Microsoft has concluded its 2025 security updates with a critical Patch Tuesday release, addressing a total of 56 vulnerabilities across its various products.
The most alarming aspect of this release is the inclusion of three zero-day flaws, with one confirmed to be actively exploited in the wild.
Microsoft rated three of the 56 flaws as critical and the remaining 53 as Important. The issues cover a broad spectrum of risks, including 29 privilege escalation bugs and 18 remote code execution (RCE) flaws.
The most pressing vulnerability is CVE-2025-62221 (CVSS score 7.8), a use-after-free defect in the Windows Cloud Files Mini Filter Driver.
This flaw allows a local attacker to elevate their privileges to the highest level, SYSTEM, effectively granting them full control of the host machine.
Given the active exploitation of this bug, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to the Known Exploited Vulnerabilities (KEV) catalog, requiring all Federal Civilian Executive Branch (FCEB) agencies to apply the patch before December 30, 2025.
Microsoft also fixed two other publicly known zero-day vulnerabilities. The first is CVE-2025-54100 (CVSS score 7.8), a command injection vulnerability in Windows PowerShell.
This flaw can allow an unauthorised attacker to execute arbitrary code if they can trick a user into running a crafted PowerShell command, such as Invoke-WebRequest.
The second is CVE-2025-64671 (CVSS score 8.4), a command injection vulnerability found in GitHub Copilot for JetBrains.
This issue stems from the increasing integration of agentic AI capabilities into development environments, a subject recently highlighted by security researchers under the name “IDEsaster.”
The vulnerability allows attackers to bypass security guardrails and potentially achieve code execution by manipulating the underlying AI model.
This final update brings Microsoft’s total number of patched vulnerabilities for 2025 to 1,275, marking the second year in a row the company has addressed over 1,000 distinct CVEs.
Security professionals are strongly advised to prioritise the deployment of these patches to defend against these critical, actively exploited threats.



