Zero Day Initiative | Blog
Follow
The December 2025 Security Update Review
Adobe released updates for December 2025, addressing 139 CVEs across various products, including Reader and ColdFusion. While the number of CVEs is high, many are XSS bugs, though some critical code execution vulnerabilities exist. ColdFusion receives a patch with a deployment priority of 1 due to several code execution bugs. Microsoft's December 2025 Patch Tuesday includes 56 new CVEs across Windows, Office, and other components, with a total of 70 when including Chromium updates. This brings Microsoft's yearly total to 1,139 CVEs, making 2025 the second-highest volume year. One actively exploited vulnerability, CVE-2025-62221, is a Windows Cloud Files Mini Filter Driver elevation of privilege bug. Microsoft also addressed critical Office remote code execution vulnerabilities, including those affecting the Preview Pane. A publicly known command injection bug in GitHub Copilot, CVE-2025-64671, is also addressed. The updates include several elevation of privilege and remote code execution vulnerabilities across various Windows components.