December 2025 Patch Tuesday
Key Takeaways
- December Patch Tuesday lineup includes one known exploit in the Windows OS that warrants attention.
- Third-party Patch Tuesday updates include Mozilla and Adobe. Google has so far released Chrome for iOS updates only; a Chrome Desktop release is expected this week.
Here we are at the final Patch Tuesday for 2025. Microsoft has resolved 56 CVEs (two Critical and 54 Important). Included in this release are one known exploited CVE (CVE-2025-62221) and two publicly disclosed CVEs (CVE-2025-54100 and CVE-2025-64671). This month’s OS update resolves the exploited CVE (CVE-2025-62221) and one of the public disclosures (CVE-2025-54100), making the Windows OS the top priority this month. The other public disclosure is in GitHub Copilot for JetBrains (CVE-2025-64671), which requires developers to download and update the GitHub Copilot plugin.
Third-party updates this Patch Tuesday include multiple releases from Mozilla for Firefox 146 and Firefox ESR 115.31 and 140.6. Adobe released five updates to resolve 142 CVEs including an update for Adobe Acrobat and Reader. Four of five updates are rated as Priority Three, but the Adobe ColdFusion update is rated Priority One. There are no known exploits, but the ColdFusion update resolves the bulk of the CVEs resolved by Adobe this month.
Microsoft’s exploited vulnerability
Microsoft has resolved an Elevation of Privilege vulnerability in Cloud Files Mini Filter Driver (CVE-2025-62221). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8 but is confirmed to be exploited in the wild. An attacker who successfully exploits this CVE could gain SYSTEM privileges. The CVE affects Windows 10 and later Windows editions. A risk-based prioritization approach would prioritize this CVE as Critical.
Microsoft’s publicly disclosed vulnerabilities
Microsoft has resolved a Remote Code Execution vulnerability in PowerShell (CVE-2025-54100). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8 but has been publicly disclosed. The fix provides a warning and guidance to avoid the potential remote code execution, but the nature of the exposure makes it unlikely to be fully remediated. The Invoke-WebRequest cmdlet parses the contents of a web page and could run script code contained in the page when it is parsed. A warning is presented recommending the use of the -UseBasicParsing switch to avoid script code execution. The CVE affects Windows Server 2008 and later Windows editions.
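As an added example (not from the original post or from Microsoft), the following PowerShell function uses the PowerShell parser's AST to audit a script for Invoke-WebRequest calls that omit the -UseBasicParsing switch the warning recommends. The sample script content, its temporary file path, and the function name are constructed for illustration.

```powershell
# Added example: report Invoke-WebRequest calls (and its Windows PowerShell 5.1
# aliases) that do not pass -UseBasicParsing. Basic parsing is already the
# default in PowerShell 6+, so this audit mainly matters for 5.1 scripts.
function Find-UnsafeInvokeWebRequest {
    param([Parameter(Mandatory)][string]$Path)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile(
        $Path, [ref]$tokens, [ref]$errors)

    # Collect every command invocation that resolves to Invoke-WebRequest.
    $calls = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst] -and
        $node.GetCommandName() -in @('Invoke-WebRequest', 'iwr', 'curl', 'wget')
    }, $true)

    foreach ($call in $calls) {
        # Accept the full switch name or any unambiguous prefix (e.g. -UseBasic),
        # but treat an explicit -UseBasicParsing:$false as unsafe.
        $hasBasic = $call.CommandElements | Where-Object {
            $_ -is [System.Management.Automation.Language.CommandParameterAst] -and
            'UseBasicParsing'.StartsWith($_.ParameterName, 'OrdinalIgnoreCase') -and
            ($null -eq $_.Argument -or $_.Argument.Extent.Text -ne '$false')
        }
        if (-not $hasBasic) {
            [pscustomobject]@{
                File = $Path
                Line = $call.Extent.StartLineNumber
                Text = $call.Extent.Text
            }
        }
    }
}

# Constructed sample script: only the first and last calls should be flagged.
$sample = @'
$page  = Invoke-WebRequest -Uri 'https://example.invalid/status'
$safe  = iwr -UseBasicParsing -Uri 'https://example.invalid/status'
$short = Invoke-WebRequest -UseBasic 'https://example.invalid/feed'
$bad   = curl -UseBasicParsing:$false 'https://example.invalid/feed'
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'iwr-audit-sample.ps1'
Set-Content -Path $tmp -Value $sample
Find-UnsafeInvokeWebRequest -Path $tmp | Format-Table -AutoSize
```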
Microsoft has resolved a Remote Code Execution vulnerability in GitHub Copilot for JetBrains (CVE-2025-64671). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.4 but has been publicly disclosed. An attacker could use a malicious cross-prompt injection in untrusted files or MCP servers to execute additional commands by appending them to commands permitted by the user’s terminal auto-approve setting.
Ivanti security advisories
Ivanti has released one security update this month. The update affects Ivanti Endpoint Manager and resolves four vulnerabilities. More details and information about mitigations can be found in the December Security Advisory.
Third-party vulnerabilities
Mozilla has released updates for Firefox and Firefox ESR resolving a total of 27 CVEs. All three updates have an Impact rating of High.
Adobe released five updates this month affecting ColdFusion, Experience Manager, DNG SDK, Acrobat and Reader, and Creative Cloud Desktop. The ColdFusion update is rated Priority One and resolves the majority of the 142 CVEs. The other four updates are rated Priority Three.
December update priorities
The Windows OS update is the priority this month to resolve CVE-2025-62221.
All other updates can be handled under normal SLA priorities.