Microsoft's Patch Tuesday release yesterday addressed 56 newly identified security issues, bringing the total for 2025 to 1,139 resolved flaws. The updates cover Windows and Office as well as Azure, Copilot, Defender, Exchange, and PowerShell.
The upcoming major patch cycle is set for January 13, 2026. Below is a detailed overview of the protections applied to Microsoft's range of products and services.
Of these flaws, 38 affect the Windows editions that still receive security support from Microsoft: Windows 10, Windows 11, and Windows Server.
Even after its official support concluded in October, Windows 10 remains listed among the impacted systems. This contrasts with the handling of Windows 7, which did not receive similar treatment under the Extended Security Updates initiative.
The vulnerability tracked as CVE-2025-62221 is a severe Elevation of Privilege flaw in the cloud file mini-filter driver and is already being exploited in the wild. It is a use-after-free defect; combined with one of the Remote Code Execution flaws patched this month (several are available), it allows attackers to run malicious code with SYSTEM privileges. Every currently supported Windows edition is affected.
Microsoft also remedied two additional instances of this vulnerability type through CVE-2025-62454 and CVE-2025-62457, though these have not seen exploitation in practice.
No Windows vulnerability received a critical rating this month, but the company fixed several that still pose substantial risk. Among them are an Elevation of Privilege flaw and two Denial of Service vulnerabilities in the DirectX graphics kernel. CVE-2025-54100 closes a Remote Code Execution flaw in PowerShell that had been publicly disclosed before the patch. The Routing and Remote Access Service contains three new security holes, including the Remote Code Execution vulnerability CVE-2025-62549.
Two vulnerabilities in the Office suite have been deemed critical by Microsoft, with one actively targeted by attackers according to the company. Information on the remaining Office flaws is limited and not easily located in the Security Update Guide.
In total, Microsoft fixed 15 security problems in its Office applications, 14 of them Remote Code Execution vulnerabilities. Two of these, CVE-2025-62554 and CVE-2025-62557, are rated critical because the preview pane serves as the attack vector: an attack succeeds as soon as the user previews a malicious file, with no need to open it.
The remaining Office vulnerabilities are rated high severity; they require the user to open a specially crafted document, the classic 'open to own' scenario. Six of them affect Excel, three Word, and one each Outlook and Access.
For Exchange Server, Microsoft addressed two flaws. CVE-2025-64666 is an Elevation of Privilege vulnerability discovered and reported by the NSA. The other, CVE-2025-64667, involves spoofing.
Exchange Server 2016 and 2019 received their last regular updates in October, so installations of these versions may not be fully protected by this month's patches. An Extended Security Updates program for Exchange does, however, provide coverage for six months, through the April 2026 Patch Tuesday.
The most recent Edge browser update, version 143.0.3650.66, was released on December 4 and is based on Chromium 143.0.7499.41. It fixes several Chromium vulnerabilities and one Edge-specific flaw, CVE-2025-62223.
This piece was first published on our affiliated outlet PC-WELT and adapted from its original German version.
Since 2005, Frank Ziemann has contributed as a freelance writer to PC-WELT, focusing on news and reviews. His expertise covers IT security topics like malware, antivirus solutions, and vulnerabilities, alongside internet technologies.