Microsoft has rolled out its December 2025 Patch Tuesday updates, addressing critical security risks across its software ecosystem. The update resolves 57 vulnerabilities which includes 1 zero-day vulnerability that is being actively exploited and 2 publicly disclosed vulnerabilities. The patches aim to strengthen defences against potential cyberattacks. Users are advised to update immediately.
n Patch Tuesday, 09 December 2025 Microsoft has released fixes for 57 flaws including 1 zero-days and 2 publicly disclosed vulnerabilities
The major categories for these vulnerabilities are as follows:
- Elevation of Privilege – 28
- Remote Code Execution (RCE) – 19
- Denial of Service – 3
- Information Disclosure – 4
- Spoofing – 3
Of the vulnerabilities addressed this month, 49% were related to Elevation of Privilege, while 33% were related to Remote Code Execution predominantly.
One of the vulnerabilities, identified as CVE-2025-62221 and carrying a CVSS score of 7.8, is currently being actively exploited in real-world attacks. This flaw involves the Windows Cloud Files Mini Filter Driver.
Following are the 2 publicly known vulnerabilities:
- CVE-2025-64671
- CVE-2025-54100
CVE-2025-64671 is associated with Co-pilot while CVE-2025-54100 Windows PowerShell.
In addition to the CVEs mentioned above, Microsoft has also published 13 non-Microsoft CVEs from Chrome, which are relevant to the Chromium-based Microsoft Edge browser.
Apart from Microsoft few other vendors have also provided fixes including the following:
Adobe: Adobe released updates for applications including Adobe Acrobat Reader and Adobe ColdFusion.
Cisco: Cisco released updates for its products including Cisco Identity Service.
SAP: SAP released updates for multiple products including SAP Solution Manager and SAP Commerce Cloud.
Fortinet: Fortinet released updates for multiple products including FortiOS, FortiProxy and FortiPAM.
Ivanti: Ivanti released updates for its products Ivanti Endpoint Manager.
Here are 3 essential pieces of advice for companies to make the most of the final Patch Tuesday of 2025 and strengthen their security posture heading into the new year:
- Prioritize Actively Exploited and High-Risk Vulnerabilities: Focus immediate patching efforts on vulnerabilities confirmed to be actively exploited in the wild or rated high/critical.
- Strengthen Monitoring for Systems That Can’t Be Patched Immediately: For devices or applications that can’t be patched right away, ensure enhanced logging, detection rules, and compensating controls are applied. Temporary mitigations can help bridge the gap until patching is possible.
- Perform a Year-End Vulnerability and Asset Review: Use this final patch cycle as an opportunity to:
- Reassess your asset inventory
- Confirm no critical systems were overlooked
- Review patch compliance levels across teams
- Plan improvements for your 2026 vulnerability management strategy
- A thorough year-end review ensures you enter the new year with a cleaner, more secure baseline.
Conclusion:
The last Patch Tuesday of 2025 shows how important it is for companies to stay on top of security as the year wraps up. This month brings fixes for issues that are already being attacked, updates across different platforms, and patches for both Microsoft products and Chromium-based browsers like Edge. It’s a reminder that keeping systems updated and watching for risks is essential. By focusing on the most serious flaws, testing updates before rolling them out, and keeping a close eye on systems, organizations can finish the year securely and start 2026 in a stronger position.
