{"id":6139,"date":"2025-12-10T01:19:11","date_gmt":"2025-12-10T01:19:11","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6139"},"modified":"2025-12-10T01:19:11","modified_gmt":"2025-12-10T01:19:11","slug":"december-patch-tuesday-windows-cloud-files-mini-filter-driver-hole-already-being-exploited","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6139","title":{"rendered":"December Patch Tuesday: Windows Cloud Files Mini Filter Driver hole already being exploited"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Microsoft is finishing 2025 by <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/releaseNote\/2025-Dec\" target=\"_blank\" rel=\"noopener\">issuing only 57 patches<\/a> for Windows and other products for December Patch Tuesday, but one vulnerability is already being exploited as a zero day and needs to be addressed fast.<\/p>\n<p>It\u2019s an escalation of privilege vulnerability in Windows Cloud Files Mini Filter Driver (<a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-62221\" target=\"_blank\" rel=\"noopener\">CVE-2025-62221<\/a>), described as a use-after-free problem in which a program tries to use a block of memory that has already been returned to system control. The attack complexity is low. 
The worst-case scenario is that a threat actor could leverage it to escalate access privileges.<\/p>\n<p>\u201cElevation of privilege bugs turn a foothold into a full breach,\u201d <a href=\"https:\/\/www.tenable.com\/profile\/satnam-narang\" target=\"_blank\" rel=\"noopener\">Satnam Narang<\/a>, senior staff research engineer at Tenable, said in an email, \u201cas attackers often use them to conduct post-compromise activity after they have gained initial access through other means, such as social engineering or exploitation of another flaw.<\/p>\n<p>\u201cWindows Cloud Files Mini Filter Driver is an attractive target because it is a file system driver that enables cloud applications to access file system functionalities,\u201d he added.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/bicer\/\" target=\"_blank\" rel=\"noopener\">Jack Bicer<\/a>, director of vulnerability research at Action1, said patching this vulnerability is \u201cthe most urgent concern\u201d because it is being actively exploited and can be used by any attacker who obtains any level of local access.<\/p>\n<p>\u201cActive exploitation means real incidents are already occurring,\u201d he pointed out. \u201cThis vulnerability is likely to be combined with phishing, browser-based attacks, malicious documents, or other initial footholds to achieve full system takeover. The attack potential includes disabling security tooling, accessing sensitive information, moving laterally across the organization\u2019s network, and establishing persistent high-privilege access. Because the impacted driver is widely deployed across enterprise environments, the exposure is broad and the potential operational consequences significant.\u201d<\/p>\n<p>IT executives should ensure operational teams allocate resources to accelerated patching, enforce least-privilege access controls, and strengthen monitoring for anomalous activity across systems that cannot be patched immediately, he stressed. 
\u201cA focused, time-bound remediation plan, beginning with actively exploited and RCE vulnerabilities, will provide the greatest reduction in organizational risk and the strongest defense against potential widespread compromise,\u201d he said.<\/p>\n<p>Unfortunately, said <a href=\"https:\/\/www.immersivelabs.com\/author\/kevin-breen\" target=\"_blank\" rel=\"noopener\">Kevin Breen<\/a>, senior director of cyber threat research at Immersive, Microsoft has not provided any details on how this vulnerability is being exploited or provided any indicators of compromise, making it harder for defenders to start proactive threat hunting.<\/p>\n<h2 class=\"wp-block-heading\">Holes in Exchange Server<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/cyberwalters\/\" target=\"_blank\" rel=\"noopener\">Michael Walters<\/a>, president of Action1, drew attention to two vulnerabilities in Microsoft Exchange Server:<\/p>\n<p><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-64666\" target=\"_blank\" rel=\"noopener\">CVE-2025-64666<\/a>, an escalation of privilege (EoP) hole allowed by improper input validation;<\/p>\n<p><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-64667\" target=\"_blank\" rel=\"noopener\">CVE-2025-64667<\/a>, which allows a threat actor to spoof over a network.<\/p>\n<p>While rated Important and assessed as Exploitation Less Likely or Unlikely, Walters notes that these flaws affect core messaging and identity surfaces, and can become critical when chained, such as by spoofing enabling phishing, or EoP facilitating mailbox theft.<\/p>\n<p><a href=\"https:\/\/www.fortra.com\/profile\/tyler-reguly\" target=\"_blank\" rel=\"noopener\">Tyler Reguly<\/a>, associate director of R&amp;D at Fortra, said CSOs should assign priority to two other vulnerabilities that Microsoft rated as critical this month.<\/p>\n<p><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-62557\" target=\"_blank\" rel=\"noopener\">CVE-2025-62557<\/a>, a use-after-free vulnerability 
in Microsoft Office that allows an unauthorized attacker to execute code locally;<\/p>\n<p><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-62554\" target=\"_blank\" rel=\"noopener\">CVE-2025-62554<\/a>, described as an access of resource using incompatible type (\u2018type confusion\u2019) hole in Microsoft Office that allows an unauthorized attacker to execute code locally.<\/p>\n<p>Because these list the Outlook Preview Pane as an attack vector, they worry Reguly. \u201cI always find that one of the scariest attack vectors that can be listed,\u201d he said. \u201cVulnerabilities that don\u2019t rely on user interaction are vulnerabilities that we want to pay attention to.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Copilot hole for those using JetBrains<\/h2>\n<p>Breen of Immersive also said organizations using GitHub Copilot for the JetBrains application development platform should patch a hole in Copilot promptly, before threat actors find a way to exploit it.<\/p>\n<p>The vulnerability report states that it\u2019s possible to gain code execution on affected hosts by tricking the LLM into running commands that bypass the guardrails and appending instructions to the user\u2019s \u201cauto-approve\u201d settings, Breen notes. 
This can be achieved through a cross-prompt injection, he said, where the prompt is modified not by the user but by the LLM agents as they craft their own prompts based on the content of files or data retrieved from a Model Context Protocol (MCP) server.<\/p>\n<p>Although Microsoft has rated exploitation of this vulnerability as Less Likely, Breen said, CSOs taking a risk-based approach should note that developers typically have access to API keys and secrets that could give attackers a large attack surface.<\/p>\n<h2 class=\"wp-block-heading\">SAP vulnerabilities<\/h2>\n<p>Separately, SAP\u2019s Security Notes for December include four HotNews Notes, two of which are given CVSS scores in the 9s:<\/p>\n<p>note #3685270 [CVE-2025-42880] patches a code injection vulnerability in SAP Solution Manager. <a href=\"https:\/\/onapsis.com\/blog\/sap-security-patch-day-december-2025\/\" target=\"_blank\" rel=\"noopener\">According to researchers at Onapsis<\/a>, a remote-enabled function module could allow an authenticated attacker to inject arbitrary code, leading to a high impact on the confidentiality, integrity, and availability of the system. The vulnerability is patched by adding appropriate input sanitization to the affected function module. Given the central role of SAP Solution Manager in the SAP system landscape, Onapsis strongly recommends that this be patched quickly;<\/p>\n<p>note #3685286 [CVE-2025-42928] was issued after Onapsis was able to exploit a deserialization vulnerability in the SAP jConnect SDK for Sybase Adaptive Server Enterprise (ASE) to launch remote code execution by providing specially crafted input to the component. \u201cA successful exploit requires high privileges, preventing the vulnerability from being tagged with a CVSS score of 10.0,\u201d Onapsis said;<\/p>\n<p>note #3683579 affects SAP Commerce Cloud customers. 
SAP Commerce Cloud uses a version of Apache Tomcat that is vulnerable to <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-55754\" target=\"_blank\" rel=\"noopener\">CVE-2025-55754<\/a> and <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-55752\" target=\"_blank\" rel=\"noopener\">CVE-2025-55752<\/a>. This security note, with a CVSS score of 9.6, provides fixes that include a patched version of Apache Tomcat. If unpatched, these flaws put the application\u2019s confidentiality, integrity and availability at high risk, says Onapsis;<\/p>\n<p>note #3668705, tagged with a CVSS score of 9.9, was initially released on SAP\u2019s November Patch Day and patches a code injection vulnerability in SAP Solution Manager. This note was updated with additional correction instructions.<\/p>\n<h2 class=\"wp-block-heading\">Advice for 2026<\/h2>\n<p>Finally, with this last batch of patches for the year from Microsoft, Fortra\u2019s Tyler Reguly provided some context.<\/p>\n<p>\u201cIn 2025, Microsoft patched 1275 vulnerabilities,\u201d he said in an email, \u201cwhich should mean roughly 106 vulnerabilities each month, yet December only saw 70 vulnerabilities when you include the third-party CNA vulnerabilities. If all things were equal, December should account for 8.3% of all CVEs fixed by Microsoft. Instead, December only contains 5.5% of this year\u2019s total CVEs. I suppose we can thank Microsoft for an early Christmas gift.\u201d<\/p>\n<p>\u201cIf I were in charge of all aspects of security for an enterprise, as we wrap up the year and think about 2026 budgets,\u201d he added, \u201cI\u2019d probably be thinking about the two critical Office vulnerabilities that impact the Preview Pane and consider the email protections that I have in place and where I can make investments in 2026 to further improve the email security of my organization. 
Between \u2018silent attacks\u2019 that utilize the preview pane, phishing, and all the other risks that come to us via email, it is one of the places where organizations can still do more to shore up their security posture and put themselves in a good place.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft is finishing 2025 by issuing only 57 patches for Windows and other products for December Patch Tuesday, but one vulnerability is already being exploited as a zero day and needs to be addressed fast. It\u2019s an escalation of privilege vulnerability in Windows Cloud Files Mini Filter Driver (CVE-2025-62221), described as a use-after-free problem in [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6140,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6139","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6139"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6139"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6139\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6140"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%
2Fv2%2Fcategories&post=6139"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}