A big finish to 2025 in December’s Patch Tuesday

Microsoft on Tuesday released 56 patches affecting 10 product families. Two of the addressed issues are considered by Microsoft to be of Critical severity – and, unusually, both belong to the blended Office-365 product family. Eight have a CVSS base score of 8.0 or higher. One is known to be under active exploit in the wild, and two others are publicly disclosed.

That’s the good news. We’ll get to the advisories in a moment.

At patch time, six CVEs are judged more likely to be exploited in the next 30 days by the company’s estimation, in addition to the one already detected to be so. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in a table below.

The release also includes information on 14 Edge patches released last week, as well as 12 ColdFusion and four Adobe Reader patches released today. (The sole Edge patch originating with Microsoft is counted in this total rather in the general Patch Tuesday count of 56; the rest originated with Chromium itself and were patched earlier in the month.) We have included information on all those patches in Appendix D. There is no update to the Servicing Stack listed in Microsoft’s manifest this month.

Microsoft also released information on 84 CVEs affecting CBL Mariner and/or Azure Linux. All 84 CVEs originated with MITRE and have been addressed over the course of the past week, and all 84 are indicated as exploited in in the wild (though none are marked as publicly disclosed). Little information was made available on these 84 CVEs, but we’ve provided some guidance in Appendix F at the end of the post.

We are as always including at the end of this post appendices listing all Microsoft’s patches sorted by severity (Appendix A), by predicted exploitability timeline and CVSS Base score (Appendix B), and by product family (Appendix C). Appendix E provides a breakout of the patches affecting the various Windows Server platforms.

By the numbers

• Total CVEs: 56
• Publicly disclosed: 2
• Exploit detected: 1
• Severity
  • Critical: 2
  • Important: 54
• Impact
  • Denial of Service: 3
  • Elevation of Privilege: 28
  • Information Disclosure: 4
  • Remote Code Execution: 19
  • Spoofing: 2
• CVSS Base score 9.0 or greater: 0
• CVSS Base score 8.0 or greater: 8

Figure 1: Elevation of Privilege issues were the most numerous in the December collection, once again

Products

• Windows: 38
• 365: 13
• Office: 13
• Excel: 6
• SharePoint: 5
• Word: 4
• Exchange: 2
• Access: 1
• Azure: 1
• GitHub: 1

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect. We note, by the way, that CVE names don’t always reflect affected product families closely. In particular, some CVEs names in the Office family may mention products that don’t appear in the list of products affected by the CVE, and vice versa.

Figure 2: A smaller, heavily end-user-oriented group of product families received patches this month. Though Windows accounts for half of them, patches related to the operating system are all Important in severity

Notable December updates

In addition to the issues discussed above, several specific items merit attention.

CVE-2025-62554 — Microsoft Office Remote Code Execution Vulnerability
CVE-2025-62555 — Microsoft Word Remote Code Execution Vulnerability
CVE-2025-62557 — Microsoft Office Remote Code Execution Vulnerability
CVE-2025-62558 — Microsoft Word Remote Code Execution Vulnerability
CVE-2025-62559 — Microsoft Word Remote Code Execution Vulnerability
CVE-2025-62560 — Microsoft Excel Remote Code Execution Vulnerability
CVE-2025-62561 — Microsoft Excel Remote Code Execution Vulnerability

All seven of these RCE issues affect multiple versions of 365 and Office, including Microsoft Office LTSC for Mac 2021 and 2024. However, the patches for those Mac versions aren’t ready yet. Users responsible for updating Macs are asked to monitor the CVE information for each vulnerability for further word on those patches. Of the seven, pay special attention to CVE-2025-62554 and CVE-2025-62257 (the two simply called “Office” vulnerabilities) – they’re the ones which Preview Pane is an attack vector. Those two CVEs are Critical-severity and have a CVSS Base score of 8.4. The others are Important-severity.

CVE-2025-54100 — PowerShell Remote Code Execution Vulnerability

As with the 84 Mariner vulnerabilities mentioned above, the release of this patch arrived with less information than Microsoft-issued CVEs generally do. That said, this Important-class issue is allotted to Windows; as with the GitHub issue discussed below, it involves improper neutralization of special elements used in a command. For this one, Microsoft notes that after installation, users attempting to deploy the Invoke-WebRequest command will get a new confirmation prompt warning them of potentially unwanted script code execution and recommending that they include the -UseBasicParsing switch to keep things behaving nicely.

CVE-2025-64666 — Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2025-64667 — Microsoft Exchange Server Spoofing Vulnerability

These two Important-severity bugs both affect Exchange Server 2016 and 2019, which are out-of-support versions of Exchange – unless you’re paying for Microsoft’s Extended Security Update (ESU) program, you’re not getting these patches. (Exchange Server Subscription Edition subscribers are covered.) The EoP is a fairly specialized item that would require the attacker to prepare the target environment ahead of time, while the Spoofing bug affects, specifically, how From: addresses are displayed to the user.

CVE-2025-64671 — GitHub Copilot for Jetbrains Remote Code Execution Vulnerability

The only publicly disclosed vulnerability so far this month allows the Jetbrain AI-based coding assistant to ruin the vibe-coding vibe, thanks to improper neutralization of special elements used in a command. According to Microsoft, an attacker could execute additional commands by appending them to commands allowed in the user’s terminal auto-approve setting. This vulnerability is credited to independent researcher Ari Marzouk, who just last weekend posted analysis of a potentially lively new class of vulnerabilities in AI IDEs. An intriguing read.

Figure 3: The year wrapped up with Elevation of Privilege and Remote Code Execution swapping spots at the top of the charts. Note, though, that even though there were fewer RCE bugs squashed this year, there was a higher percentage of Critical-severity RCEs. Overall there were 92 Critical-severity CVEs address in 2025 compared to 55 last year.

Figure 4: Behold the final (one hopes) 2025 tally: In the end, it was the most patch-heavy year (1196 excluding out-of-band patch releases) since 2020 (1245 patches excluding out-of-bands), with two record-breaking months in January and October.

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of December patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Elevation of Privilege (28 CVEs)

Remote Code Execution (19 CVEs)

Information Disclosure (4 CVEs)

Denial of Service (3 CVEs)

Spoofing (2 CVEs)

Appendix B: Exploitability and CVSS

This is a list of the December CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. The list is arranged by CVE.

The CVE listed below was known to be under active exploit prior to the release of this month’s patches.

These are the December CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema.

Appendix C: Products Affected

This is a list of December’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family. Certain issues for which advisories have been issued are covered in Appendix D, and issues affecting Windows Server are further sorted in Appendix E. All CVE titles are accurate as made available by Microsoft; for further information on why certain products may appear in titles and not product families (or vice versa), please consult Microsoft.

Windows (38 CVEs)

365 (13 CVEs)

Office (13 CVEs)

Excel (6 CVEs)

SharePoint (5 CVEs)

Word (4 CVEs)

Exchange (2 CVEs)

Access (1 CVE)

Azure (1 CVE)

GitHub (1 CVE)

Appendix D: Advisories and Other Products

There are 14 Edge-related advisories noted in December’s release. All but CVE-2025-62223 originated with Chrome. All were patched during the previous week. Please note that the Microsoft-issued CVE applies only to Edge for Mac.

Adobe is releasing patches for 12 ColdFusion issues today with Bulletin APSB25-105. All 12 CVEs affect ColdFusion 22, 16, 4 and earlier versions.

Adobe is also releasing patches for four Adobe Reader issues today with Bulletin APSB25-119. All four CVEs affect Reader versions 25.001.20982, 25.001.20668, 24.001.30273, 20.005.30793, 20.005.30803 and earlier.

For information on the Mariner releases, please scroll to Appendix F.

Appendix E: Affected Windows Server versions

This is a table of the 38 CVEs in the December release affecting Windows Server versions 2008 through 2025. The table differentiates among major versions of the platform but doesn’t go into deeper detail (eg., Server Core). An “x” indicates that the CVE does not apply to that version. Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft.

Appendix F: CBL Mariner / Azure Linux

The following table provides information on 84 CVEs relating to CBL Mariner and / or Azure Linux. All 84 are listed by Microsoft as under exploit in the wild. That said, five of them also have CVSS Base numbers over 8.5, and we indicate those in red for those needing to prioritize. The CVEs are grouped by severity and further ordered by CVE.