Microsoft patched 57 vulnerabilities in its Patch Tuesday December 2025 update, including one exploited zero-day and six high-risk vulnerabilities. The exploited zero-day is CVE-2025-62221, a 7.8-rated Use After Free vulnerability in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and gain SYSTEM privileges. CISA promptly added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft credited its own Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) for the find. Microsoft’s Patch Tuesday December 2025 update also issued fixes for 13 non-Microsoft CVEs; all the non-Microsoft CVEs were for Chromium-based Edge vulnerabilities. Other vendors issuing critical Patch Tuesday updates included Fortinet (CVE-2025-59718 and CVE-2025-59719), Ivanti (CVE-2025-10573) and SAP (CVE-2025-42880, CVE-2025-42928, and Apache Tomcat-related vulnerabilities CVE-2025-55754 and CVE-2025-55752).

High-Risk Vulnerabilities Fixed in Patch Tuesday December 2025 Update

Microsoft rated six vulnerabilities as “Exploitation More Likely.” The six are all rated 7.8 under CVSS 3.1, and three are Heap-based Buffer Overflow vulnerabilities. The six high-risk vulnerabilities include: CVE-2025-59516, a 7.8-severity Windows Storage VSP Driver Elevation of Privilege vulnerability. The Missing Authentication for Critical Function flaw in Windows Storage VSP Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-59517, also a 7.8-rated Windows Storage VSP Driver Elevation of Privilege vulnerability. Improper access control in Windows Storage VSP Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-62454, a 7.8-rated Windows Cloud Files Mini Filter Driver Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in Windows Cloud Files Mini Filter Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-62458, a 7.8-severity Win32k Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in Windows Win32K - GRFX could allow an authorized attacker to elevate privileges locally. CVE-2025-62470, a 7.8-rated Windows Common Log File System Driver Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in the Windows CLFS Driver could allow local privilege elevation by an authorized attacker. CVE-2025-62472, a 7.8-severity Windows Remote Access Connection Manager Elevation of Privilege vulnerability. The use of uninitialized resource flaw in Windows Remote Access Connection Manager could allow an authorized attacker to elevate privileges locally.

High-Severity Office, Copilot, SharePoint Vulnerabilities also Fixed

The highest-rated vulnerabilities in the December 2025 Patch Tuesday update were rated 8.8, and there were three 8.4-severity vulnerabilities too. All were rated as being at lower risk of exploitation by Microsoft. The four 8.8-rated vulnerabilities include:

• CVE-2025-62549, a Windows Routing and Remote Access Service (RRAS) Remote Code Execution vulnerability
• CVE-2025-62550, an Azure Monitor Agent Remote Code Execution vulnerability
• CVE-2025-62456, a Windows Resilient File System (ReFS) Remote Code Execution vulnerability
• CVE-2025-64672, a Microsoft SharePoint Server Spoofing vulnerability

The three 8.4-severity vulnerabilities include:

• CVE-2025-64671, a GitHub Copilot for Jetbrains Remote Code Execution vulnerability
• CVE-2025-62557, a Microsoft Office Remote Code Execution/Use After Free vulnerability
• CVE-2025-62554, a Microsoft Office Remote Code Execution/Type Confusion vulnerability

Microsoft’s November Patch Tuesday release for 2025 has delivered fixes for 63 security flaws across its software portfolio, including one zero-day vulnerability already being exploited in the wild. The company’s monthly update also contains four “Critical” vulnerabilities, two involving remote code execution (RCE), one linked to privilege escalation, and another tied to information disclosure.  This month’s update addresses vulnerabilities across a wide range of Microsoft products and services. Although the number of vulnerabilities is lower compared to recent months, the presence of an active zero-day makes November’s cycle critical for administrators. Microsoft noted that some of the “Important” rated flaws could still be leveraged in complex attack chains, particularly those affecting widely deployed components like Office, Windows Kernel, and Azure services. 

Actively Exploited Zero-Day: CVE-2025-62215 

The most urgent issue this month is CVE-2025-62215, an Elevation of Privilege vulnerability in the Windows Kernel. According to Microsoft, the flaw arises from a race condition that allows an authenticated attacker to gain SYSTEM-level privileges on affected systems.  In Microsoft’s technical explanation, “concurrent execution using a shared resource with improper synchronization” could let an attacker win a race condition and escalate privileges locally. This vulnerability was discovered by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC). While the company has confirmed that it is being exploited in the wild, it has not provided details about the attack methods or affected threat actors.  The vulnerability notes a recurring challenge for Windows systems: race conditions within kernel operations can provide attackers with direct pathways to full administrative control if not properly mitigated. Patching this CVE should therefore be a top priority for enterprise and government environments. 

Other High-Severity CVEs and Products Affected 

Beyond the zero-day, four additional vulnerabilities have been classified as Critical. These include remote code execution vulnerabilities in components like Microsoft Office and Visual Studio, which could allow attackers to execute malicious code if users open specially crafted files or interact with compromised projects. 

• CVE-2025-62199: A critical RCE vulnerability in Microsoft Office that can trigger upon viewing or opening a malicious document. This flaw is particularly dangerous because it can be exploited through the Outlook Preview Pane, requiring no additional user interaction. 
• CVE-2025-60724: A heap-based buffer overflow in the Microsoft Graphics Component (GDI+) that could potentially allow remote code execution across multiple applications. 
• CVE-2025-62214: A Visual Studio CoPilot Chat extension flaw enabling remote code execution through a complex multi-stage exploitation chain involving prompt injection and build triggering. 
• CVE-2025-59499: An elevation of privilege issue in Microsoft SQL Server that enables attackers to execute arbitrary Transact-SQL commands with elevated permissions. 

The November Patch Tuesday also covers vulnerabilities across a variety of Microsoft services, including Azure Monitor Agent, Windows DirectX, Windows OLE, Dynamics 365, OneDrive for Android, and several networking components such as WinSock and RRAS (Routing and Remote Access Service).  While five of these vulnerabilities are rated “Critical,” most are considered “Important,” reflecting Microsoft’s evaluation of exploitation complexity and impact. Nonetheless, even lower-rated CVEs can pose severe threats when combined with social engineering or used in chained attacks. 

Windows 11 Updates and Lifecycle Changes 

Alongside security fixes, the November 2025 Windows 11 Patch Tuesday (build 26200.7121, update KB5068861) introduces new features and UI enhancements. These include a redesigned Start menu that allows more app pinning, a customizable “All Apps” view, and visual changes to the Taskbar’s battery icon, which can now display color indicators and percentage values.  The update also resolves several performance and stability issues, such as Task Manager continuing to run in the background after closure, and connectivity problems in certain gaming handheld devices. Storage reliability, HTTP request parsing, and voice access setup have also been improved.  Additionally, this update coincides with the end of support for Windows 11 Home and Pro version 23H2, making a small but notable shift in Microsoft’s lifecycle policy. Users running older CPUs that lack support for the new instruction sets required by Windows 11 24H2 may need to consider hardware upgrades or extended support programs. 

The Importance of Prompt Patching 

November’s updates, though fewer in number, address several vulnerabilities with serious potential consequences if left unpatched. Administrators are urged to prioritize systems exposed to the internet or running affected components, especially those related to the Windows Kernel, Microsoft Office, and Visual Studio.  With one confirmed exploited zero-day and multiple critical RCE vulnerabilities, Microsoft Patch Tuesday for November 2025 serves as a reminder that timely patch deployment remains one of the most effective defenses against cyber threats. Organizations should also monitor system logs and intrusion detection systems for signs of exploitation and ensure that legacy or unsupported devices receive compensating controls.  The November Patch Tuesday highlights the nature of vulnerabilities that can harm even the most protected systems. With an actively exploited zero-day and several critical vulnerabilities addressed, timely patching remains essential for reducing cyber risk.  To strengthen defenses beyond standard patch cycles, organizations can leverage Cyble’s Vulnerability Management platform. Cyble continuously monitors emerging exploits and zero-day vulnerabilities, providing in-depth intelligence that helps teams prioritize patching by risk level and uncover issues not listed even in the most popular databases. Its insights into exploitation methods, dark web chatter, and mitigation options enable proactive threat prevention. Want to find vulnerabilities before threat actors do?   Schedule a personalized demo today and see how Cyble can enhance your organization’s security posture.