Virtual Administrator’s December 2025 Patch Recommendations
All new patches will be approved in our patch policy.
December is a light month with only 56 patches, including one zero-day, CVE-2025-62221. Overall, in 2025 Microsoft released patches to address 1,275 CVEs. That’s about 12% more than in 2024 and only the third time ever we’ve seen over 1,000 in one year. 2020 still holds the record with about 100 more.
- Actively exploited CVE-2025-62221 is a use-after-free privilege escalation vulnerability in Windows Cloud Files Mini Filter Driver. An authorized attacker could elevate privileges locally and obtain SYSTEM permissions.
- The remaining Critical patches are CVE-2025-62554 and CVE-2025-62557. These are vulnerabilities in Microsoft Office, and both could allow an unauthorized attacker to execute code locally. The Preview Pane is an attack vector.
- The two other Disclosed vulnerabilities are CVE-2025-54100 and CVE-2025-64671. CVE-2025-54100 is a PowerShell vulnerability that could cause scripts embedded in a webpage to be executed, allowing an unauthorized attacker to execute code locally. Admins must take additional steps to be fully protected. (See “Notable CVEs” below.)
- CVE-2025-64671 is a remote code execution flaw in the GitHub Copilot plugin for the JetBrains AI-based coding assistant which could allow an unauthorized attacker to execute code locally. We will likely see more AI bugs like this in 2026.
- No new Security Advisories this month.
Disclosed: CVE-2025-54100, CVE-2025-64671
Exploited: CVE-2025-62221
Security Update Guide
https://msrc.microsoft.com/update-guide/en-us
Known Issues
On Windows 11 and Server 2025, the password icon may be missing from the sign-in options on the lock screen.
Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues, it is unlikely to occur now.
“Password icon might be missing or invisible in the lock screen sign-in options”
Affected platforms: Windows 11 24H2/25H2, Server 2025 (KB5072033)
Symptom: After installing the August 2025 non-security preview update (KB5064081) or later updates, you might notice that the password icon is not visible in the sign-in options on the lock screen. If you hover over the space where the icon should appear, you’ll see that the password button is still available. Select this placeholder to open the password text box and enter your password. After entering your password, you can sign in normally. Individuals using Windows Home or Pro editions on personal devices are very unlikely to experience this issue. This issue primarily affects enterprise or managed IT environments.
Workaround: This issue is mitigated using Known Issue Rollback (KIR). For enterprise-managed devices that have installed the affected update and encountered this issue, IT administrators can resolve it by installing and configuring the Group Policy listed below. The special Group Policy can be found in Computer Configuration > Administrative Templates >
For information on deploying and configuring this special Group Policy, please see How to use Group Policy to deploy a Known Issue Rollback.
Group Policy downloads with Group Policy name:
- Download for Windows 11 version 24H2, Windows 11 version 25H2: Windows 11 24H2, Windows 11 25H2 and Windows Server 2025 KB5072033 251202_18051 Known Issue Rollback
Important: You will need to install and configure the Group Policy for your version of Windows to resolve this issue. You will also need to restart your device(s) to apply the group policy setting. Note that the Group Policy will temporarily disable the change causing this issue.
Status: We are working on a resolution in a future Windows update and will provide more information when it is available.
Good resource for known issues with Windows 10/11/Server patches. Find the version and click on “Known issues”.
Windows release health
https://docs.microsoft.com/en-us/windows/release-health/
Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022,2025 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB5071503 – Windows Server 2012 R2 (ESU)
- KB5071505 – Windows Server 2012 (ESU)
Cumulative Updates
Windows 10
- KB5071546 – Version 21H2 “November 2021 Update” (OS Build 19044) (ESU)
- KB5071546 – Version 22H2 “November 2022 Update” (OS Build 19045) (ESU)
(Versions 1507,1511,1607,1703,1709,1803,1809,1903,1909,2004,20H2,21H1 are no longer under support)
Windows 11
- KB5071417 – 23H2 (OS Build 22631)
- KB5072033 – 24H2 (OS Build 26100)
- KB5072033 – 25H2 (OS Build 26200)
(Versions 21H2 and 22H2 are no longer under support)
Windows Server
- KB5071543 – Server 2016 (EOS January 2027)
- KB5071544 – Server 2019 (EOS January 2029)
- KB5071547 – Server 2022 (OS Build 20348)
- KB5071542 – Server 23H2 (OS Build 25398)
- KB5072033 – Server 2025 (OS Build 26100)
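As an added example (not part of the original post), the following PowerShell script maps the local OS build to the December 2025 KB listed above, reports whether that KB is installed, and flags machines on KB5072033 that are exposed to the password-icon known issue. The build numbers for Server 2016 (14393), Server 2019 (17763), Server 2012 R2 (9600) and Server 2012 (9200) are not on this page and are assumed from general knowledge; Get-HotFix reads Win32_QuickFixEngineering, so a cumulative update that was never registered there will show as missing.

```powershell
# Added example: checks this machine for the December 2025 update from the list above.
# Build-to-KB mapping taken from the post; builds marked "assumed" are not on the page.
$DecemberKBs = @{
    '9200'  = 'KB5071505'  # Server 2012 (ESU) - build number assumed
    '9600'  = 'KB5071503'  # Server 2012 R2 (ESU) - build number assumed
    '14393' = 'KB5071543'  # Server 2016 - build number assumed
    '17763' = 'KB5071544'  # Server 2019 - build number assumed
    '19044' = 'KB5071546'  # Windows 10 21H2 (ESU)
    '19045' = 'KB5071546'  # Windows 10 22H2 (ESU)
    '20348' = 'KB5071547'  # Server 2022
    '22631' = 'KB5071417'  # Windows 11 23H2
    '25398' = 'KB5071542'  # Server 23H2
    '26100' = 'KB5072033'  # Windows 11 24H2 / Server 2025
    '26200' = 'KB5072033'  # Windows 11 25H2
}

function Get-DecemberPatchStatus {
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $build    = [string]$os.BuildNumber
    $expected = $DecemberKBs[$build]

    if (-not $expected) {
        return [pscustomobject]@{
            Caption = $os.Caption; Build = $build; ExpectedKB = $null; Installed = $null
            Note    = 'Build not in the December 2025 list (out of support or not covered above)'
        }
    }

    # Get-HotFix returns nothing (no error) when the KB is not present.
    $installed = [bool](Get-HotFix -Id $expected -ErrorAction SilentlyContinue)

    $note = if ($installed -and $expected -eq 'KB5072033') {
        'Installed; watch for the missing password icon known issue (KIR Group Policy available)'
    } elseif ($installed) {
        'December 2025 update installed'
    } else {
        'December 2025 update missing; approve and deploy per patch policy'
    }

    [pscustomobject]@{
        Caption = $os.Caption; Build = $build; ExpectedKB = $expected
        Installed = $installed; Note = $note
    }
}

Get-DecemberPatchStatus | Format-List
```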
December 2025 updates for Microsoft Office
Notable CVEs
CVE-2025-54100 | PowerShell Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100
Improper neutralization of special elements used in a command (‘command injection’) in Windows PowerShell allows an unauthorized attacker to execute code locally. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.
Additional steps required. See: PowerShell 5.1: Preventing script execution from web content
CVE-2025-62221 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup/Hotpatch)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2025-62557 | Microsoft Office Remote Code Execution Vulnerability (KB5002802,KB5002804,KB5002806,KB5002816,KB5002821,/Click to Run)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-62557
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. The Preview Pane is an attack vector.
CVE-2025-62562 | Microsoft Outlook Remote Code Execution Vulnerability (KB5002819/Click to Run)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62562
Use after free in Microsoft Office Outlook allows an unauthorized attacker to execute code locally. The Preview Pane is not an attack vector.
CVE-2025-64671 | GitHub Copilot for Jetbrains Remote Code Execution Vulnerability (Build 1.5.60-243)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-64671
Improper neutralization of special elements used in a command (‘command injection’) in Copilot allows an unauthorized attacker to execute code locally. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Via a malicious cross-prompt injection in untrusted files or MCP servers, an attacker could execute additional commands by appending them to commands allowed in the user’s terminal auto-approve setting.