Microsoft released its December 2025 security update (Patch Tuesday) containing a total of 57 updates for Windows 11, including KB5072033 and KB5071417. This update addresses one zero-day vulnerability that has been actively exploited and two publicly disclosed vulnerabilities.
This update includes three critical vulnerabilities, all of which are Remote Code Execution (RCE) vulnerabilities.
Details of the vulnerabilities addressed are as follows:
* Privilege Elevation Vulnerabilities: 28
* Remote Code Execution Vulnerabilities: 19
* Information Disclosure Vulnerabilities: 4
* Denial of Service Vulnerabilities: 3
* Spoofing Vulnerabilities: 2
These figures do not include Microsoft Edge vulnerabilities (15) and Mariner vulnerabilities that were patched earlier in the same month.
Details of Zero-Day Vulnerabilities in December 2025
1. CVE-2025-62221 Windows Cloud Files Mini Filter Driver
This privilege escalation vulnerability stems from a Use-After-Free issue in the Windows Cloud Files Mini Filter Driver, a component used to manage files on cloud services such as OneDrive or other file syncing services. When successfully exploited, an attacker who already has a foothold on the system can escalate to SYSTEM privileges, the highest level of Windows privileges, allowing them to install programs, modify system files, or gain full control of the machine.
Microsoft has confirmed that this vulnerability has been exploited, but has not yet disclosed the attack methods or related campaigns.
This vulnerability was discovered by Microsoft's own MSTIC and MSRC teams.
2. CVE-2025-64671 GitHub Copilot for JetBrains
This is a Command Injection vulnerability in the GitHub Copilot version for JetBrains IDEs (e.g., IntelliJ IDEA, PyCharm). Copilot does not properly filter special characters used to execute system commands, allowing attackers to inject malicious commands.
This vulnerability can be exploited through cross-prompt injection in untrusted code files and malicious MCP servers. If a victim opens such a file or connects to an unsafe source, the attacker's embedded commands can be automatically appended and executed in the user's terminal, especially when the IDE's auto-approve setting for commands is enabled.
This vulnerability was disclosed by Ari Marzuk in his research paper "IDEsaster: A Novel Vulnerability Class in AI IDEs".
3. CVE-2025-54100 PowerShell
This vulnerability arises from PowerShell automatically parsing web pages when using the `Invoke-WebRequest` command. A fetched page may contain embedded malicious scripts or code that can be unintentionally executed.
The impact is that attackers can embed scripts in web pages. When a victim runs `Invoke-WebRequest <URL>`, PowerShell parses the full page content, and the embedded malicious code can immediately run on the victim's machine. Microsoft has therefore added a new warning system and recommends that users add `-UseBasicParsing` to prevent unintentional code execution from web pages.
This vulnerability was reported by several researchers, including Justin Necke, DeadOverflow, Pēteris Hermanis Osipovs, Melih Kaan Yıldız, and Osman Eren Güneş.
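The `-UseBasicParsing` mitigation above only helps if every script actually passes it. The following PowerShell is an added example, not code from the original post or from Microsoft: a wrapper that always fetches with `-UseBasicParsing`, plus an audit function that walks a directory of `.ps1` files and reports `Invoke-WebRequest` calls (including its `iwr`, `wget` and `curl` aliases in Windows PowerShell 5.1) that omit the switch. It uses PowerShell's own parser so that comments and string literals do not trigger false positives. The scan path `C:\Scripts` is a placeholder.

```powershell
# Added example (not from the original post): safe fetch wrapper plus an audit for
# Invoke-WebRequest calls that omit -UseBasicParsing.
# Assumes Windows PowerShell 5.1, where the HTML DOM parser is the default and the
# wget/curl aliases still point at Invoke-WebRequest.

function Get-WebTextSafely {
    param([Parameter(Mandatory)][string]$Uri)
    # -UseBasicParsing skips DOM parsing; the body comes back as raw text only
    (Invoke-WebRequest -Uri $Uri -UseBasicParsing).Content
}

function Find-UnsafeInvokeWebRequest {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Names that resolve to Invoke-WebRequest in Windows PowerShell 5.1
    $targets = @('Invoke-WebRequest', 'iwr', 'wget', 'curl')

    foreach ($file in Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File) {
        $tokens = $null; $errors = $null
        $ast = [System.Management.Automation.Language.Parser]::ParseFile(
            $file.FullName, [ref]$tokens, [ref]$errors)

        # Every command invocation, including those inside nested script blocks
        $commands = $ast.FindAll({
            param($node)
            $node -is [System.Management.Automation.Language.CommandAst]
        }, $true)

        foreach ($cmd in $commands) {
            if ($cmd.GetCommandName() -notin $targets) { continue }

            # Collect the parameter names used in this call (the "-Name" elements)
            $params = $cmd.CommandElements |
                Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
                ForEach-Object { $_.ParameterName }

            # PowerShell accepts unambiguous prefixes (e.g. -UseBasic), so match by prefix
            $hasBasic = $params | Where-Object {
                'UseBasicParsing'.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
            }

            if (-not $hasBasic) {
                [pscustomobject]@{
                    File = $file.FullName
                    Line = $cmd.Extent.StartLineNumber
                    Call = $cmd.Extent.Text
                }
            }
        }
    }
}

# Usage (placeholder path): list every unsafe call so it can be fixed
# Find-UnsafeInvokeWebRequest -Path 'C:\Scripts' | Format-Table -AutoSize
```

Running the audit as part of a pre-commit hook or a scheduled job gives a cheap check that the recommended mitigation is actually in place across an organization's automation, rather than relying on each author to remember the switch.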
System administrators are advised to update Windows and Microsoft products promptly, especially for zero-day vulnerabilities and remotely exploitable vulnerabilities. They should also monitor updates from other software vendors to reduce the risk of attacks exploiting these vulnerabilities.