A giant end to 2025 in December’s Patch Tuesday – Sophos Information

Microsoft on Tuesday launched 56 patches affecting 10 product households. Two of the addressed points are thought of by Microsoft to be of Crucial severity – and, unusually, each belong to the blended Workplace-365 product household. Eight have a CVSS base rating of 8.0 or greater. One is understood to be beneath energetic exploit within the wild, and two others are publicly disclosed.

That’s the excellent news. We’ll get to the advisories in a second.

At patch time, six CVEs are judged extra more likely to be exploited within the subsequent 30 days by the corporate’s estimation, along with the one already detected to be so. Varied of this month’s points are amenable to direct detection by Sophos protections, and we embody data on these in a desk beneath.

The discharge additionally consists of data on 14 Edge patches launched final week, in addition to 12 ColdFusion and 4 Adobe Reader patches launched right now. (The only real Edge patch originating with Microsoft is counted on this complete slightly within the basic Patch Tuesday rely of 56; the remaining originated with Chromium itself and have been patched earlier within the month.) We’ve included data on all these patches in Appendix D. There is no such thing as a replace to the Servicing Stack listed in Microsoft’s manifest this month.

Microsoft additionally launched data on 84 CVEs affecting CBL Mariner and/or Azure Linux. All 84 CVEs originated with MITRE and have been addressed over the course of the previous week, and all 84 are indicated as exploited in within the wild (although none are marked as publicly disclosed). Little data was made out there on these 84 CVEs, however we’ve supplied some steering in Appendix F on the finish of the publish.

We’re as all the time together with on the finish of this publish appendices itemizing all Microsoft’s patches sorted by severity (Appendix A), by predicted exploitability timeline and CVSS Base rating (Appendix B), and by product household (Appendix C). Appendix E offers a breakout of the patches affecting the assorted Home windows Server platforms.

By the numbers

• Complete CVEs: 56
• Publicly disclosed: 2
• Exploit detected: 1
• Severity
  • Crucial: 2
  • Essential: 54
• Impression
  • Denial of Service: 3
  • Elevation of Privilege: 28
  • Data Disclosure: 4
  • Distant Code Execution: 19
  • Spoofing: 2
• CVSS Base rating 9.0 or better: 0
• CVSS Base rating 8.0 or better: 8

Determine 1: Elevation of Privilege points have been probably the most quite a few within the December assortment, as soon as once more

Merchandise

• Home windows: 38
• 365: 13
• Workplace: 13
• Excel: 6
• SharePoint: 5
• Phrase: 4
• Change: 2
• Entry: 1
• Azure: 1
• GitHub: 1

As is our customized for this record, CVEs that apply to a couple of product household are counted as soon as for every household they have an effect on. We notice, by the best way, that CVE names don’t all the time replicate affected product households carefully. Specifically, some CVEs names within the Workplace household might point out merchandise that don’t seem within the record of merchandise affected by the CVE, and vice versa.

Determine 2: A smaller, closely end-user-oriented group of product households acquired patches this month. Although Home windows accounts for half of them, patches associated to the working system are all Essential in severity

Notable December updates

Along with the problems mentioned above, a number of particular objects benefit consideration.

CVE-2025-62554 — Microsoft Workplace Distant Code Execution Vulnerability
CVE-2025-62555 — Microsoft Phrase Distant Code Execution Vulnerability
CVE-2025-62557 — Microsoft Workplace Distant Code Execution Vulnerability
CVE-2025-62558 — Microsoft Phrase Distant Code Execution Vulnerability
CVE-2025-62559 — Microsoft Phrase Distant Code Execution Vulnerability
CVE-2025-62560 — Microsoft Excel Distant Code Execution Vulnerability
CVE-2025-62561 — Microsoft Excel Distant Code Execution Vulnerability

All seven of those RCE points have an effect on a number of variations of 365 and Workplace, together with Microsoft Workplace LTSC for Mac 2021 and 2024. Nonetheless, the patches for these Mac variations aren’t prepared but. Customers liable for updating Macs are requested to watch the CVE data for every vulnerability for additional phrase on these patches. Of the seven, pay particular consideration to CVE-2025-62554 and CVE-2025-62257 (the 2 merely referred to as “Workplace” vulnerabilities) – they’re those which Preview Pane is an assault vector. These two CVEs are Crucial-severity and have a CVSS Base rating of 8.4. The others are Essential-severity.

CVE-2025-54100 — PowerShell Distant Code Execution Vulnerability

As with the 84 Mariner vulnerabilities talked about above, the discharge of this patch arrived with much less data than Microsoft-issued CVEs typically do. That mentioned, this Essential-class subject is allotted to Home windows; as with the GitHub subject mentioned beneath, it includes improper neutralization of particular components utilized in a command. For this one, Microsoft notes that after set up, customers trying to deploy the Invoke-WebRequest command will get a brand new affirmation immediate warning them of probably undesirable script code execution and recommending that they embody the -UseBasicParsing change to maintain issues behaving properly.

CVE-2025-64666 — Microsoft Change Server Elevation of Privilege Vulnerability
CVE-2025-64667 — Microsoft Change Server Spoofing Vulnerability

These two Essential-severity bugs each have an effect on Change Server 2016 and 2019, that are out-of-support variations of Change – except you’re paying for Microsoft’s Prolonged Safety Replace (ESU) program, you’re not getting these patches. (Change Server Subscription Version subscribers are coated.) The EoP is a reasonably specialised merchandise that may require the attacker to arrange the goal setting forward of time, whereas the Spoofing bug impacts, particularly, how From: addresses are exhibited to the consumer.

CVE-2025-64671 — GitHub Copilot for Jetbrains Distant Code Execution Vulnerability

The one publicly disclosed vulnerability to date this month permits the Jetbrain AI-based coding assistant to spoil the vibe-coding vibe, because of improper neutralization of particular components utilized in a command. Based on Microsoft, an attacker may execute extra instructions by appending them to instructions allowed within the consumer’s terminal auto-approve setting. This vulnerability is credited to impartial researcher Ari Marzouk, who simply final weekend posted evaluation of a probably full of life new class of vulnerabilities in AI IDEs. An intriguing learn.

Determine 3: The 12 months wrapped up with Elevation of Privilege and Distant Code Execution swapping spots on the prime of the charts. Be aware, although, that despite the fact that there have been fewer RCE bugs squashed this 12 months, there was the next share of Crucial-severity RCEs. Total there have been 92 Crucial-severity CVEs deal with in 2025 in comparison with 55 final 12 months.

Determine 4: Behold the ultimate (one hopes) 2025 tally: In the long run, it was probably the most patch-heavy 12 months (1196 excluding out-of-band patch releases) since 2020 (1245 patches excluding out-of-bands), with two record-breaking months in January and October.

Sophos protections

As you possibly can each month, in case you don’t wish to wait on your system to tug down Microsoft’s updates itself, you possibly can obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe instrument to find out which construct of Home windows you’re operating, then obtain the Cumulative Replace bundle on your particular system’s structure and construct quantity.

Appendix A: Vulnerability Impression and Severity

It is a record of December patches sorted by affect, then sub-sorted by severity. Every record is additional organized by CVE.

Elevation of Privilege (28 CVEs)

Distant Code Execution (19 CVEs)

Data Disclosure (4 CVEs)

Denial of Service (3 CVEs)

Spoofing (2 CVEs)

Appendix B: Exploitability and CVSS

It is a record of the December CVEs judged by Microsoft to be extra more likely to be exploited within the wild throughout the first 30 days post-release. The record is organized by CVE.

The CVE listed beneath was identified to be beneath energetic exploit previous to the discharge of this month’s patches.

These are the December CVEs with a Microsoft-assessed CVSS Base rating of 8.0 or greater. They’re organized by rating and additional sorted by CVE. For extra data on how CVSS works, please see our sequence on patch prioritization schema.

Appendix C: Merchandise Affected

It is a record of December’s patches sorted by product household, then sub-sorted by severity. Every record is additional organized by CVE. Patches which are shared amongst a number of product households are listed a number of occasions, as soon as for every product household. Sure points for which advisories have been issued are coated in Appendix D, and points affecting Home windows Server are additional sorted in Appendix E. All CVE titles are correct as made out there by Microsoft; for additional data on why sure merchandise might seem in titles and never product households (or vice versa), please seek the advice of Microsoft.

Home windows (38 CVEs)

365 (13 CVEs)

Workplace (13 CVEs)

Excel (6 CVEs)

SharePoint (5 CVEs)

Phrase (4 CVEs)

Change (2 CVEs)

Entry (1 CVE)

Azure (1 CVE)

GitHub (1 CVE)

Appendix D: Advisories and Different Merchandise

There are 14 Edge-related advisories famous in December’s launch. All however CVE-2025-62223 originated with Chrome. All have been patched in the course of the earlier week. Please notice that the Microsoft-issued CVE applies solely to Edge for Mac.

Adobe is releasing patches for 12 ColdFusion points right now with Bulletin APSB25-105. All 12 CVEs have an effect on ColdFusion 22, 16, 4 and earlier variations.

Adobe can be releasing patches for 4 Adobe Reader points right now with Bulletin APSB25-119. All 4 CVEs have an effect on Reader variations 25.001.20982, 25.001.20668, 24.001.30273, 20.005.30793, 20.005.30803 and earlier.

For data on the Mariner releases, please scroll to Appendix F.

Appendix E: Affected Home windows Server variations

It is a desk of the 38 CVEs within the December launch affecting Home windows Server variations 2008 by 2025. The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). An “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to determine their particular publicity, as every reader’s scenario, particularly because it issues merchandise out of mainstream help, will differ. For particular Information Base numbers, please seek the advice of Microsoft.

Appendix F: CBL Mariner / Azure Linux

The next desk offers data on 84 CVEs referring to CBL Mariner and / or Azure Linux. All 84 are listed by Microsoft as beneath exploit within the wild. That mentioned, 5 of them even have CVSS Base numbers over 8.5, and we point out these in purple for these needing to prioritize. The CVEs are grouped by severity and additional ordered by CVE.