Microsoft on Tuesday launched 56 patches affecting 10 product households. Two of the addressed points are thought of by Microsoft to be of Crucial severity – and, unusually, each belong to the blended Workplace-365 product household. Eight have a CVSS base rating of 8.0 or increased. One is thought to be below lively exploit within the wild, and two others are publicly disclosed.
That’s the excellent news. We’ll get to the advisories in a second.
At patch time, six CVEs are judged extra prone to be exploited within the subsequent 30 days by the corporate’s estimation, along with the one already detected to be so. Numerous of this month’s points are amenable to direct detection by Sophos protections, and we embody info on these in a desk beneath.
The discharge additionally contains info on 14 Edge patches launched final week, in addition to 12 ColdFusion and 4 Adobe Reader patches launched at this time. (The only real Edge patch originating with Microsoft is counted on this whole relatively within the normal Patch Tuesday depend of 56; the remaining originated with Chromium itself and have been patched earlier within the month.) Now we have included info on all these patches in Appendix D. There isn’t any replace to the Servicing Stack listed in Microsoft’s manifest this month.
Microsoft additionally launched info on 84 CVEs affecting CBL Mariner and/or Azure Linux. All 84 CVEs originated with MITRE and have been addressed over the course of the previous week, and all 84 are indicated as exploited in within the wild (although none are marked as publicly disclosed). Little info was made obtainable on these 84 CVEs, however we’ve supplied some steering in Appendix F on the finish of the publish.
We’re as at all times together with on the finish of this publish appendices itemizing all Microsoft’s patches sorted by severity (Appendix A), by predicted exploitability timeline and CVSS Base rating (Appendix B), and by product household (Appendix C). Appendix E offers a breakout of the patches affecting the varied Home windows Server platforms.
By the numbers
- Whole CVEs: 56
- Publicly disclosed: 2
- Exploit detected: 1
- Severity
- Crucial: 2
- Necessary: 54
- Affect
- Denial of Service: 3
- Elevation of Privilege: 28
- Data Disclosure: 4
- Distant Code Execution: 19
- Spoofing: 2
- CVSS Base rating 9.0 or better: 0
- CVSS Base rating 8.0 or better: 8
Determine 1: Elevation of Privilege points have been probably the most quite a few within the December assortment, as soon as once more
Merchandise
- Home windows: 38
- 365: 13
- Workplace: 13
- Excel: 6
- SharePoint: 5
- Phrase: 4
- Alternate: 2
- Entry: 1
- Azure: 1
- GitHub: 1
As is our customized for this record, CVEs that apply to a couple of product household are counted as soon as for every household they have an effect on. We notice, by the way in which, that CVE names don’t at all times replicate affected product households intently. Particularly, some CVEs names within the Workplace household could point out merchandise that don’t seem within the record of merchandise affected by the CVE, and vice versa.
Determine 2: A smaller, closely end-user-oriented group of product households acquired patches this month. Although Home windows accounts for half of them, patches associated to the working system are all Necessary in severity
Notable December updates
Along with the problems mentioned above, a number of particular gadgets advantage consideration.
CVE-2025-62554 — Microsoft Workplace Distant Code Execution Vulnerability
CVE-2025-62555 — Microsoft Phrase Distant Code Execution Vulnerability
CVE-2025-62557 — Microsoft Workplace Distant Code Execution Vulnerability
CVE-2025-62558 — Microsoft Phrase Distant Code Execution Vulnerability
CVE-2025-62559 — Microsoft Phrase Distant Code Execution Vulnerability
CVE-2025-62560 — Microsoft Excel Distant Code Execution Vulnerability
CVE-2025-62561 — Microsoft Excel Distant Code Execution Vulnerability
All seven of those RCE points have an effect on a number of variations of 365 and Workplace, together with Microsoft Workplace LTSC for Mac 2021 and 2024. Nevertheless, the patches for these Mac variations aren’t prepared but. Customers accountable for updating Macs are requested to watch the CVE info for every vulnerability for additional phrase on these patches. Of the seven, pay particular consideration to CVE-2025-62554 and CVE-2025-62257 (the 2 merely referred to as “Workplace” vulnerabilities) – they’re those which Preview Pane is an assault vector. These two CVEs are Crucial-severity and have a CVSS Base rating of 8.4. The others are Necessary-severity.
CVE-2025-54100 — PowerShell Distant Code Execution Vulnerability
As with the 84 Mariner vulnerabilities talked about above, the discharge of this patch arrived with much less info than Microsoft-issued CVEs typically do. That stated, this Necessary-class difficulty is allotted to Home windows; as with the GitHub difficulty mentioned beneath, it entails improper neutralization of particular parts utilized in a command. For this one, Microsoft notes that after set up, customers trying to deploy the Invoke-WebRequest command will get a brand new affirmation immediate warning them of probably undesirable script code execution and recommending that they embody the -UseBasicParsing swap to maintain issues behaving properly.
CVE-2025-64666 — Microsoft Alternate Server Elevation of Privilege Vulnerability
CVE-2025-64667 — Microsoft Alternate Server Spoofing Vulnerability
These two Necessary-severity bugs each have an effect on Alternate Server 2016 and 2019, that are out-of-support variations of Alternate – until you’re paying for Microsoft’s Prolonged Safety Replace (ESU) program, you’re not getting these patches. (Alternate Server Subscription Version subscribers are coated.) The EoP is a reasonably specialised merchandise that may require the attacker to organize the goal surroundings forward of time, whereas the Spoofing bug impacts, particularly, how From: addresses are exhibited to the consumer.
CVE-2025-64671 — GitHub Copilot for Jetbrains Distant Code Execution Vulnerability
The one publicly disclosed vulnerability up to now this month permits the Jetbrain AI-based coding assistant to wreck the vibe-coding vibe, because of improper neutralization of particular parts utilized in a command. Based on Microsoft, an attacker might execute extra instructions by appending them to instructions allowed within the consumer’s terminal auto-approve setting. This vulnerability is credited to unbiased researcher Ari Marzouk, who simply final weekend posted evaluation of a probably vigorous new class of vulnerabilities in AI IDEs. An intriguing learn.
Determine 3: The 12 months wrapped up with Elevation of Privilege and Distant Code Execution swapping spots on the high of the charts. Notice, although, that regardless that there have been fewer RCE bugs squashed this 12 months, there was the next share of Crucial-severity RCEs. General there have been 92 Crucial-severity CVEs tackle in 2025 in comparison with 55 final 12 months.
Determine 4: Behold the ultimate (one hopes) 2025 tally: Ultimately, it was probably the most patch-heavy 12 months (1196 excluding out-of-band patch releases) since 2020 (1245 patches excluding out-of-bands), with two record-breaking months in January and October.
Sophos protections
| CVE | Sophos Intercept X/Endpoint IPS | Sophos XGS Firewall |
| CVE-2025-59516 | Exp/2559516-A | Exp/2559516-A |
| CVE-2025-59517 | Exp/2559517-A | Exp/2559517-A |
| CVE-2025-62221 | Exp/2562221-A | Exp/2562221-A |
| CVE-2025-62454 | Exp/2562454-A | Exp/2562454-A |
| CVE-2025-62470 | Exp/2562470-A | Exp/2562470-A |
| CVE-2025-62472 | Exp/2562472-A | Exp/2562472-A |
As you possibly can each month, should you don’t wish to wait on your system to tug down Microsoft’s updates itself, you possibly can obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe instrument to find out which construct of Home windows you’re working, then obtain the Cumulative Replace bundle on your particular system’s structure and construct quantity.
Appendix A: Vulnerability Affect and Severity
This can be a record of December patches sorted by influence, then sub-sorted by severity. Every record is additional organized by CVE.
Elevation of Privilege (28 CVEs)
| Necessary severity | |
| CVE-2025-55233 | Home windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-59516 | Home windows Storage VSP Driver Elevation of Privilege Vulnerability |
| CVE-2025-59517 | Home windows Storage VSP Driver Elevation of Privilege Vulnerability |
| CVE-2025-62221 | Home windows Cloud Recordsdata Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2025-62454 | Home windows Cloud Recordsdata Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2025-62455 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability |
| CVE-2025-62457 | Home windows Cloud Recordsdata Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2025-62458 | Win32k Elevation of Privilege Vulnerability |
| CVE-2025-62461 | Home windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-62462 | Home windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-62464 | Home windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-62466 | Home windows Shopper-Facet Caching Elevation of Privilege Vulnerability |
| CVE-2025-62467 | Home windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-62469 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| CVE-2025-62470 | Home windows Frequent Log File System Driver Elevation of Privilege Vulnerability |
| CVE-2025-62472 | Home windows Distant Entry Connection Supervisor Elevation of Privilege Vulnerability |
| CVE-2025-62474 | Home windows Distant Entry Connection Supervisor Elevation of Privilege Vulnerability |
| CVE-2025-62565 | Home windows File Explorer Elevation of Privilege Vulnerability |
| CVE-2025-62569 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| CVE-2025-62571 | Home windows Installer Elevation of Privilege Vulnerability |
| CVE-2025-62572 | Utility Data Service Elevation of Privilege Vulnerability |
| CVE-2025-62573 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| CVE-2025-64658 | Home windows File Explorer Elevation of Privilege Vulnerability |
| CVE-2025-64661 | Home windows Shell Elevation of Privilege Vulnerability |
| CVE-2025-64666 | Microsoft Alternate Server Elevation of Privilege Vulnerability |
| CVE-2025-64673 | Home windows Storage VSP Driver Elevation of Privilege Vulnerability |
| CVE-2025-64679 | Home windows DWM Core Library Elevation of Privilege Vulnerability |
| CVE-2025-64680 | Home windows DWM Core Library Elevation of Privilege Vulnerability |
Distant Code Execution (19 CVEs)
| Crucial severity | |
| CVE-2025-62554 | Microsoft Workplace Distant Code Execution Vulnerability |
| CVE-2025-62557 | Microsoft Workplace Distant Code Execution Vulnerability |
| Necessary severity | |
| CVE-2025-54100 | PowerShell Distant Code Execution Vulnerability |
| CVE-2025-62456 | Home windows Resilient File System (ReFS) Distant Code Execution Vulnerability |
| CVE-2025-62549 | Home windows Routing and Distant Entry Service (RRAS) Distant Code Execution Vulnerability |
| CVE-2025-62550 | Azure Monitor Agent Distant Code Execution Vulnerability |
| CVE-2025-62552 | Microsoft Entry Distant Code Execution Vulnerability |
| CVE-2025-62553 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62555 | Microsoft Phrase Distant Code Execution Vulnerability |
| CVE-2025-62556 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62558 | Microsoft Phrase Distant Code Execution Vulnerability |
| CVE-2025-62559 | Microsoft Phrase Distant Code Execution Vulnerability |
| CVE-2025-62560 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62561 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62562 | Microsoft Outlook Distant Code Execution Vulnerability |
| CVE-2025-62563 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62564 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-64671 | GitHub Copilot for Jetbrains Distant Code Execution Vulnerability |
| CVE-2025-64678 | Home windows Routing and Distant Entry Service (RRAS) Distant Code Execution Vulnerability |
Data Disclosure (4 CVEs)
| Necessary severity | |
| CVE-2025-62468 | Home windows Defender Firewall Service Data Disclosure Vulnerability |
| CVE-2025-62473 | Home windows Routing and Distant Entry Service (RRAS) Data Disclosure Vulnerability |
| CVE-2025-62570 | Home windows Digicam Body Server Monitor Data Disclosure Vulnerability |
| CVE-2025-64670 | Home windows DirectX Data Disclosure Vulnerability |
Denial of Service (3 CVEs)
| Necessary severity | |
| CVE-2025-62463 | DirectX Graphics Kernel Denial of Service Vulnerability |
| CVE-2025-62465 | DirectX Graphics Kernel Denial of Service Vulnerability |
| CVE-2025-62567 | Home windows Hyper-V Denial of Service Vulnerability |
Spoofing (2 CVEs)
| Necessary severity | |
| CVE-2025-64667 | Microsoft Alternate Server Spoofing Vulnerability |
| CVE-2025-64672 | Microsoft SharePoint Server Spoofing Vulnerability |
Appendix B: Exploitability and CVSS
This can be a record of the December CVEs judged by Microsoft to be extra prone to be exploited within the wild inside the first 30 days post-release. The record is organized by CVE.
| Exploitation extra possible inside the subsequent 30 days | |
| CVE-2025-59516 | Home windows Storage VSP Driver Elevation of Privilege Vulnerability |
| CVE-2025-59517 | Home windows Storage VSP Driver Elevation of Privilege Vulnerability |
| CVE-2025-62454 | Home windows Cloud Recordsdata Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2025-62458 | Win32k Elevation of Privilege Vulnerability |
| CVE-2025-62470 | Home windows Frequent Log File System Driver Elevation of Privilege Vulnerability |
| CVE-2025-62472 | Home windows Distant Entry Connection Supervisor Elevation of Privilege Vulnerability |
The CVE listed beneath was identified to be below lively exploit previous to the discharge of this month’s patches.
| CVE-2025-62221 | Home windows Cloud Recordsdata Mini Filter Driver Elevation of Privilege Vulnerability |
These are the December CVEs with a Microsoft-assessed CVSS Base rating of 8.0 or increased. They’re organized by rating and additional sorted by CVE. For extra info on how CVSS works, please see our sequence on patch prioritization schema.
| CVSS Base | CVSS Temporal | CVE | Title |
| 8.8 | 7.7 | CVE-2025-62456 | Home windows Resilient File System (ReFS) Distant Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2025-62549 | Home windows Routing and Distant Entry Service (RRAS) Distant Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2025-62550 | Azure Monitor Agent Distant Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2025-64672 | Microsoft SharePoint Server Spoofing Vulnerability |
| 8.8 | 7.7 | CVE-2025-64678 | Home windows Routing and Distant Entry Service (RRAS) Distant Code Execution Vulnerability |
| 8.4 | 7.3 | CVE-2025-62554 | Microsoft Workplace Distant Code Execution Vulnerability |
| 8.4 | 7.3 | CVE-2025-62557 | Microsoft Workplace Distant Code Execution Vulnerability |
| 8.4 | 7.3 | CVE-2025-64671 | GitHub Copilot for Jetbrains Distant Code Execution Vulnerability |
Appendix C: Merchandise Affected
This can be a record of December’s patches sorted by product household, then sub-sorted by severity. Every record is additional organized by CVE. Patches which can be shared amongst a number of product households are listed a number of occasions, as soon as for every product household. Sure points for which advisories have been issued are coated in Appendix D, and points affecting Home windows Server are additional sorted in Appendix E. All CVE titles are correct as made obtainable by Microsoft; for additional info on why sure merchandise could seem in titles and never product households (or vice versa), please seek the advice of Microsoft.
Home windows (38 CVEs)
| Necessary severity | |
| CVE-2025-54100 | PowerShell Distant Code Execution Vulnerability |
| CVE-2025-55233 | Home windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-59516 | Home windows Storage VSP Driver Elevation of Privilege Vulnerability |
| CVE-2025-59517 | Home windows Storage VSP Driver Elevation of Privilege Vulnerability |
| CVE-2025-62221 | Home windows Cloud Recordsdata Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2025-62454 | Home windows Cloud Recordsdata Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2025-62455 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability |
| CVE-2025-62456 | Home windows Resilient File System (ReFS) Distant Code Execution Vulnerability |
| CVE-2025-62457 | Home windows Cloud Recordsdata Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2025-62458 | Win32k Elevation of Privilege Vulnerability |
| CVE-2025-62461 | Home windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-62462 | Home windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-62463 | DirectX Graphics Kernel Denial of Service Vulnerability |
| CVE-2025-62464 | Home windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-62465 | DirectX Graphics Kernel Denial of Service Vulnerability |
| CVE-2025-62466 | Home windows Shopper-Facet Caching Elevation of Privilege Vulnerability |
| CVE-2025-62467 | Home windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-62468 | Home windows Defender Firewall Service Data Disclosure Vulnerability |
| CVE-2025-62469 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| CVE-2025-62470 | Home windows Frequent Log File System Driver Elevation of Privilege Vulnerability |
| CVE-2025-62472 | Home windows Distant Entry Connection Supervisor Elevation of Privilege Vulnerability |
| CVE-2025-62473 | Home windows Routing and Distant Entry Service (RRAS) Data Disclosure Vulnerability |
| CVE-2025-62474 | Home windows Distant Entry Connection Supervisor Elevation of Privilege Vulnerability |
| CVE-2025-62549 | Home windows Routing and Distant Entry Service (RRAS) Distant Code Execution Vulnerability |
| CVE-2025-62565 | Home windows File Explorer Elevation of Privilege Vulnerability |
| CVE-2025-62567 | Home windows Hyper-V Denial of Service Vulnerability |
| CVE-2025-62569 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| CVE-2025-62570 | Home windows Digicam Body Server Monitor Data Disclosure Vulnerability |
| CVE-2025-62571 | Home windows Installer Elevation of Privilege Vulnerability |
| CVE-2025-62572 | Utility Data Service Elevation of Privilege Vulnerability |
| CVE-2025-62573 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| CVE-2025-64658 | Home windows File Explorer Elevation of Privilege Vulnerability |
| CVE-2025-64661 | Home windows Shell Elevation of Privilege Vulnerability |
| CVE-2025-64670 | Home windows DirectX Data Disclosure Vulnerability |
| CVE-2025-64673 | Home windows Storage VSP Driver Elevation of Privilege Vulnerability |
| CVE-2025-64678 | Home windows Routing and Distant Entry Service (RRAS) Distant Code Execution Vulnerability |
| CVE-2025-64679 | Home windows DWM Core Library Elevation of Privilege Vulnerability |
| CVE-2025-64680 | Home windows DWM Core Library Elevation of Privilege Vulnerability |
365 (13 CVEs)
| Crucial severity | |
| CVE-2025-62554 | Microsoft Workplace Distant Code Execution Vulnerability |
| CVE-2025-62557 | Microsoft Workplace Distant Code Execution Vulnerability |
| CVE-2025-62562 | Microsoft Outlook Distant Code Execution Vulnerability |
| Necessary severity | |
| CVE-2025-62552 | Microsoft Entry Distant Code Execution Vulnerability |
| CVE-2025-62553 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62555 | Microsoft Phrase Distant Code Execution Vulnerability |
| CVE-2025-62556 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62558 | Microsoft Phrase Distant Code Execution Vulnerability |
| CVE-2025-62559 | Microsoft Phrase Distant Code Execution Vulnerability |
| CVE-2025-62560 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62561 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62563 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62564 | Microsoft Excel Distant Code Execution Vulnerability |
Workplace (13 CVEs)
| Crucial severity | |
| CVE-2025-62554 | Microsoft Workplace Distant Code Execution Vulnerability |
| CVE-2025-62557 | Microsoft Workplace Distant Code Execution Vulnerability |
| Necessary severity | |
| CVE-2025-62552 | Microsoft Entry Distant Code Execution Vulnerability |
| CVE-2025-62553 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62555 | Microsoft Phrase Distant Code Execution Vulnerability |
| CVE-2025-62556 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62558 | Microsoft Phrase Distant Code Execution Vulnerability |
| CVE-2025-62559 | Microsoft Phrase Distant Code Execution Vulnerability |
| CVE-2025-62560 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62561 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62562 | Microsoft Outlook Distant Code Execution Vulnerability |
| CVE-2025-62563 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62564 | Microsoft Excel Distant Code Execution Vulnerability |
Excel (6 CVEs)
| Necessary severity | |
| CVE-2025-62553 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62556 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62560 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62561 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62563 | Microsoft Excel Distant Code Execution Vulnerability |
| CVE-2025-62564 | Microsoft Excel Distant Code Execution Vulnerability |
SharePoint (5 CVEs)
| Crucial severity | |
| CVE-2025-62562 | Microsoft Outlook Distant Code Execution Vulnerability |
| Necessary severity | |
| CVE-2025-62555 | Microsoft Phrase Distant Code Execution Vulnerability |
| CVE-2025-62558 | Microsoft Phrase Distant Code Execution Vulnerability |
| CVE-2025-62559 | Microsoft Phrase Distant Code Execution Vulnerability |
| CVE-2025-64672 | Microsoft SharePoint Server Spoofing Vulnerability |
Phrase (4 CVEs)
| Crucial severity | |
| CVE-2025-62562 | Microsoft Outlook Distant Code Execution Vulnerability |
| Necessary severity | |
| CVE-2025-62555 | Microsoft Phrase Distant Code Execution Vulnerability |
| CVE-2025-62558 | Microsoft Phrase Distant Code Execution Vulnerability |
| CVE-2025-62559 | Microsoft Phrase Distant Code Execution Vulnerability |
Alternate (2 CVEs)
| Necessary severity | |
| CVE-2025-64666 | Microsoft Alternate Server Elevation of Privilege Vulnerability |
| CVE-2025-64667 | Microsoft Alternate Server Spoofing Vulnerability |
Entry (1 CVE)
| Necessary severity | |
| CVE-2025-62552 | Microsoft Entry Distant Code Execution Vulnerability |
Azure (1 CVE)
| Necessary severity | |
| CVE-2025-62550 | Azure Monitor Agent Distant Code Execution Vulnerability |
GitHub (1 CVE)
| Necessary severity | |
| CVE-2025-64671 | GitHub Copilot for Jetbrains Distant Code Execution Vulnerability |
Appendix D: Advisories and Different Merchandise
There are 14 Edge-related advisories famous in December’s launch. All however CVE-2025-62223 originated with Chrome. All have been patched in the course of the earlier week. Please notice that the Microsoft-issued CVE applies solely to Edge for Mac.
| CVE-2025-13630 | Chromium: CVE-2025-13630 Sort Confusion in V8 |
| CVE-2025-13631 | Chromium: CVE-2025-13631 Inappropriate implementation in Google Updater |
| CVE-2025-13632 | Chromium: CVE-2025-13632 Inappropriate implementation in DevTools |
| CVE-2025-13633 | Chromium: CVE-2025-13633 Use after free in Digital Credentials |
| CVE-2025-13634 | Chromium: CVE-2025-13634 Inappropriate implementation in Downloads |
| CVE-2025-13635 | Chromium: CVE-2025-13635 Inappropriate implementation in Downloads |
| CVE-2025-13636 | Chromium: CVE-2025-13636 Inappropriate implementation in Cut up View |
| CVE-2025-13637 | Chromium: CVE-2025-13637 Inappropriate implementation in Downloads |
| CVE-2025-13638 | Chromium: CVE-2025-13638 Use after free in Media Stream |
| CVE-2025-13639 | Chromium: CVE-2025-13639 Inappropriate implementation in WebRTC |
| CVE-2025-13640 | Chromium: CVE-2025-13640 Inappropriate implementation in Passwords |
| CVE-2025-13720 | Chromium: CVE-2025-13720 Dangerous forged in Loader |
| CVE-2025-13721 | Chromium: CVE-2025-13721 Race in v8 |
| CVE-2025-62223 | Microsoft Edge (Chromium-based) for Mac Spoofing Vulnerability |
Adobe is releasing patches for 12 ColdFusion points at this time with Bulletin APSB25-105. All 12 CVEs have an effect on ColdFusion 22, 16, 4 and earlier variations.
| Crucial severity | |
| CVE-2025-61808 | Unrestricted Add of File with Harmful Sort (CWE-434) |
| CVE-2025-61809 | Improper Enter Validation (CWE-20) |
| CVE-2025-61810 | Deserialization of Untrusted Knowledge (CWE-502) |
| CVE-2025-61811 | Improper Entry Management (CWE-284) |
| CVE-2025-61812 | Improper Enter Validation (CWE-20) |
| CVE-2025-61813 | Improper Restriction of XML Exterior Entity Reference (‘XXE’) (CWE-611) |
| CVE-2025-61830 | Deserialization of Untrusted Knowledge (CWE-502) |
| Necessary severity | |
| CVE-2025-61821 | Improper Restriction of XML Exterior Entity Reference (‘XXE’) (CWE-611) |
| CVE-2025-61822 | Improper Enter Validation (CWE-20) |
| CVE-2025-61823 | Improper Restriction of XML Exterior Entity Reference (‘XXE’) (CWE-611) |
| CVE-2025-64897 | Improper Entry Management (CWE-284) |
| CVE-2025-64898 | Insufficiently Protected Credentials (CWE-522) |
Adobe can also be releasing patches for 4 Adobe Reader points at this time with Bulletin APSB25-119. All 4 CVEs have an effect on Reader variations 25.001.20982, 25.001.20668, 24.001.30273, 20.005.30793, 20.005.30803 and earlier.
| Crucial severity | |
| CVE-2025-64785 | Untrusted Search Path (CWE-426) |
| CVE-2025-64899 | Out-of-bounds Learn (CWE-125) |
| Average severity | |
| CVE-2025-64786 | Improper Verification of Cryptographic Signature (CWE-347) |
| CVE-2025-64787 | Improper Verification of Cryptographic Signature (CWE-347) |
For info on the Mariner releases, please scroll to Appendix F.
Appendix E: Affected Home windows Server variations
This can be a desk of the 38 CVEs within the December launch affecting Home windows Server variations 2008 via 2025. The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). An “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to determine their particular publicity, as every reader’s scenario, particularly because it issues merchandise out of mainstream help, will fluctuate. For particular Data Base numbers, please seek the advice of Microsoft.
| CVE | S-08 | 8r2 | S-12 | 12r2 | S-16 | S-19 | S-22 | 23h2 | S-25 |
| CVE-2025-54100 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-55233 | × | × | × | × | × | ■ | ■ | ■ | ■ |
| CVE-2025-59516 | × | × | × | × | × | ■ | ■ | ■ | ■ |
| CVE-2025-59517 | × | × | × | × | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-62221 | × | × | × | × | × | ■ | ■ | ■ | ■ |
| CVE-2025-62454 | × | × | × | × | × | ■ | ■ | ■ | ■ |
| CVE-2025-62455 | ■ | ■ | ■ | ■ | ■ | ■ | × | × | × |
| CVE-2025-62456 | × | × | × | × | × | × | ■ | ■ | ■ |
| CVE-2025-62457 | × | × | × | × | × | ■ | ■ | ■ | ■ |
| CVE-2025-62458 | × | ■ | ■ | ■ | ■ | ■ | ■ | × | × |
| CVE-2025-62461 | × | × | × | × | × | ■ | ■ | ■ | ■ |
| CVE-2025-62462 | × | × | × | × | × | ■ | ■ | ■ | ■ |
| CVE-2025-62463 | × | × | × | × | × | × | ■ | ■ | ■ |
| CVE-2025-62464 | × | × | × | × | × | ■ | ■ | ■ | ■ |
| CVE-2025-62465 | × | × | × | × | × | × | ■ | ■ | ■ |
| CVE-2025-62466 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-62467 | × | × | × | × | × | ■ | ■ | ■ | ■ |
| CVE-2025-62468 | × | × | × | × | × | × | × | ■ | ■ |
| CVE-2025-62469 | × | × | × | × | × | × | × | × | ■ |
| CVE-2025-62470 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-62472 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-62473 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-62474 | × | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-62549 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-62565 | × | × | × | × | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-62567 | × | × | × | ■ | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-62569 | × | × | × | × | × | × | × | ■ | ■ |
| CVE-2025-62570 | × | × | × | × | × | × | × | × | ■ |
| CVE-2025-62571 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-62572 | × | × | × | × | × | × | × | × | ■ |
| CVE-2025-62573 | × | × | × | × | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-64658 | × | × | × | × | × | ■ | ■ | ■ | ■ |
| CVE-2025-64661 | × | × | × | × | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-64670 | × | × | × | × | × | × | ■ | ■ | ■ |
| CVE-2025-64673 | × | × | × | × | × | ■ | ■ | ■ | ■ |
| CVE-2025-64678 | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-64679 | × | × | × | × | ■ | ■ | ■ | ■ | ■ |
| CVE-2025-64680 | × | × | × | × | ■ | ■ | ■ | ■ | ■ |
Appendix F: CBL Mariner / Azure Linux
The next desk offers info on 84 CVEs referring to CBL Mariner and / or Azure Linux. All 84 are listed by Microsoft as below exploit within the wild. That stated, 5 of them even have CVSS Base numbers over 8.5, and we point out these in purple for these needing to prioritize. The CVEs are grouped by severity and additional ordered by CVE.
| Crucial severity | |
| CVE-2025-40242 | gfs2: Repair unlikely race in gdlm_put_lock |
| CVE-2025-40244 | hfsplus: repair KMSAN uninit-value difficulty in __hfsplus_ext_cache_extent() |
| CVE-2025-40251 | devlink: price: Unset father or mother pointer in devl_rate_nodes_destroy |
| CVE-2025-40262 | Enter: imx_sc_key – repair reminiscence corruption on unload |
| Necessary severity | |
| CVE-2025-12385 | Improper validation of tag dimension in Textual content part parser |
| CVE-2025-12819 | Untrusted search path in auth_query connection in PgBouncer |
| CVE-2025-34297 | KissFFT Integer Overflow Heap Buffer Overflow by way of kiss_fft_alloc |
| CVE-2025-40223 | most: usb: Repair use-after-free in hdm_disconnect |
| CVE-2025-40233 | ocfs2: clear extent cache after shifting/defragmenting extents |
| CVE-2025-40240 | sctp: keep away from NULL dereference when chunk information buffer is lacking |
| CVE-2025-40258 | mptcp: repair race situation in mptcp_schedule_work() |
| CVE-2025-40272 | mm/secretmem: repair use-after-free race in fault handler |
| CVE-2025-40312 | jfs: Confirm inode mode when loading from disk |
| CVE-2025-40314 | usb: cdns3: gadget: Use-after-free throughout failed initialization and exit of cdnsp gadget |
| CVE-2025-40319 | bpf: Sync pending IRQ work earlier than releasing ring buffer |
| CVE-2025-59775 | Apache HTTP Server: NTLM Leakage on Home windows via UNC SSRF |
| CVE-2025-61729 | Extreme useful resource consumption when printing error string for host certificates validation in crypto/x509 |
| CVE-2025-66476 | Vim for Home windows Uncontrolled Search Path Factor Distant Code Execution Vulnerability |
| Average severity | |
| CVE-2023-53749 | x86: repair clear_user_rep_good() exception dealing with annotation |
| CVE-2025-12084 | Quadratic complexity in node ID cache clearing |
| CVE-2025-13836 | Extreme learn buffering DoS in http.shopper |
| CVE-2025-40215 | xfrm: delete x->tunnel as we delete x |
| CVE-2025-40217 | pidfs: validate extensible ioctls |
| CVE-2025-40218 | mm/damon/vaddr: don’t repeat pte_offset_map_lock() till success |
| CVE-2025-40219 | PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV |
| CVE-2025-40220 | fuse: repair livelock in synchronous file put from fuseblk employees |
| CVE-2025-40243 | hfs: repair KMSAN uninit-value difficulty in hfs_find_set_zero_bits() |
| CVE-2025-40245 | nios2: be sure that memblock.current_limit is ready when setting pfn limits |
| CVE-2025-40247 | drm/msm: Repair pgtable prealloc error path |
| CVE-2025-40248 | vsock: Ignore sign/timeout on join() if already established |
| CVE-2025-40250 | internet/mlx5: Clear up solely new IRQ glue on request_irq() failure |
| CVE-2025-40252 | internet: qlogic/qede: repair potential out-of-bounds learn in qede_tpa_cont() and qede_tpa_end() |
| CVE-2025-40253 | s390/ctcm: Repair double-kfree |
| CVE-2025-40254 | internet: openvswitch: take away never-working help for setting nsh fields |
| CVE-2025-40257 | mptcp: repair a race in mptcp_pm_del_add_timer() |
| CVE-2025-40259 | scsi: sg: Don’t sleep in atomic context |
| CVE-2025-40261 | nvme: nvme-fc: Guarantee ->ioerr_work is cancelled in nvme_fc_delete_ctrl() |
| CVE-2025-40263 | Enter: cros_ec_keyb – repair an invalid reminiscence entry |
| CVE-2025-40264 | be2net: cross wrb_params in case of OS2BMC |
| CVE-2025-40266 | KVM: arm64: Verify the untrusted offset in FF-A reminiscence share |
| CVE-2025-40268 | cifs: shopper: repair reminiscence leak in smb3_fs_context_parse_param |
| CVE-2025-40269 | ALSA: usb-audio: Repair potential overflow of PCM switch buffer |
| CVE-2025-40273 | NFSD: free copynotify stateid in nfs4_free_ol_stateid() |
| CVE-2025-40275 | ALSA: usb-audio: Repair NULL pointer dereference in snd_usb_mixer_controls_badd |
| CVE-2025-40277 | drm/vmwgfx: Validate command header dimension in opposition to SVGA_CMD_MAX_DATASIZE |
| CVE-2025-40278 | internet: sched: act_ife: initialize struct tc_ife to repair KMSAN kernel-infoleak |
| CVE-2025-40279 | internet: sched: act_connmark: initialize struct tc_ife to repair kernel leak |
| CVE-2025-40280 | tipc: Repair use-after-free in tipc_mon_reinit_self(). |
| CVE-2025-40281 | sctp: stop doable shift-out-of-bounds in sctp_transport_update_rto |
| CVE-2025-40282 | Bluetooth: 6lowpan: reset link-local header on ipv6 recv path |
| CVE-2025-40283 | Bluetooth: btusb: reorder cleanup in btusb_disconnect to keep away from UAF |
| CVE-2025-40284 | Bluetooth: MGMT: cancel mesh ship timer when hdev eliminated |
| CVE-2025-40285 | smb/server: repair doable refcount leak in smb2_sess_setup() |
| CVE-2025-40286 | smb/server: repair doable reminiscence leak in smb2_read() |
| CVE-2025-40287 | exfat: repair improper test of dentry.stream.valid_size |
| CVE-2025-40288 | drm/amdgpu: Repair NULL pointer dereference in VRAM logic for APU units |
| CVE-2025-40289 | drm/amdgpu: disguise VRAM sysfs attributes on GPUs with out VRAM |
| CVE-2025-40292 | virtio-net: repair acquired size test in massive packets |
| CVE-2025-40293 | iommufd: Don’t overflow throughout division for soiled monitoring |
| CVE-2025-40294 | Bluetooth: MGMT: Repair OOB entry in parse_adv_monitor_pattern() |
| CVE-2025-40297 | internet: bridge: repair use-after-free as a consequence of MST port state bypass |
| CVE-2025-40301 | Bluetooth: hci_event: validate skb size for unknown CC opcode |
| CVE-2025-40303 | btrfs: guarantee no soiled metadata is written again for an fs with errors |
| CVE-2025-40304 | fbdev: Add bounds checking in bit_putcs to repair vmalloc-out-of-bounds |
| CVE-2025-40305 | 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN |
| CVE-2025-40306 | orangefs: repair xattr associated buffer overflow… |
| CVE-2025-40307 | exfat: validate cluster allocation bits of the allocation bitmap |
| CVE-2025-40308 | Bluetooth: bcsp: obtain information provided that registered |
| CVE-2025-40309 | Bluetooth: SCO: Repair UAF on sco_conn_free |
| CVE-2025-40310 | amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw |
| CVE-2025-40311 | accel/habanalabs: help mapping cb with vmalloc-backed coherent reminiscence |
| CVE-2025-40313 | ntfs3: faux $Lengthen data as common recordsdata |
| CVE-2025-40315 | usb: gadget: f_fs: Repair epfile null pointer entry after ep allow. |
| CVE-2025-40317 | regmap: slimbus: repair bus_context pointer in regmap init calls |
| CVE-2025-40321 | wifi: brcmfmac: repair crash whereas sending Motion Frames in standalone AP Mode |
| CVE-2025-40322 | fbdev: bitblit: bound-check glyph index in bit_putcs* |
| CVE-2025-40323 | fbcon: Set fb_display[i]->mode to NULL when the mode is launched |
| CVE-2025-40324 | NFSD: Repair crash in nfsd4_read_release() |
| CVE-2025-61727 | Improper software of excluded DNS identify constraints when verifying wildcard names in crypto/x509 |
| CVE-2025-65082 | Apache HTTP Server: CGI surroundings variable override |
| CVE-2025-65637 | A denial-of-service vulnerability exists in github.com/sirupsen/logrus when utilizing Entry.Author() to log a single-line payload bigger than 64KB with out newline characters. |
| CVE-2025-66200 | Apache HTTP Server: mod_userdir+suexec bypass by way of AllowOverride FileInfo |
| CVE-2025-66293 | LIBPNG has an out-of-bounds learn in png_image_read_composite |
| Low severity | |
| CVE-2025-13837 | Out-of-memory when loading Plist |
