Microsoft is finishing 2025 by issuing only 57 patches for Windows and other products for December Patch Tuesday, but one vulnerability is already being exploited as a zero day and needs to be addressed fast.
It’s an escalation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver (CVE-2025-62221), described as a use-after-free problem in which a program tries to use a block of memory that has already been returned to system control. The attack complexity is low. The worst-case scenario is that a threat actor could leverage it to escalate access privileges.
“Elevation of privilege bugs turn a foothold into a full breach,” Satnam Narang, senior staff research engineer at Tenable, said in an email, “as attackers often use them to conduct post-compromise activity after they have gained initial access through other means, such as social engineering or exploitation of another flaw.
“Windows Cloud Files Mini Filter Driver is an attractive target because it is a file system driver that enables cloud applications to access file system functionalities,” he added.
Jack Bicer, director of vulnerability research at Action1, said patching this vulnerability is “the most urgent concern” because it is actively being exploited by any attacker who can get any level of local access.
“Active exploitation means real incidents are already occurring,” he pointed out. “This vulnerability is likely to be combined with phishing, browser-based attacks, malicious documents, or other initial footholds to achieve full system takeover. The attack potential includes disabling security tooling, accessing sensitive information, moving laterally across the organization’s network, and establishing persistent high-privilege access. Because the impacted driver is widely deployed across enterprise environments, the exposure is broad and the potential operational consequences significant.”
IT executives should ensure operational teams allocate resources to accelerated patching, enforce least-privilege access controls, and strengthen monitoring for anomalous activity across systems that cannot be patched immediately, he stressed. “A focused, time-bound remediation plan, beginning with actively exploited and RCE vulnerabilities, will provide the greatest reduction in organizational risk and the strongest defense against potential widespread compromise,” he said.
Unfortunately, said Kevin Breen, senior director of cyber threat research at Immersive, Microsoft has not provided any details on how this exploit is being abused or provided any indicators of compromise, making it harder for defenders to start proactive threat hunting.
Holes in Exchange Server
Michael Walters, president of Action1, drew attention to two vulnerabilities in Microsoft Exchange Server:
CVE-2025-64666, an escalation of privilege (EoP) hole allowed by improper input validation;
CVE-2025-64667, which allows a threat actor to spoof over a network.
While both are rated Important and assessed as exploitation Less Likely/Unlikely, Walters notes that these flaws affect core messaging and identity surfaces and can become critical when chained, for example spoofing enabling phishing, or the EoP facilitating mailbox theft.
Tyler Reguly, associate director of R&D at Fortra, said CSOs should assign priority to two other vulnerabilities that Microsoft rated as critical this month.
CVE-2025-62557, a use-after-free vulnerability in Microsoft Office that allows an unauthorized attacker to execute code locally;
CVE-2025-62554, described as an access of resource using incompatible type (‘type confusion’) hole in Microsoft Office that allows an unauthorized attacker to execute code locally.
Because these list the Outlook Preview Pane as an attack vector, they worry Reguly. “I always find that one of the scariest attack vectors that can be listed,” he said. “Vulnerabilities that don’t rely on user interaction are vulnerabilities that we want to pay attention to.”
Copilot hole for those using JetBrains
Breen of Immersive also said organizations using GitHub Copilot for the JetBrains application development platform should patch a hole in Copilot promptly, before threat actors find a way to exploit it.
The vulnerability report states that it’s possible to achieve code execution on affected hosts by tricking the LLM into running commands that bypass the guardrails and appending instructions to the user’s “auto-approve” settings, Breen notes. This can be achieved through a Cross Prompt Injection, he said, where the prompt is modified not by the user but by the LLM agents as they craft their own prompts based on the content of files or data retrieved from a Model Context Protocol (MCP) server.
Although Microsoft has marked this exploitation as Less Likely, Breen said, CSOs taking a risk-based approach should note that developers typically have access to API keys and secrets that could enable a large attack surface for attackers.
SAP vulnerabilities
Separately, SAP’s Security Notes for December include four HotNews Notes, two of which are given CVSS scores in the 9s:
note #3685270 [CVE-2025-42880] patches a code injection vulnerability in SAP Solution Manager. According to researchers at Onapsis, a remote-enabled function module could allow an authenticated attacker to inject arbitrary code, leading to a high impact on the confidentiality, integrity, and availability of the system. The vulnerability is patched by adding appropriate input sanitization to the affected function module. Given the central role of SAP Solution Manager in the SAP system landscape, Onapsis strongly recommends that this be patched quickly;
note #3685286 [CVE-2025-42928] was issued after Onapsis was able to exploit a deserialization vulnerability in the SAP jConnect SDK for Sybase Adaptive Server Enterprise (ASE) to launch remote code execution by providing specially crafted input to the component. “A successful exploit requires high privileges, preventing the vulnerability from being tagged with a CVSS score of 10.0,” Onapsis said;
note #3683579 affects SAP Commerce Cloud customers. SAP Commerce Cloud uses a version of Apache Tomcat that is vulnerable to CVE-2025-55754 and CVE-2025-55752. This security note, with a CVSS score of 9.6, provides fixes that include a patched version of Apache Tomcat. If unpatched, these flaws put the application’s confidentiality, integrity and availability at high risk, says Onapsis.
note #3668705, tagged with a CVSS score of 9.9, was initially released on SAP’s November Patch Day and patches a Code Injection vulnerability in SAP Solution Manager. This note was updated with additional correction instructions.
Advice for 2026
Finally, with this last batch of patches for the year from Microsoft, Fortra’s Tyler Reguly provided some context.
“In 2025, Microsoft patched 1275 vulnerabilities,” he said in an email. “Which should mean roughly 106 vulnerabilities each month, yet December only saw 70 vulnerabilities when you include the third-party CNA vulnerabilities. If all things were equal, December should account for 8.3% of all CVEs fixed by Microsoft. Instead December only contains 5.5% of this year’s total CVEs. I suppose we can thank Microsoft for an early Christmas gift.”
“If I were in charge of all aspects of security for an enterprise, as we wrap up the year and think about 2026 budgets,” he added, “I’d probably be thinking about the two critical Office vulnerabilities that impact the Preview Pane and consider the email protections that I have in place and where I can make investments in 2026 to further improve the email security of my organization. Between ‘silent attacks’ that utilize the preview pane, phishing, and all the other risks that come to us via email, it is one of the places where organizations can still do more to shore up their security posture and put themselves in a good place.”