December Patch Tuesday Commentary From Fortra
Tyler Reguly, Associate Director, Security R&D, Fortra
Let’s end the year with a statistic that I find somewhat interesting. In 2025, Microsoft patched 1275 vulnerabilities. That works out to roughly 106 vulnerabilities each month, yet December only saw 70 vulnerabilities when you include the third-party CNA vulnerabilities. If all things were equal, December should account for 8.3% of all CVEs fixed by Microsoft; instead, December contains only 5.5% of this year’s total CVEs. I suppose we can thank Microsoft for an early Christmas gift.
We’re ending the year with a vulnerability that is seeing active exploitation, the use-after-free vulnerability in the Windows Cloud Files Mini Filter (CVE-2025-62221). Given that this vulnerability is seeing active exploitation and could lead to SYSTEM-level access, this should be the priority for patching this month.
There are two vulnerabilities that Microsoft has rated as Critical this month, and it is probably more important that we discuss these than the two publicly disclosed vulnerabilities. For that reason, I would prioritize CVE-2025-62557 and CVE-2025-62554, a pair of use-after-free vulnerabilities in Office, over CVE-2025-54100 and CVE-2025-64671, command injection vulnerabilities in PowerShell and GitHub Copilot for JetBrains. All four vulnerabilities are listed as exploitation less likely, but the Office vulnerabilities list the Preview Pane as an attack vector, and I always find that one of the scariest attack vectors that can be listed. Vulnerabilities that don’t rely on user interaction are vulnerabilities that we want to pay attention to.
CISOs this month should remember that their admins have remediated (or at least reviewed) 1275 vulnerabilities from Microsoft alone this year. It’s been a long, vulnerability-filled year for our security teams, and I’d imagine they’re tired. Thankfully, Microsoft provided this gift of a smaller Patch Tuesday without too many high-profile items… let your teams relax a little as we wrap up the year; there are enough other items to keep them busy without stressing over this Patch Tuesday release.
If I were in charge of all aspects of security for an enterprise as we wrap up the year and think about 2026 budgets, I’d probably be thinking about the two critical Office vulnerabilities that impact the Preview Pane and consider the email protections that I have in place and where I can make investments in 2026 to further improve the email security of my organization. Between “silent attacks” that utilize the preview pane, phishing, and all the other risks that come to us via email, it is one of the places where organizations can still do more to shore up their security posture and put themselves in a good place.
This entry was posted on December 9, 2025 at 2:36 pm and is filed under Commentary with tags Fortra. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.