Microsoft’s Latest Patch Tuesday Update Fixes These Three Zero-Day Vulnerabilities

Microsoft’s December Patch Tuesday update has been released, and Windows users should update their computers as soon as possible to patch three zero-day vulnerabilities. These are security vulnerabilities that are actively exploited or publicly disclosed before the developer releases an official update.
As Bleeping Computer reports, this month’s update addresses a total of 56 bugs: 28 privilege escalation vulnerabilities, 19 remote code execution vulnerabilities, four information disclosure vulnerabilities, three denial of service vulnerabilities, and two address spoofing vulnerabilities. Three of the remote code execution vulnerabilities are rated “critical.” It should be noted that these figures do not include updates released for Microsoft Edge and Mariner.
Security updates are typically released on the second Tuesday of each month around 10:00 AM PT, so you can expect them to arrive around that time.
Three zero-days are fixed
One of the zero-day vulnerabilities patched in December is being actively exploited by attackers, although Microsoft hasn’t provided any details on how. CVE-2025-62221 is a privilege escalation vulnerability in the Windows Cloud File Minifilter driver, which, when exploited, allows attackers to gain SYSTEM privileges. The minifilter allows cloud applications like OneDrive to access file system functions.
Information about the remaining two fixed bugs has been publicly released:
- CVE-2025-64671 - Remote Code Execution Vulnerability in GitHub Copilot for JetBrains: This vulnerability, which can be exploited through Cross Prompt Injection (CPI) in untrusted MCP files or servers, allows attackers to execute commands locally. According to Krebs on Security, this can trick the LLM into adding malicious instructions to a user’s auto-confirmation settings.
- CVE-2025-54100 - PowerShell Remote Code Execution Vulnerability: This vulnerability could result in the execution of scripts embedded in a web page when the page is retrieved using the Invoke-WebRequest command.
Vulnerability CVE-2025-62221 was discovered by the Microsoft Threat Analysis Center (MSTIC) and the Microsoft Security Response Center (MSRC). Vulnerability CVE-2025-64671 was disclosed by Ari Marzouk, and vulnerability CVE-2025-54100 was discovered by several security researchers.