A giant end to 2025 in December’s Patch Tuesday – Sophos Information

Microsoft on Tuesday launched 56 patches affecting 10 product households. Two of the addressed points are thought-about by Microsoft to be of Essential severity – and, unusually, each belong to the blended Workplace-365 product household. Eight have a CVSS base rating of 8.0 or greater. One is understood to be beneath energetic exploit within the wild, and two others are publicly disclosed.

That’s the excellent news. We’ll get to the advisories in a second.

At patch time, six CVEs are judged extra prone to be exploited within the subsequent 30 days by the corporate’s estimation, along with the one already detected to be so. Varied of this month’s points are amenable to direct detection by Sophos protections, and we embody data on these in a desk beneath.

The discharge additionally contains data on 14 Edge patches launched final week, in addition to 12 ColdFusion and 4 Adobe Reader patches launched in the present day. (The only real Edge patch originating with Microsoft is counted on this complete relatively within the basic Patch Tuesday rely of 56; the remainder originated with Chromium itself and had been patched earlier within the month.) We’ve included data on all these patches in Appendix D. There is no such thing as a replace to the Servicing Stack listed in Microsoft’s manifest this month.

Microsoft additionally launched data on 84 CVEs affecting CBL Mariner and/or Azure Linux. All 84 CVEs originated with MITRE and have been addressed over the course of the previous week, and all 84 are indicated as exploited in within the wild (although none are marked as publicly disclosed). Little data was made obtainable on these 84 CVEs, however we’ve supplied some steerage in Appendix F on the finish of the publish.

We’re as at all times together with on the finish of this publish appendices itemizing all Microsoft’s patches sorted by severity (Appendix A), by predicted exploitability timeline and CVSS Base rating (Appendix B), and by product household (Appendix C). Appendix E gives a breakout of the patches affecting the varied Home windows Server platforms.

By the numbers

• Whole CVEs: 56
• Publicly disclosed: 2
• Exploit detected: 1
• Severity
  • Essential: 2
  • Necessary: 54
• Impression
  • Denial of Service: 3
  • Elevation of Privilege: 28
  • Data Disclosure: 4
  • Distant Code Execution: 19
  • Spoofing: 2
• CVSS Base rating 9.0 or better: 0
• CVSS Base rating 8.0 or better: 8

Determine 1: Elevation of Privilege points had been probably the most quite a few within the December assortment, as soon as once more

Merchandise

• Home windows: 38
• 365: 13
• Workplace: 13
• Excel: 6
• SharePoint: 5
• Phrase: 4
• Alternate: 2
• Entry: 1
• Azure: 1
• GitHub: 1

As is our customized for this record, CVEs that apply to multiple product household are counted as soon as for every household they have an effect on. We notice, by the way in which, that CVE names don’t at all times mirror affected product households carefully. Particularly, some CVEs names within the Workplace household might point out merchandise that don’t seem within the record of merchandise affected by the CVE, and vice versa.

Determine 2: A smaller, closely end-user-oriented group of product households acquired patches this month. Although Home windows accounts for half of them, patches associated to the working system are all Necessary in severity

Notable December updates

Along with the problems mentioned above, a number of particular objects benefit consideration.

CVE-2025-62554 — Microsoft Workplace Distant Code Execution Vulnerability
CVE-2025-62555 — Microsoft Phrase Distant Code Execution Vulnerability
CVE-2025-62557 — Microsoft Workplace Distant Code Execution Vulnerability
CVE-2025-62558 — Microsoft Phrase Distant Code Execution Vulnerability
CVE-2025-62559 — Microsoft Phrase Distant Code Execution Vulnerability
CVE-2025-62560 — Microsoft Excel Distant Code Execution Vulnerability
CVE-2025-62561 — Microsoft Excel Distant Code Execution Vulnerability

All seven of those RCE points have an effect on a number of variations of 365 and Workplace, together with Microsoft Workplace LTSC for Mac 2021 and 2024. Nevertheless, the patches for these Mac variations aren’t prepared but. Customers liable for updating Macs are requested to watch the CVE data for every vulnerability for additional phrase on these patches. Of the seven, pay particular consideration to CVE-2025-62554 and CVE-2025-62257 (the 2 merely known as “Workplace” vulnerabilities) – they’re those which Preview Pane is an assault vector. These two CVEs are Essential-severity and have a CVSS Base rating of 8.4. The others are Necessary-severity.

CVE-2025-54100 — PowerShell Distant Code Execution Vulnerability

As with the 84 Mariner vulnerabilities talked about above, the discharge of this patch arrived with much less data than Microsoft-issued CVEs usually do. That mentioned, this Necessary-class difficulty is allotted to Home windows; as with the GitHub difficulty mentioned beneath, it includes improper neutralization of particular parts utilized in a command. For this one, Microsoft notes that after set up, customers making an attempt to deploy the Invoke-WebRequest command will get a brand new affirmation immediate warning them of doubtless undesirable script code execution and recommending that they embody the -UseBasicParsing swap to maintain issues behaving properly.

CVE-2025-64666 — Microsoft Alternate Server Elevation of Privilege Vulnerability
CVE-2025-64667 — Microsoft Alternate Server Spoofing Vulnerability

These two Necessary-severity bugs each have an effect on Alternate Server 2016 and 2019, that are out-of-support variations of Alternate – except you’re paying for Microsoft’s Prolonged Safety Replace (ESU) program, you’re not getting these patches. (Alternate Server Subscription Version subscribers are coated.) The EoP is a reasonably specialised merchandise that might require the attacker to arrange the goal setting forward of time, whereas the Spoofing bug impacts, particularly, how From: addresses are exhibited to the consumer.

CVE-2025-64671 — GitHub Copilot for Jetbrains Distant Code Execution Vulnerability

The one publicly disclosed vulnerability to this point this month permits the Jetbrain AI-based coding assistant to wreck the vibe-coding vibe, because of improper neutralization of particular parts utilized in a command. Based on Microsoft, an attacker may execute extra instructions by appending them to instructions allowed within the consumer’s terminal auto-approve setting. This vulnerability is credited to unbiased researcher Ari Marzouk, who simply final weekend posted evaluation of a probably energetic new class of vulnerabilities in AI IDEs. An intriguing learn.

Determine 3: The yr wrapped up with Elevation of Privilege and Distant Code Execution swapping spots on the high of the charts. Be aware, although, that although there have been fewer RCE bugs squashed this yr, there was the next share of Essential-severity RCEs. General there have been 92 Essential-severity CVEs handle in 2025 in comparison with 55 final yr.

Determine 4: Behold the ultimate (one hopes) 2025 tally: In the long run, it was probably the most patch-heavy yr (1196 excluding out-of-band patch releases) since 2020 (1245 patches excluding out-of-bands), with two record-breaking months in January and October.

Sophos protections

As you may each month, for those who don’t need to wait in your system to drag down Microsoft’s updates itself, you may obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe device to find out which construct of Home windows you’re working, then obtain the Cumulative Replace bundle in your particular system’s structure and construct quantity.

Appendix A: Vulnerability Impression and Severity

This can be a record of December patches sorted by affect, then sub-sorted by severity. Every record is additional organized by CVE.

Elevation of Privilege (28 CVEs)

Distant Code Execution (19 CVEs)

Data Disclosure (4 CVEs)

Denial of Service (3 CVEs)

Spoofing (2 CVEs)

Appendix B: Exploitability and CVSS

This can be a record of the December CVEs judged by Microsoft to be extra prone to be exploited within the wild inside the first 30 days post-release. The record is organized by CVE.

The CVE listed beneath was recognized to be beneath energetic exploit previous to the discharge of this month’s patches.

These are the December CVEs with a Microsoft-assessed CVSS Base rating of 8.0 or greater. They’re organized by rating and additional sorted by CVE. For extra data on how CVSS works, please see our collection on patch prioritization schema.

Appendix C: Merchandise Affected

This can be a record of December’s patches sorted by product household, then sub-sorted by severity. Every record is additional organized by CVE. Patches which might be shared amongst a number of product households are listed a number of occasions, as soon as for every product household. Sure points for which advisories have been issued are coated in Appendix D, and points affecting Home windows Server are additional sorted in Appendix E. All CVE titles are correct as made obtainable by Microsoft; for additional data on why sure merchandise might seem in titles and never product households (or vice versa), please seek the advice of Microsoft.

Home windows (38 CVEs)

365 (13 CVEs)

Workplace (13 CVEs)

Excel (6 CVEs)

SharePoint (5 CVEs)

Phrase (4 CVEs)

Alternate (2 CVEs)

Entry (1 CVE)

Azure (1 CVE)

GitHub (1 CVE)

Appendix D: Advisories and Different Merchandise

There are 14 Edge-related advisories famous in December’s launch. All however CVE-2025-62223 originated with Chrome. All had been patched throughout the earlier week. Please notice that the Microsoft-issued CVE applies solely to Edge for Mac.

Adobe is releasing patches for 12 ColdFusion points in the present day with Bulletin APSB25-105. All 12 CVEs have an effect on ColdFusion 22, 16, 4 and earlier variations.

Adobe can be releasing patches for 4 Adobe Reader points in the present day with Bulletin APSB25-119. All 4 CVEs have an effect on Reader variations 25.001.20982, 25.001.20668, 24.001.30273, 20.005.30793, 20.005.30803 and earlier.

For data on the Mariner releases, please scroll to Appendix F.

Appendix E: Affected Home windows Server variations

This can be a desk of the 38 CVEs within the December launch affecting Home windows Server variations 2008 by means of 2025. The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). An “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to establish their particular publicity, as every reader’s state of affairs, particularly because it issues merchandise out of mainstream assist, will range. For particular Information Base numbers, please seek the advice of Microsoft.

Appendix F: CBL Mariner / Azure Linux

The next desk gives data on 84 CVEs referring to CBL Mariner and / or Azure Linux. All 84 are listed by Microsoft as beneath exploit within the wild. That mentioned, 5 of them even have CVSS Base numbers over 8.5, and we point out these in pink for these needing to prioritize. The CVEs are grouped by severity and additional ordered by CVE.