Overview
- Microsoft patched three zero‑day vulnerabilities, including CVE-2025-62221 in the Windows Cloud Files Mini Filter Driver that attackers are exploiting to gain SYSTEM privileges.
- CISA added CVE-2025-62221 to its Known Exploited Vulnerabilities Catalog and directed organizations to apply the update by December 30, 2025.
- Three critical remote code execution bugs in Office and Outlook were fixed, including CVE-2025-62562 (Outlook) and CVE-2025-62554 and CVE-2025-62557 (Office).
- A PowerShell command‑injection RCE (CVE-2025-54100) now triggers a security confirmation when using Invoke-WebRequest, with mitigation guidance detailed in KB5074596.
- The release spans Windows, Office, Edge and developer integrations such as GitHub Copilot for JetBrains (CVE-2025-64671), with 19 RCE and 28 elevation‑of‑privilege issues among 72 total vulnerabilities.