Post-Patch Tuesday Roundup: December 2025 :: Softcat

Softcat’s December 2025 Patch Tuesday summary highlights updates from major vendors including Microsoft, Adobe, Cisco, SAP, Ivanti, IBM, Fortinet, and VMware, as they release patches addressing a wide range of vulnerabilities across their respective platforms.


Philip Odjidja

Vulnerability Engineer

This release includes multiple zero-day disclosures, one of which is under active exploitation.

 

Microsoft 

In the December 9, 2025, Patch Tuesday release, Microsoft patched 56 vulnerabilities across Windows, Office and other components. Among them are three zero-day flaws: one actively exploited and two publicly disclosed. The release also addresses three vulnerabilities rated “Critical”, all remote code execution flaws that could let an attacker run code, elevate privileges or compromise sensitive data with minimal user interaction. The remainder are rated “Important”.

The patches span the usual vulnerability classes: spoofing, denial of service, information disclosure, remote code execution and elevation of privilege.

Zero-Day Vulnerabilities:

CVE-2025-62221 – A privilege escalation vulnerability in the Windows Cloud Files Mini Filter Driver. Microsoft identifies the flaw as a use-after-free memory corruption that allows a local attacker with valid credentials to elevate privileges to SYSTEM, the highest level of Windows access. Microsoft has confirmed that this vulnerability is being actively exploited in real-world attacks. It carries a CVSSv3 score of 7.8 and is rated Important.

In addition, Microsoft addressed two other elevation-of-privilege issues in the same driver: CVE-2025-62454 and CVE-2025-62457. Both share the same CVSSv3 score of 7.8 and Important severity rating. However, Microsoft’s Exploitability Index classifies CVE-2025-62454 as “Exploitation More Likely”, while CVE-2025-62457 is considered “Exploitation Unlikely.”

CVE-2025-64671 – A remote code execution flaw in the GitHub Copilot plugin for JetBrains integrated development environments. The vulnerability is rated Important with a CVSSv3 score of 8.4 and is currently assessed as “Exploitation Less Likely.”

The issue is a command injection weakness in GitHub Copilot. An attacker could deliver a malicious cross-prompt injection through an MCP server or through untrusted files opened in the IDE; if successful, the injected content appends unauthorised commands to legitimate ones, and those run without review because of the plugin’s ‘auto-approve’ terminal setting. Beyond updating the plugin, the practical check is whether auto-approval of terminal commands is enabled anywhere Copilot is pointed at untrusted repositories or MCP servers.

CVE-2025-54100 – A remote code execution flaw in Windows PowerShell, one of the most widely used automation engines in enterprise environments. The vulnerability carries a CVSSv3 score of 7.8, is rated Important, and stems from a command-injection issue caused by improper handling of special characters when PowerShell parses web content.

The flaw allows script code embedded in a web page to execute automatically when the page is retrieved with Invoke-WebRequest, a cmdlet used routinely in automation scripts, DevOps pipelines and system provisioning.

To reduce risk, Microsoft has changed PowerShell’s behaviour:

• When Invoke-WebRequest encounters a page containing potential script blocks, PowerShell now issues a clear security warning.

• Administrators and users are advised to pass the -UseBasicParsing switch, which prevents the script from being executed.
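Two things a practitioner wants here are the hardened call shape and a way to find existing automation that still relies on the legacy parser. The PowerShell below is an added example written for this roundup, not code from Softcat or Microsoft. It assumes the documented cmdlet behaviour (in Windows PowerShell 5.1, Invoke-WebRequest without -UseBasicParsing builds its ParsedHtml output with the Internet Explorer DOM engine; on PowerShell 7+ basic parsing is the default and the switch is a compatibility no-op), and the sample script, file name and host names are constructed placeholders.

```powershell
# Added example (not from the Softcat post or Microsoft's advisory).
# Part 1: a wrapper that always uses basic parsing and only exposes the raw body.
# Part 2: an AST-based audit that reports Invoke-WebRequest calls lacking -UseBasicParsing.

function Get-RemoteContent {
    # Hardened wrapper: -UseBasicParsing skips the legacy IE DOM engine, and only
    # .Content is returned so no caller accidentally walks a DOM built from
    # untrusted HTML. On PowerShell 7+ the switch is a harmless no-op.
    param([Parameter(Mandatory)] [uri] $Uri)
    (Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop).Content
}

function Find-UnsafeInvokeWebRequest {
    # Parses script text with the PowerShell AST (rather than a regex, so comments,
    # strings and line continuations are handled correctly) and reports every
    # Invoke-WebRequest call, by name or alias, that lacks -UseBasicParsing.
    # Abbreviated switches such as -UseBasic are accepted, as PowerShell accepts them.
    # Limitation: a switch supplied via splatting (@params) is not recognised.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ScriptText,
        [string] $Path = '<inline>'
    )

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref] $tokens, [ref] $errors)

    # $true: descend into nested script blocks and function bodies.
    $calls = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] },
        $true)

    # Windows PowerShell 5.1 ships these aliases for Invoke-WebRequest.
    $names = @('Invoke-WebRequest', 'iwr', 'wget', 'curl')

    foreach ($call in $calls) {
        $name = $call.GetCommandName()      # $null for '& $cmd' style invocations
        if ($name -notin $names) { continue }

        $hasBasic = $call.CommandElements | Where-Object {
            $_ -is [System.Management.Automation.Language.CommandParameterAst] -and
            'UseBasicParsing'.StartsWith($_.ParameterName, [System.StringComparison]::OrdinalIgnoreCase)
        }

        if (-not $hasBasic) {
            [pscustomobject]@{
                Path    = $Path
                Line    = $call.Extent.StartLineNumber
                Call    = $call.Extent.Text
                Finding = 'Invoke-WebRequest without -UseBasicParsing (legacy IE DOM parsing)'
            }
        }
    }
}

# Constructed sample of a provisioning script; the file name and hosts are placeholders.
$sample = @'
$page = Invoke-WebRequest -Uri 'https://intranet.example/bootstrap.html'
$cfg  = iwr 'https://intranet.example/config.json' -UseBasicParsing
$raw  = Invoke-WebRequest -UseBasic -Uri 'https://intranet.example/notes.txt'
function Sync-Status { $r = curl 'https://intranet.example/status.html' }
'@

Find-UnsafeInvokeWebRequest -ScriptText $sample -Path 'provision.ps1' | Format-Table -AutoSize

# To audit a real script tree (path is a placeholder):
# Get-ChildItem -Path C:\Scripts -Recurse -Filter *.ps1 |
#     ForEach-Object { Find-UnsafeInvokeWebRequest -ScriptText (Get-Content $_.FullName -Raw) -Path $_.FullName }
```

In the constructed sample the first call and the aliased curl call inside the function are reported; the iwr call with the full switch and the call with the abbreviated -UseBasic pass, matching how PowerShell itself would bind them. Running the audit over the scripts that feed pipelines and provisioning is the quickest way to find where the Microsoft warning will appear after the update and where the switch still needs adding.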

Critical

CVE-2025-62554 and CVE-2025-62557 – Two remote code execution vulnerabilities in Microsoft Office, each with a CVSSv3 score of 8.4 and rated Critical. An attacker could exploit them through social engineering, for example by sending a malicious Office document to a target; if successful, the attacker gains code execution on the victim’s machine.

Although Microsoft has assessed both vulnerabilities as “Exploitation Less Likely,” the company warns that the Preview Pane serves as an attack vector. This means exploitation could occur without the victim opening the file.

Microsoft’s advisories also note that security updates for Office LTSC for Mac are not yet available but will be released once ready.

Important

CVE-2025-62458 – An elevation of privilege flaw in Win32k, a core kernel-side driver in Windows. The vulnerability carries a CVSSv3 score of 7.8, is rated Important, and has been assessed as “Exploitation More Likely.” Successful exploitation would give an attacker SYSTEM-level privileges on the affected machine.

With CVE-2025-62458, this is the ninth Win32k EoP vulnerability patched in 2025, following 14 similar flaws addressed in 2024.

CVE-2025-62466 – A null-pointer dereference vulnerability in the Windows Client-Side Caching (CSC) Service. An authorised local attacker can trigger the faulty dereference and, in this case, use it to escalate privileges: a low-privileged user or process that reaches the bug could gain a more powerful level of access. The CVSS v3.1 base score is 7.8, the rating is Important, and it has been assessed as “Exploitation More Likely.”

CVE-2025-64678 – A heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS). By sending specially crafted network packets to a system running RRAS, an unauthorized attacker could trigger the overflow and achieve remote arbitrary code execution. The vulnerability carries a CVSSv3 score of 8.8, is rated Important, and has been assessed as “Exploitation More Likely.” RRAS is a role service rather than a default component, so only hosts with the role installed and the service running are reachable; inventorying those first is a sensible way to prioritise the patch.

CVE-2025-62469 – A race condition / improper synchronization vulnerability in the Microsoft Brokering File System (BFS). The flaw arises when shared resources are accessed concurrently without proper synchronization, which an attacker can exploit.

According to the public technical description, the flaw is classified under CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization) and CWE-415 (Double Free). A local attacker with only low-level access could exploit it to escalate privileges, ultimately obtaining SYSTEM or other elevated rights on the affected system. The vulnerability carries a CVSSv3 score of 7.0, is rated Important, and has been assessed as “Exploitation Unlikely.”

 

Adobe

Adobe has released five patches this month, addressing 139 vulnerabilities across multiple products. The applications in question are:

Adobe Experience Manager (AEM)

Adobe ColdFusion

Adobe Acrobat & Adobe Acrobat Reader

Adobe Creative / Desktop & SDK tools

Adobe Creative Cloud Desktop

 

Cisco

Cisco’s December 2025 updates focus on CVE-2025-55182, a critical remote code execution (RCE) vulnerability in React Server Components that also affects Next.js; it applies to Cisco products that embed React/Next.js server components. Cisco also fixed CVE-2025-20289, a medium-severity reflected cross-site scripting and information disclosure vulnerability in Cisco Identity Services Engine. It affects Cisco ISE and Cisco ISE-PIC regardless of device configuration.

 

Ivanti

Ivanti has issued security updates addressing multiple vulnerabilities, including CVE-2025-10573, a critical stored XSS flaw in Ivanti Endpoint Manager with a CVSSv3 score of 9.6. It allows a remote, unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator’s session.

 

SAP

SAP released 14 new security updates: three critical, five high and six medium. The products affected by the critical- or high-rated CVEs are:

SAP Solution Manager

SAP Commerce Cloud

SAP jConnect - SDK for ASE

SAP Web Dispatcher and Internet Communication Manager (ICM)

SAP NetWeaver (remote service for Xcelsius)

SAP Business Objects

SAP Web Dispatcher, Internet Communication Manager and SAP Content Server

SAP S/4 HANA Private Cloud (Financials General Ledger)

 

IBM

IBM’s security update for December 2025 includes multiple critical patches across QRadar, Sterling Partner Engagement Manager and other IBM products, addressing vulnerabilities such as remote denial‑of‑service and privilege escalation.

Products covered include:

• IBM AIX

• IBM Aspera Shares

• IBM Business Automation Workflow

• IBM Cloud Pak System

• IBM Controller

• IBM Guardium Data Security Center

• IBM Jazz Reporting Service (various versions)

• IBM Maximo Application Suite — Monitor component (various versions)

• IBM Process Mining

• IBM Use Case Manager App

• IBM VIOS

• IBM Watson Studio on Cloud Pak for Data

 

Check Point

Check Point published numerous security advisories covering third-party product vulnerabilities and the corresponding protections available through Check Point IPS and Threat Prevention. This month’s advisories focused on remote code execution, command injection, file upload flaws and authentication bypass vulnerabilities.

 

VMware

VMware has published advisories for vulnerabilities affecting several components of the VMware Tanzu Platform. Critical and high vulnerabilities were discovered in VMware Tanzu's foundation core, Tanzu Hub, and stemcells (Ubuntu Jammy).  

 

Fortinet

Fortinet released security updates for multiple products, including a critical FortiCloud SSO Login Authentication Bypass flaw.

 

React

React has issued patches for a critical remote code execution vulnerability in React Server Components (CVE-2025-55182, referenced above under Cisco). The flaw, known as React2Shell, is already being actively exploited in attacks.

As always, users are recommended to apply the latest security updates as soon as possible to protect their systems from potential threats.