Microsoft fixes critical Office zero-day security flaw. Update ASAP!


Yesterday was Microsoft’s big “Patch Tuesday”, which brought security updates for 56 new vulnerabilities. That rounds out the year at a whopping 1,139 vulnerabilities patched throughout 2025. Besides Windows and Office, the patches also cover Azure, Copilot, Defender, Exchange, and PowerShell.
The next big update is scheduled for January 13, 2026. Here’s a closer look at all security fixes for Microsoft products and services.
Microsoft Windows vulnerabilities
A large share of the vulnerabilities, 38 this time, are spread across the Windows versions for which Microsoft still provides security updates (Windows 10, Windows 11 and Windows Server).
Windows 10 is still listed as an affected system even though its support officially ended in October. That was not the case with Windows 7 after its end of support, despite its ESU (Extended Security Updates) program.
CVE-2025-62221 is a high-risk elevation of privilege (EoP) vulnerability in the Cloud Files Mini Filter driver that is already being exploited in the wild. By chaining this use-after-free (UAF) bug with one of the many remote code execution (RCE) vulnerabilities, an attacker can end up running code with SYSTEM privileges. All supported versions of Windows are affected.
With CVE-2025-62454 and CVE-2025-62457, Microsoft has fixed two more vulnerabilities of the same type, which are not known to be actively exploited.
Although no Windows vulnerability was rated critical this month, Microsoft has patched several potentially dangerous ones. There is, for example, one EoP vulnerability and two denial of service (DoS) vulnerabilities in the DirectX graphics core. With CVE-2025-54100, Microsoft has closed an RCE flaw in PowerShell that was already publicly known before the patch. Routing and Remote Access Service (RRAS) is once again represented with three vulnerabilities, including CVE-2025-62549, an RCE flaw.
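Since the article's advice is "update ASAP", here is an added example (my own PowerShell, not from the article or from Microsoft) of a quick post-patch check for the Windows components named above: whether anything was installed since Patch Tuesday, the on-disk build and load state of the Cloud Files Mini Filter driver hit by CVE-2025-62221, whether RRAS actually runs on the box, and the PowerShell engine version. Assumptions of mine: the December 2025 Patch Tuesday date is 2025-12-09, the driver binary is cldflt.sys and the RRAS service is named RemoteAccess (both real Windows names), and no KB numbers or fixed driver builds are assumed, so the script reports versions for you to compare against Microsoft's release notes rather than declaring a machine "patched".

```powershell
# Added example, not from the article: post-Patch-Tuesday triage for the Windows
# components discussed above. Assumptions (mine): Patch Tuesday = 2025-12-09,
# driver file cldflt.sys, service name RemoteAccess. No KB numbers or fixed
# build numbers are assumed. Run from an elevated prompt (fltmc needs it).

function Get-DecemberPatchState {
    [CmdletBinding()]
    param(
        [datetime]$PatchTuesday = [datetime]'2025-12-09'
    )

    # 1. Updates installed on or after Patch Tuesday. An empty list on a machine
    #    that should have updated is the first thing to chase.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
        Sort-Object InstalledOn

    # 2. Cloud Files Mini Filter (CVE-2025-62221): is cldflt.sys present and
    #    loaded, and which file version is on disk?
    $cldfltPath    = Join-Path $env:SystemRoot 'System32\drivers\cldflt.sys'
    $cldfltVersion = $null
    $cldfltLoaded  = $false
    if (Test-Path $cldfltPath) {
        $cldfltVersion = (Get-Item $cldfltPath).VersionInfo.FileVersion
        # fltmc lists loaded minifilters by name; the Cloud Files filter shows as "CldFlt".
        $cldfltLoaded = [bool]((& fltmc.exe filters) -match '^\s*CldFlt\b')
    }

    # 3. RRAS: the three RRAS fixes only matter where the role is installed and running.
    $rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSBuild        = (Get-CimInstance Win32_OperatingSystem).BuildNumber
        UpdatesSincePT = @($recent | ForEach-Object HotFixID)
        CldFltVersion  = $cldfltVersion
        CldFltLoaded   = $cldfltLoaded
        RrasStatus     = if ($rras) { $rras.Status.ToString() } else { 'not installed' }
        PSVersion      = $PSVersionTable.PSVersion.ToString()   # relevant to CVE-2025-54100
    }
}

$state = Get-DecemberPatchState
$state | Format-List

if (-not $state.UpdatesSincePT) {
    Write-Warning 'No updates installed since Patch Tuesday; the December cumulative update is probably missing.'
}
if ($state.CldFltLoaded) {
    Write-Host "cldflt.sys $($state.CldFltVersion) is loaded; compare it against the driver build shipped in the December update."
}
```

Run it from an elevated PowerShell on each host you care about; in a fleet you would wrap the function in Invoke-Command. The version comparison is deliberately left to you: the article names the vulnerable driver but not the fixed build, so the script only surfaces what is on disk.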
Microsoft Office vulnerabilities
Microsoft rates two of the Office vulnerabilities as critical and, according to Microsoft, one of them is already being exploited in the wild. There is little detail on the other vulnerabilities, which are barely visible in the Security Update Guide.
Microsoft has fixed 15 vulnerabilities in its Office family of products, 14 of them RCE vulnerabilities. Two of these RCE flaws (CVE-2025-62554 and CVE-2025-62557) are rated critical, with the preview pane as an attack vector. That means a successful attack only requires a crafted file to be rendered in the preview pane, for example by selecting it; the user never has to actually open it.
Microsoft rates the other Office vulnerabilities as high risk. Here the user must actually open a prepared file for the exploit to take effect (“open to own”). Six of these vulnerabilities affect Excel, three Word, and one each Outlook and Access.
Microsoft Exchange vulnerabilities
Microsoft has fixed two vulnerabilities in Exchange Server. CVE-2025-64666 is an EoP vulnerability reported to Microsoft by the NSA. The second vulnerability, CVE-2025-64667, is an impersonation vulnerability.
Anyone still running Exchange Server 2016 or 2019 may not be covered by these updates, as both reached end of support in October and received their last regular updates then. Fortunately, there is a six-month ESU program for Exchange that runs until Patch Tuesday in April 2026.
Microsoft Edge vulnerabilities
The latest security update for Edge 143.0.3650.66 was released on December 4 and is based on Chromium 143.0.7499.41. It fixes several Chromium vulnerabilities. Microsoft also fixed an Edge-specific vulnerability (CVE-2025-62223).