In the final release, Microsoft addressed approximately 60 new common vulnerabilities and exposures (CVEs). Patch Tuesday update on a challenging year for defenders, bringing the total number of deficiencies corrected this year to more than 1,100.
Of this month's flaws, three are rated as critical in severity, one is known to be actively used in the real world, and two are known to have public proof of concept but are not yet in use.
Exploitable vulnerability tracked as CVE-2025-62221affects the Windows Cloud Files mini-filter driver. It arises as a result use after free (UAF) state in which a program accesses memory after it has been freed, resulting in unpredictable and sometimes dangerous conditions. In this case, an attacker can use it to escalate their privileges on the victim system.
“While there is no confirmed public PoC for CVE-2025-62221, past research and PoC for related Cloud Files Minifilter issues suggest that attackers already understand the underlying techniques,” said Mike Walters, co-founder and CEO of the patch management company. Action1.
“The real impact of this vulnerability occurs when attackers link it to other vulnerabilities. Once they gain low-privilege access through phishing, a browser exploit, or an RCE application, they can use CVE-2025-62221 to escalate into the system and gain full control of the host.”
Walters warned that because Cloud Files are nearly ubiquitous and proven to be exploitable, the risk for defenders is how quickly the vulnerability becomes part of an attacker's attack chain. He said that since only low privileges are required for exploitation, users with weak least privilege practices or with widely used endpoints may run into problems.
Meanwhile, two publicly disclosed vulnerabilities this month involve remote code execution (RCE) issues, one of which affects PowerShell. CVE-2025-54100 – and another involving GitHub Copilot for Jetbrains – CVE-2205-64671.
The PowerShell vulnerability is due to a command injection flaw that exists in the way Windows PowerShell processes web content, which could allow an unauthenticated attacker to execute arbitrary code as a user who is allowed to run crafted PowerShell commands. Given the importance and role of PowerShell in offensive tools, exploitation is likely to be simple and likely to become more dangerous as part of a chain of social engineering attacks against privileged users.
Meanwhile, the GitHub Copilot vulnerability stands out as one of the more interesting bugs fixed this month. breathtaking Senior Director of Cyber Threat Research Kev Breen.
“Copilot is a GenAI coding assistant used by Microsoft and GitHub. [and] this vulnerability specifically relates to JetBrains extensions,” Brin explained. “The vulnerability states that it is possible to achieve code execution on affected hosts by tricking the LLM. [large language model] to run commands that bypass restrictions and add instructions to the user’s “auto-approval” settings.
“This can be achieved throughImplementing Cross Prompt“that is, the prompt is modified not by the user, but by LLM agents, as they create their own prompts based on the contents of files or data received from the Model Context Protocol (MCP) server, which has increased in popularity due to agent-based LLMs.”
Brin said that while Microsoft has flagged the vulnerability as less likely to be exploited, when using a risk-based patching approach, the developers it targets typically have more privileged access to API keys or other secrets. Therefore, he added, anyone using GitHub Copilot for JetBrains should make the corrections immediately.
Finally, this month's three critical bugs are all RCE vulnerabilities. Two of them CVE-2025-62554 And CVE-2025-63557affect Microsoft Office and third, CVE-2025-65272 can be found in Outlook.
Do you want to become a record holder?
Looking back on the past year in his monthly Patch Tuesday reviewDustin Childs of the Trend Micro Zero Day Initiative reported that Microsoft has patched a total of 1,139 CVEs over the past 12 months, making 2025 the second-largest year ever in terms of volume, just 111 CVEs less than 2020.
Childs wrote that as Microsoft's portfolio diversifies and grows in scale, and as vulnerabilities arising from artificial intelligence (AI) become more common, 2026 looks set to be a record year.
