).

The most pressing issue is CVE-2025-62221, a critical use-after-free vulnerability within the Windows Cloud Files Mini Filter Driver. This flaw boasts a CVSS score of 7.8 and has been actively exploited. Successful exploitation by an authenticated attacker could lead to local privilege escalation, granting them SYSTEM-level permissions.

“File system filter drivers, aka minifilters, attach to the system software stack, and intercept requests targeted at a file system, and extend or replace the functionality provided by the original target,” explained Adam Barnett, lead software engineer at Rapid7. “Typical use cases include data encryption, automated backup, on-the-fly compression, and cloud storage.”

The Cloud Files minifilter is integral to services like OneDrive, Google Drive, and iCloud. However, as a core Windows component, its presence and associated vulnerabilities would exist on systems even without these cloud storage applications installed.

Details regarding the specific methods or context of the current exploitation of CVE-2025-62221 remain undisclosed. However, it is understood that attackers need prior access to a vulnerable system through other means to exploit this particular flaw. The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) are credited with the discovery and reporting of this vulnerability.

Mike Walters, president and co-founder of Action1, elaborated on potential attack chains. He suggested that threat actors could gain initial low-privileged access through phishing, web browser exploits, or other known remote code execution vulnerabilities. This initial foothold could then be leveraged in conjunction with CVE-2025-62221 to achieve full control of the host system.

Once privileged access is gained, attackers could deploy kernel components or exploit signed drivers to bypass security defenses and ensure persistence. This vulnerability could also be weaponized for broad domain-level compromises, particularly when combined with credential theft techniques.

The exploitation of CVE-2025-62221 has led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. This addition mandates that Federal Civilian Executive Branch (FCEB) agencies implement the patch by December 30, 2025.

Other Notable Vulnerabilities Addressed

Microsoft’s update also includes fixes for two other publicly known vulnerabilities:

  • CVE-2025-54100 (CVSS score: 7.8): A command injection vulnerability in Windows PowerShell that allows an unauthorized attacker to execute code locally.
  • CVE-2025-64671 (CVSS score: 8.4): A command injection vulnerability in GitHub Copilot for JetBrains, enabling unauthorized local code execution.

Regarding CVE-2025-54100, Alex Vovk of Action1 stated, “This is a command injection flaw in how Windows PowerShell processes web content. It lets an unauthenticated attacker execute arbitrary code in the security context of a user who runs a crafted PowerShell command, such as Invoke-WebRequest.” This threat is amplified when combined with social engineering tactics, where users or administrators might be tricked into running malicious PowerShell snippets that trigger the parsing flaw.

CVE-2025-64671 emerged in the context of a broader disclosure of vulnerabilities dubbed “IDEsaster,” affecting integrated development environments with agentic capabilities. These attacks exploit prompt injections against embedded AI agents, potentially leading to information disclosure or command execution by combining them with the base IDE layer.

While not strictly part of the novel IDEsaster attack chain, this vulnerability involves a vulnerable “execute command” tool that allows bypassing user-configured allow lists, according to researcher Ari Marzouk, who reported the flaw. Marzouk noted that multiple IDEs were affected, including Kiro.dev, Cursor (CVE-2025-54131), JetBrains Junie (CVE-2025-59458), Gemini CLI, Windsurf, and Roo Code (CVE-2025-54377, CVE-2025-57771, CVE-2025-65946), as well as GitHub Copilot for VS Code.

Kev Breen, senior director of cyber threat research at Immersive, explained that attackers could achieve code execution by tricking the AI into running commands that bypass guardrails and appending instructions to “auto-approve” settings. This can be accomplished through “Cross Prompt Injection,” where AI agents modify prompts based on retrieved data, leading to unintended command execution.

Broader Vendor Security Updates

Microsoft’s significant patch release is part of a larger trend of vendors addressing numerous security vulnerabilities. In recent weeks, updates have also been issued by a wide array of other technology providers, including:

  • Adobe
  • Amazon Web Services
  • AMD
  • Arm
  • ASUS
  • Atlassian
  • Bosch
  • Broadcom (including VMware)
  • Canon
  • Cisco
  • Citrix
  • CODESYS
  • Dell
  • Devolutions
  • Drupal
  • F5
  • Fortinet
  • Fortra
  • GitLab
  • Google Android and Pixel
  • Google Chrome
  • Google Cloud
  • Google Pixel Watch
  • Hitachi Energy
  • HP
  • HP Enterprise (including Aruba Networking and Juniper Networks)
  • IBM
  • Imagination Technologies
  • Intel
  • Ivanti
  • Lenovo
  • Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
  • MediaTek
  • Mitsubishi Electric
  • MongoDB
  • Moxa
  • Mozilla Firefox and Firefox ESR
  • NVIDIA
  • OPPO
  • Progress Software
  • Qualcomm
  • React
  • Rockwell Automation
  • Samsung
  • SAP
  • Schneider Electric
  • Siemens
  • SolarWinds
  • Splunk
  • Synology
  • TP-Link
  • WatchGuard
  • Zoom, and
  • Zyxel

The continuous stream of security updates from Microsoft and other vendors highlights the persistent and evolving threat landscape. Users and organizations are urged to apply these patches promptly to mitigate risks associated with known exploits and newly disclosed vulnerabilities. Future Patch Tuesdays will likely continue this pattern of addressing critical security flaws across widely used software and hardware.

Share.

The Hacker News editorial team covers the latest in cybersecurity, data breaches, privacy risks, and digital defense. Our newsroom delivers verified updates and in-depth analysis to keep professionals and readers informed on global cyber threats.

Keep Reading

© 2026 Hacker News. All Rights Reserved.