10 December 2025
Microsoft on Tuesday announced patches for 57 vulnerabilities as part of its December 2025 security updates. Three of the bugs are zero-days, but only one is under active exploitation.
The exploited zero-day, tracked as CVE-2025-62221 (CVSS score of 7.8), is described as a use-after-free issue in the Windows Cloud Files Mini Filter Driver.
According to Microsoft, the successful exploitation of the security defect could allow attackers to elevate their privileges to System on Windows devices.
The company notes that it is aware of this vulnerability being exploited in the wild, but has not shared details on the observed attacks.
A second flaw resolved in the Cloud Files Mini Filter Driver, tracked as CVE-2025-62454 (CVSS score of 7.8) and leading to privilege escalation, is also likely to be exploited in attacks, the tech giant warns.
Microsoft’s December 2025 Patch Tuesday updates also draw attention to two command injection vulnerabilities leading to remote code execution, patched in Copilot for JetBrains (CVE-2025-64671) and PowerShell (CVE-2025-54100).
Both issues were publicly disclosed before patches were released, but are less likely to be exploited in attacks, the company says. However, proof-of-concept (PoC) code exists for CVE-2025-64671.
Microsoft’s fresh updates also address 13 vulnerabilities in the Office suite, including two marked as ‘critical’ even though their CVSS score of 8.4 would otherwise rank them as high-severity issues.
The two flaws, tracked as CVE-2025-62554 and CVE-2025-62557, are described as type confusion and use-after-free bugs that could allow remote attackers to execute arbitrary code.
According to Microsoft, threat actors could exploit the vulnerabilities using social engineering to convince users to click on malicious links. In both cases, Office’s Preview Pane is an attack vector.
“In the worst-case email attack scenario, an attacker could send a specially crafted email to the user without a requirement that the victim open, read, or click on the link. This could result in the attacker executing remote code on the victim’s machine,” Microsoft notes.
Adobe on Tuesday announced the rollout of patches for nearly 140 vulnerabilities across its products, including critical-severity bugs in ColdFusion and Experience Manager.
ColdFusion received fixes for 12 security defects, most of which could be exploited for arbitrary code execution.
The most severe of these are CVE-2025-61808, CVE-2025-61809, and CVE-2025-61830 (CVSS score of 9.1), described as unrestricted dangerous file upload, improper input validation, and deserialization of untrusted data, respectively.
Fixes for all 12 bugs were included in ColdFusion 2025 update 5, ColdFusion 2023 update 7, and ColdFusion 2021 update 23.
This month, Experience Manager (AEM) received fixes for 117 vulnerabilities, 116 of which are cross-site scripting (XSS) flaws, including two critical-severity bugs, tracked as CVE-2025-64537 and CVE-2025-64539 (CVSS score of 9.3).
The remaining 114 XSS issues are medium-severity bugs. The update also resolves a high-severity defect described as dependency on a vulnerable third-party component.
AEM Cloud Service release 2025.12 and AEM versions 6.5 LTS SP1 (GRANITE-61551 Hotfix) and 6.5.24 resolve all security defects.
Adobe has slapped a priority rating of ‘1’ on both the ColdFusion and AEM updates, urging users to apply the fixes as soon as possible.
On Tuesday, the company also announced fixes for two high- and two medium-severity security holes in the DNG SDK, two high- and two low-severity issues in Acrobat and Reader, and one medium-severity flaw in Creative Cloud Desktop for macOS.
Adobe says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found on the company’s security advisories page.
Source: https://www.securityweek.com/microsoft-patches-57-vulnerabilities-three-zero-days/