{"id":3851,"date":"2025-12-14T00:37:03","date_gmt":"2025-12-14T00:37:03","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/12\/14\/microsoft-fixes-three-zero-days-in-final-patch-tuesday-of-2025\/"},"modified":"2025-12-14T00:37:03","modified_gmt":"2025-12-14T00:37:03","slug":"microsoft-fixes-three-zero-days-in-final-patch-tuesday-of-2025","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/12\/14\/microsoft-fixes-three-zero-days-in-final-patch-tuesday-of-2025\/","title":{"rendered":"Microsoft Fixes Three Zero-Days in Final Patch Tuesday of 2025"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-4276397b-4494-4290-936e-c7dfa05a6351\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Microsoft patched an actively exploited zero-day vulnerability as part of its monthly security update cycle yesterday.<\/p>\n<p>CVE-2025-62221 is an elevation of privilege (EoP) bug in the Windows Cloud Files Mini Filter Driver, which enables a low-privileged user to achieve system-level code execution through a kernel-mode use-after-free flaw.\u00a0<\/p>\n<p>Although no confirmed proof-of-concept (PoC) is available, it\u2019s likely that threat actors already have the requisite knowledge to exploit it, warned Action1 president, Mike Walters.<\/p>\n<p>\u201cThe real impact of this vulnerability emerges when attackers chain it with other weaknesses. 
After gaining low-privileged access through phishing, a browser exploit\u00a0or an application [remote code execution] RCE, they can use CVE-2025-62221 to escalate to system and take full control of the host,\u201d he explained.<\/p>\n<p>\u201cA kernel-level elevation in a widely deployed driver also enables sandbox or browser escape, turning limited execution into full OS compromise. With system privileges, attackers can deploy kernel components or abuse signed drivers to evade defenses and maintain persistence, and when combined with credential theft, this can quickly escalate to domain-wide compromise.\u201d<\/p>\n<p><em>Read more on Patch Tuesday: Microsoft Fixes Windows Kernel Zero Day in November Patch Tuesday<\/em><\/p>\n<p>Microsoft also issued patches for two zero-days\u00a0which have been publicly disclosed but not yet exploited in the wild.<\/p>\n<p>CVE-2025-54100 is an RCE vulnerability in PowerShell which affects how the Windows tool processes web content.<\/p>\n<p>\u201cIt lets an unauthenticated attacker execute arbitrary code in the security context of a user who runs a crafted PowerShell command, such as Invoke-WebRequest,\u201d explained Action1 co-founder, Alex Vovk.\u00a0\u00a0<\/p>\n<p>\u201cGiven the simplicity of the issue and PowerShell\u2019s central role in offensive tooling, PoC scripts are likely to be straightforward for researchers and attackers who can craft response bodies that trigger the vulnerable parser logic.\u201d<\/p>\n<p>The third zero-day is CVE-2025-64671,\u00a0an RCE flaw in GitHub Copilot\u00a0for JetBrains.<\/p>\n<p>\u201cVia a malicious Cross Prompt Inject in untrusted files or MCP servers, an attacker could execute additional commands by appending them to commands allowed in the user\u2019s terminal auto-approve setting,\u201d said Microsoft.<\/p>\n<p>Elsewhere this month there were just three critical CVEs patched by Microsoft, all of which are classed as RCE.<\/p>\n<p>Two of these (CVE-2025-62554 and CVE-2025-62557) 
impact Microsoft Office, while the third (CVE-2025-62562) can be found in Outlook.<\/p>\n<p>All told, there were 19 RCE vulnerabilities listed in the December Patch Tuesday, and 28 EoP flaws.<\/p>\n<h2>A Busy December For SysAdmins<\/h2>\n<p>It\u2019s proving to be a busy end to the year for sysadmins, who are already scrambling to find and patch the React2Shell flaw being widely exploited in attacks.<\/p>\n<p>Ivanti has also released patches as part of its monthly update cycle, including a fix for a stored XSS flaw (CVE-2025-10573) in Ivanti Endpoint Manager (EPM), which has a CVSS score of 9.6.<\/p>\n<p>\u201cAn attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server in order to poison the administrator web dashboard with malicious JavaScript,\u201d explained Rapid7 director of vulnerability intelligence, Douglas McKee.<\/p>\n<p>\u201cWhen an\u00a0Ivanti\u00a0EPM administrator views one of the poisoned dashboard interfaces during normal usage, that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator\u2019s session.\u201d<\/p>\n<\/p><\/div>\n<p>Image credit:\u00a0Tada Images \/ Shutterstock.com<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft patched an actively exploited zero-day vulnerability as part of its monthly security update cycle yesterday. 
CVE-2025-62221 is an elevation of privilege (EoP) bug in the Windows Cloud Files Mini Filter Driver, which enables a low-privileged user to achieve system-level code execution through a kernel-mode use-after-free flaw.\u00a0 Although no confirmed proof-of-concept (PoC) is available, it\u2019s<\/p>\n","protected":false},"author":2,"featured_media":3852,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3851","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3851-a277b42f-ad53-4c17-8d53-d23ae60158e3.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3851-a277b42f-ad53-4c17-8d53-d23ae60158e3-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3851-a277b42f-ad53-4c17-8d53-d23ae60158e3.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3851-a277b42f-ad53-4c17-8d53-d23ae60158e3.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3851-a277b42f-ad53-4c17-8d53-d23ae60158e3.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3851-a277b42f-ad53-4c17-8d53-d23ae60158e3.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3851-a277b42f-ad53-4c17-8d53-d23ae60158e3.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3851-a277b42f-ad53-4c17-8d53-d23ae60158e3.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3851-a277b42f-ad53-4c17-8d53-d23ae60158e3.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3851-a277b42f-ad53-4c17-8d53-d23ae60158e3.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-co
ntent\/uploads\/2025\/12\/3851-a277b42f-ad53-4c17-8d53-d23ae60158e3-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3851","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3851"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3851\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3852"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3851"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3851"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3851"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}