Microsoft released its final Patch Tuesday updates of 2025 on December 9, addressing 56 security vulnerabilities across Windows, Office, Exchange Server, and other components.
The release includes three zero-day flaws: two publicly disclosed remote code execution issues and one actively exploited elevation of privilege vulnerability.
The updates fix two remote code execution vulnerabilities in Microsoft Office, both rated Critical because they allow arbitrary code execution via malicious documents.
Dozens of Important-rated issues make up the rest, primarily elevation of privilege flaws in Windows kernel drivers such as the Cloud Files Mini Filter Driver and Win32k, alongside remote code execution bugs in RRAS and ReFS. Exploitation likelihood varies, with several marked “More Likely” or “Detected,” which calls for immediate patching despite holiday slowdowns.
| Vulnerability Type | Count |
|---|---|
| Remote Code Execution | 19 |
| Denial of Service | 3 |
| Elevation of Privilege | 28 |
| Information Disclosure | 4 |
| Spoofing | 2 |
| Total | 56 |
No Moderate- or Low-severity flaws are highlighted; the focus remains on preventing local privilege escalation and remote attacks. Affected products span Windows 10/11/Server, Office apps (Excel, Word, Outlook, Access), Hyper-V, Azure Monitor Agent, PowerShell, and third-party tools like GitHub Copilot for JetBrains.
Three zero-days stand out. CVE-2025-64671 in GitHub Copilot for JetBrains enables command injection for local RCE; it is publicly known, but exploitation is less likely. CVE-2025-54100 similarly affects PowerShell via command injection.
CVE-2025-62221, a use-after-free in Windows Cloud Files Mini Filter Driver, shows detected exploitation, marking it actively used in attacks.
| CVE ID | Component | Type | Severity | Exploitation Status | Description Summary |
|---|---|---|---|---|---|
| CVE-2025-62221 | Windows Cloud Files Mini Filter Driver | Elevation of Privilege | Important | Detected | Use-after-free allows local privilege escalation. Exploited in the wild. |
| CVE-2025-64671 | GitHub Copilot for JetBrains | Remote Code Execution | Important | Less Likely | Command injection enables local code execution. Publicly known. |
| CVE-2025-54100 | PowerShell | Remote Code Execution | Important | Less Likely | Command injection enables local code execution. Publicly known. |
Organizations should prioritize testing and deploying these updates via Windows Update or the Microsoft Update Catalog, especially for zero-days and “More Likely” exploits. Extended Security Updates remain critical for Windows 10 users post-EOL.
Vulnerabilities Table
| CVE | Title | Severity | Impact | Description |
|---|---|---|---|---|
| CVE-2025-62554 | Microsoft Office Remote Code Execution Vulnerability | Critical | Remote Code Execution | Access of resource using incompatible type (‘type confusion’) in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2025-62557 | Microsoft Office Remote Code Execution Vulnerability | Critical | Remote Code Execution | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2025-62454 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Heap-based buffer overflow in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62456 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | Remote Code Execution | Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to execute code over a network. |
| CVE-2025-62457 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Out-of-bounds read in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62458 | Win32k Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Heap-based buffer overflow in Windows Win32K – GRFX allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62466 | Windows Client-Side Caching Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Null pointer dereference in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62469 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62470 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62472 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Use of uninitialized resource in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62473 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Important | Information Disclosure | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
| CVE-2025-62549 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | Remote Code Execution | Untrusted pointer dereference in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
| CVE-2025-62561 | Microsoft Excel Remote Code Execution Vulnerability | Important | Remote Code Execution | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-62562 | Microsoft Outlook Remote Code Execution Vulnerability | Important | Remote Code Execution | Use after free in Microsoft Office Outlook allows an unauthorized attacker to execute code locally. |
| CVE-2025-62563 | Microsoft Excel Remote Code Execution Vulnerability | Important | Remote Code Execution | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-62564 | Microsoft Excel Remote Code Execution Vulnerability | Important | Remote Code Execution | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-62571 | Windows Installer Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Improper input validation in Windows Installer allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62572 | Application Information Service Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Out-of-bounds read in Application Information Services allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62573 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally. |
| CVE-2025-64658 | Windows File Explorer Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Shell allows an authorized attacker to elevate privileges locally. |
| CVE-2025-64667 | Microsoft Exchange Server Spoofing Vulnerability | Important | Spoofing | User interface (UI) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2025-64666 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-64670 | Windows DirectX Information Disclosure Vulnerability | Important | Information Disclosure | Exposure of sensitive information to an unauthorized actor in Microsoft Graphics Component allows an authorized attacker to disclose information over a network. |
| CVE-2025-64673 | Windows Storage VSP Driver Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Improper access control in Storvsp.sys Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-59516 | Windows Storage VSP Driver Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Missing authentication for critical function in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-59517 | Windows Storage VSP Driver Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Improper access control in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62455 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Improper input validation in Windows Message Queuing allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62461 | Windows Projected File System Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62463 | DirectX Graphics Kernel Denial of Service Vulnerability | Important | Denial of Service | Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally. |
| CVE-2025-62462 | Windows Projected File System Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62464 | Windows Projected File System Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62465 | DirectX Graphics Kernel Denial of Service Vulnerability | Important | Denial of Service | Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally. |
| CVE-2025-55233 | Windows Projected File System Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Out-of-bounds read in Windows Projected File System allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62467 | Windows Projected File System Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Integer overflow or wraparound in Windows Projected File System allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62468 | Windows Defender Firewall Service Information Disclosure Vulnerability | Important | Information Disclosure | Out-of-bounds read in Windows Defender Firewall Service allows an authorized attacker to disclose information locally. |
| CVE-2025-62474 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62550 | Azure Monitor Agent Remote Code Execution Vulnerability | Important | Remote Code Execution | Out-of-bounds write in Azure Monitor Agent allows an authorized attacker to execute code over a network. |
| CVE-2025-62552 | Microsoft Access Remote Code Execution Vulnerability | Important | Remote Code Execution | Relative path traversal in Microsoft Office Access allows an unauthorized attacker to execute code locally. |
| CVE-2025-62553 | Microsoft Excel Remote Code Execution Vulnerability | Important | Remote Code Execution | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-62555 | Microsoft Word Remote Code Execution Vulnerability | Important | Remote Code Execution | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| CVE-2025-62556 | Microsoft Excel Remote Code Execution Vulnerability | Important | Remote Code Execution | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-62558 | Microsoft Word Remote Code Execution Vulnerability | Important | Remote Code Execution | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| CVE-2025-62559 | Microsoft Word Remote Code Execution Vulnerability | Important | Remote Code Execution | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| CVE-2025-62560 | Microsoft Excel Remote Code Execution Vulnerability | Important | Remote Code Execution | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2025-62567 | Windows Hyper-V Denial of Service Vulnerability | Important | Denial of Service | Integer underflow (wrap or wraparound) in Windows Hyper-V allows an authorized attacker to deny service over a network. |
| CVE-2025-62569 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. |
| CVE-2025-62570 | Windows Camera Frame Server Monitor Information Disclosure Vulnerability | Important | Information Disclosure | Improper access control in Windows Camera Frame Server Monitor allows an authorized attacker to disclose information locally. |
| CVE-2025-62565 | Windows File Explorer Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Use after free in Windows Shell allows an authorized attacker to elevate privileges locally. |
| CVE-2025-64661 | Windows Shell Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Shell allows an authorized attacker to elevate privileges locally. |
| CVE-2025-64671 | GitHub Copilot for Jetbrains Remote Code Execution Vulnerability | Important | Remote Code Execution | Improper neutralization of special elements used in a command (‘command injection’) in Copilot allows an unauthorized attacker to execute code locally. |
| CVE-2025-64672 | Microsoft SharePoint Server Spoofing Vulnerability | Important | Spoofing | Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. |
| CVE-2025-64678 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | Remote Code Execution | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
| CVE-2025-64679 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. |
| CVE-2025-64680 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. |
| CVE-2025-54100 | PowerShell Remote Code Execution Vulnerability | Important | Remote Code Execution | Improper neutralization of special elements used in a command (‘command injection’) in Windows PowerShell allows an unauthorized attacker to execute code locally. |
| CVE-2025-62221 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | Elevation of Privilege | Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. |
Monitor CISA’s Known Exploited Vulnerabilities catalog for additions, and segment networks to limit lateral movement from EoP flaws. With year-end holidays approaching, automate patching to mitigate risks from the 1,100+ CVEs patched in 2025.
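The prioritization advice above (zero-days and higher exploitation likelihood first, with a watch on the KEV catalog) can be turned into a repeatable patch-order check. The following is an added example, not part of the original article: the rows are the three zero-days from this page, the KEV excerpt is a constructed sample in the shape of CISA's JSON feed with placeholder dates, and the ranking weights (including the "Unlikely" label) are assumptions.

```python
import json

# Rows taken from this page's zero-day table: CVE, component, type, severity, status.
ZERO_DAY_ROWS = """\
| CVE-2025-64671 | GitHub Copilot for JetBrains | Remote Code Execution | Important | Less Likely |
| CVE-2025-62221 | Windows Cloud Files Mini Filter Driver | Elevation of Privilege | Important | Detected |
| CVE-2025-54100 | PowerShell | Remote Code Execution | Important | Less Likely |
"""

# Constructed sample shaped like CISA's KEV JSON feed; dates are placeholders, not real values.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-62221", "dateAdded": "YYYY-MM-DD", "dueDate": "YYYY-MM-DD"},
]})

# Assumed ranking: lower number means patch sooner. "Unlikely" does not appear on this page.
STATUS_RANK = {"Detected": 0, "More Likely": 1, "Less Likely": 2, "Unlikely": 3}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
FIELDS = ("cve", "component", "type", "severity", "status")


def parse_rows(table):
    """Parse pipe-delimited table rows, skipping headers, separators and short lines."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < len(FIELDS) or not cells[0].startswith("CVE-"):
            continue
        rows.append(dict(zip(FIELDS, cells)))
    return rows


def triage(table, kev_json):
    """Return rows in patch order: KEV-listed, then exploitation status, then severity."""
    kev = {v["cveID"]: v for v in json.loads(kev_json).get("vulnerabilities", [])}
    rows = parse_rows(table)
    for row in rows:
        row["in_kev"] = row["cve"] in kev
        row["kev_due"] = kev.get(row["cve"], {}).get("dueDate")
    # Unknown status or severity labels sort last instead of raising.
    rows.sort(key=lambda r: (not r["in_kev"],
                             STATUS_RANK.get(r["status"], 9),
                             SEVERITY_RANK.get(r["severity"], 9),
                             r["cve"]))
    return rows


if __name__ == "__main__":
    for r in triage(ZERO_DAY_ROWS, SAMPLE_KEV):
        print(r["cve"], r["status"], "KEV" if r["in_kev"] else "-", r["component"])
```

Replacing `SAMPLE_KEV` with the downloaded KEV feed and `ZERO_DAY_ROWS` with the full table (with an exploitation-status column added) gives the same ordering for the whole release.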