
Microsoft's December 2025 Patch Tuesday update for Windows 11 addresses 57 vulnerabilities across the Windows ecosystem, including a critical zero-day privilege escalation flaw in the Windows Cloud Files Mini Filter Driver that is confirmed to be actively exploited in the wild.
Released today as cumulative update KB5072033, the patch also delivers quality-of-life improvements and security enhancements for Windows 11 versions 25H2 and 24H2.
The most serious vulnerability addressed this month is CVE-2025-62221, a local privilege escalation bug stemming from a use-after-free in the Cloud Files Mini Filter Driver. An attacker who already has code running on the host with low privileges can use it to escalate to SYSTEM, which makes it a natural second stage after an initial foothold and a path to full compromise of the machine. Microsoft's Security Response Center (MSRC) and the Microsoft Threat Intelligence Center (MSTIC) jointly identified the exploit and confirmed that it was being used in the wild before the patch was released.
In addition to this zero-day, Microsoft patched two other noteworthy vulnerabilities that, while not actively exploited, had been publicly disclosed:
CVE-2025-64671 – A remote code execution vulnerability in GitHub Copilot for JetBrains, rated 8.4 CVSS, which allows command injection through cross-prompt injection: attacker-controlled content that the assistant ingests (a response from a remote server, or a file it is asked to read) steers it into running unsafe commands on the developer's machine. The attack vector is classed as local because the commands execute in the local environment, but the injected content can originate remotely.
CVE-2025-54100 – A PowerShell remote code execution bug (7.8 CVSS) caused by improper command sanitization in Invoke-WebRequest. Microsoft mitigated it by adding a confirmation prompt that warns of the script execution risk, so crafted web content can no longer lead to silent code execution.
Most of the remaining fixes are local elevation of privilege issues in core Windows components such as Win32K, the Storage VSP Driver, the Projected File System, and Client-Side Caching (CSC). One high-severity fix, CVE-2025-62549, patched a flaw in the Routing and Remote Access Service (RRAS) that could enable code execution over the network with no prior authentication. RRAS is an optional role rather than a default component, so only hosts that have it installed and reachable are affected, but those hosts should be patched first.
Beyond security patches, the KB5072033 update includes multiple bug fixes and feature improvements:
- Copilot: Fixed a UI bug where the “Click to Do” window failed to appear in the foreground during data sharing sessions.
- File Explorer: Resolved a visual glitch causing white flashes when navigating directories, a side effect of last month's optional update.
- Networking: Fixed a critical issue causing external virtual switches to lose NIC bindings after a host reboot, which disrupted connectivity for virtual machines.
- PowerShell 5.1: Added the aforementioned execution warning prompt for Invoke-WebRequest, aligned with the fix for CVE-2025-54100.
A known issue in this update, affecting some users in enterprise environments, is that the password icon may be missing from the lock screen's sign-in options. Password sign-in still works (the control is present but rendered without its icon). Microsoft is mitigating the issue via Known Issue Rollback (KIR) and provides a dedicated Group Policy download for IT administrators managing affected devices.
Windows users should install the latest security update through Settings > Windows Update > Check for updates > Install all.

After the updates are downloaded and installed, a reboot is required before the patched components are in effect; until then the host remains exposed. As always with OS-level updates, back up important data before starting the process.
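For administrators who want to confirm that the fix is actually live rather than merely downloaded, the following PowerShell script is an added example (it is not from the article or from Microsoft). It takes the update ID KB5072033 and the 24H2/25H2 target versions from the text above; the registry keys, the `Get-HotFix` cmdlet, the `fltmc` tool and the driver path `System32\drivers\cldflt.sys` (the on-disk Cloud Files Mini Filter Driver) are standard Windows locations, and the pending-reboot keys are the ones Windows Update and Component Based Servicing create.

```powershell
# Added example: verify that KB5072033 is installed and in effect on a Windows 11 host.
# Assumptions: KB ID and target versions (24H2/25H2) come from the article; registry
# paths, cldflt.sys location and fltmc are standard Windows. Run from an elevated
# prompt, because fltmc requires administrator rights.

$Kb = 'KB5072033'

# 1. Confirm this is a Windows 11 24H2 or 25H2 host, the versions this update targets.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$display = if ($ver.DisplayVersion) { $ver.DisplayVersion } else { $ver.ReleaseId }
Write-Host ("OS: {0} {1}, build {2}.{3}" -f $ver.ProductName, $display, $ver.CurrentBuildNumber, $ver.UBR)
if ($display -notin @('24H2', '25H2')) {
    Write-Warning "This host reports $display; $Kb targets 24H2/25H2, so check the servicing baseline for this version instead."
}

# 2. Is the cumulative update recorded as installed?
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Host "$Kb installed on $($hotfix.InstalledOn)"
} else {
    Write-Warning "$Kb is not listed by Get-HotFix; the update has not been installed or has not finished installing."
}

# 3. Is a reboot still pending? The patched binaries are not live until the host restarts.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$pending = $rebootKeys | Where-Object { Test-Path $_ }
if ($pending) {
    Write-Warning "Reboot pending; the update is installed but not yet in effect."
}

# 4. Report the on-disk Cloud Files Mini Filter Driver (cldflt.sys) version and whether
#    the filter is currently loaded. Compare the file version with the file list in the
#    KB article: an unpatched version with the filter loaded means the use-after-free is
#    still reachable from a low-privileged local account.
$drv = Get-Item "$env:SystemRoot\System32\drivers\cldflt.sys" -ErrorAction SilentlyContinue
if ($drv) {
    Write-Host ("cldflt.sys file version: {0}" -f $drv.VersionInfo.FileVersion)
}
$loaded = (fltmc filters 2>$null) -match '^\s*cldflt\b'
Write-Host ("Cloud Files filter loaded: {0}" -f [bool]$loaded)
```

The script deliberately does not stop at `Get-HotFix`: an update that is installed but waiting on a reboot still leaves the old driver in memory, which is why steps 3 and 4 look at the pending-reboot markers and at the filter that is actually loaded.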