Microsoft Fixes Three Zero-Days in Final Patch Tuesday of 2025

By Team-CWD, December 10, 2025


Microsoft patched an actively exploited zero-day vulnerability as part of its monthly security update cycle yesterday.

CVE-2025-62221 is an elevation of privilege (EoP) bug in the Windows Cloud Files Mini Filter Driver, which enables a low-privileged user to achieve system-level code execution through a kernel-mode use-after-free flaw. 

Although no confirmed proof-of-concept (PoC) is available, it’s likely that threat actors already have the requisite knowledge to exploit it, warned Action1 president, Mike Walters.

“The real impact of this vulnerability emerges when attackers chain it with other weaknesses. After gaining low-privileged access through phishing, a browser exploit or an application [remote code execution] RCE, they can use CVE-2025-62221 to escalate to system and take full control of the host,” he explained.

“A kernel-level elevation in a widely deployed driver also enables sandbox or browser escape, turning limited execution into full OS compromise. With system privileges, attackers can deploy kernel components or abuse signed drivers to evade defenses and maintain persistence, and when combined with credential theft, this can quickly escalate to domain-wide compromise.”


Microsoft also issued patches for two zero-days which have been publicly disclosed but not yet exploited in the wild.

CVE-2025-54100 is an RCE vulnerability in PowerShell which affects how the Windows tool processes web content.

“It lets an unauthenticated attacker execute arbitrary code in the security context of a user who runs a crafted PowerShell command, such as Invoke-WebRequest,” explained Action1 co-founder, Alex Vovk.  

“Given the simplicity of the issue and PowerShell’s central role in offensive tooling, PoC scripts are likely to be straightforward for researchers and attackers who can craft response bodies that trigger the vulnerable parser logic.”

The third zero-day is CVE-2025-64671, an RCE flaw in GitHub Copilot for JetBrains.

“Via a malicious Cross Prompt Inject in untrusted files or MCP servers, an attacker could execute additional commands by appending them to commands allowed in the user’s terminal auto-approve setting,” said Microsoft.

Elsewhere this month there were just three critical CVEs patched by Microsoft, all of which are classed as RCE.

Two of these (CVE-2025-62554 and CVE-2025-62557) impact Microsoft Office, while the third (CVE-2025-62562) can be found in Outlook.

All told, there were 19 RCE vulnerabilities listed in the December Patch Tuesday, and 28 EoP flaws.

A Busy December For SysAdmins

It’s proving to be a busy end to the year for sysadmins, who are already scrambling to find and patch the React2Shell flaw being widely exploited in attacks.

Ivanti has also released patches as part of its monthly update cycle, including a fix for a stored XSS flaw (CVE-2025-10573) in Ivanti Endpoint Manager (EPM), which has a CVSS score of 9.6.

“An attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server in order to poison the administrator web dashboard with malicious JavaScript,” explained Rapid7 director of vulnerability intelligence, Douglas McKee.

“When an Ivanti EPM administrator views one of the poisoned dashboard interfaces during normal usage, that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator’s session.”

Image credit: Tada Images / Shutterstock.com