Microsoft fixes critical Office zero-day security flaw. Update ASAP!
Summary created by Smart Answers AI
In summary:
- PCWorld reports that Microsoft released critical security updates fixing 15 Office vulnerabilities, including 14 remote code execution flaws affecting Excel, Word, Outlook, and Access.
- One zero-day vulnerability (CVE-2025-62221) is actively being exploited in the wild, while two critical flaws can be triggered just by previewing malicious files.
- Users should update immediately as these vulnerabilities pose serious security risks, with attacks possible through basic file interactions in Office applications.
Yesterday was Microsoft’s big “Patch Tuesday,” which unleashed various security updates against 56 new vulnerabilities. This rounds out the year with a whopping total of 1,139 vulnerabilities fixed throughout 2025. In addition to Windows and Office, these fixes also affect Azure, Copilot, Defender, Exchange, and PowerShell.
The next big update is scheduled for January 13th, 2026. Here’s a deeper look at all the security fixes across Microsoft’s services.
Microsoft Windows vulnerabilities
A large proportion of the vulnerabilities (38 this time) are spread across the various Windows versions (Windows 10, Windows 11, and Windows Server) for which Microsoft still offers security updates.
Windows 10 is still named as an affected system, even though support officially ended in October. This wasn’t the case with Windows 7, despite the ESU program (Extended Security Updates).
CVE-2025-62221 is a high-risk Elevation of Privilege (EoP) vulnerability in the cloud file mini-filter driver that’s already being exploited for attacks in the wild. A successful attacker could even execute their code with system-level rights by combining this use-after-free (UAF) vulnerability with a Remote Code Execution (RCE) vulnerability, of which there are plenty. All supported Windows versions are vulnerable.
With CVE-2025-62454 and CVE-2025-62457, Microsoft has patched two more of the same type, but they aren’t being actively exploited.
Although there are no Windows vulnerabilities classified as critical this month, Microsoft has fixed some potentially dangerous ones. For example, there’s an EoP and two Denial of Service (DoS) vulnerabilities in the DirectX graphics core. With CVE-2025-54100, Microsoft has eliminated a problematic RCE flaw in PowerShell that was already publicly known in advance. The Routing and Remote Access Service (RRAS) is also once again represented with three security vulnerabilities, including CVE-2025-62549 (an RCE vulnerability).
Microsoft Office vulnerabilities
Microsoft classifies two of the Office vulnerabilities as critical. According to Microsoft, one of them is already being exploited for attacks in the wild. We’ve gotten sparse details on the other vulnerabilities, which aren’t really searchable in the Security Update Guide.
Microsoft has fixed 15 vulnerabilities in its Office family of products, including 14 RCE vulnerabilities. Microsoft classifies two of these RCE vulnerabilities (CVE-2025-62554 and CVE-2025-62557) as critical, with the preview window being an attack vector. This means a successful attack can happen simply by clicking on a file that’s displayed in the preview, even if the user never actually opens it.
Microsoft categorizes the other Office vulnerabilities as high risk. Here, a user must actually open a prepared file for the exploit code to take effect (“open to own”). Six of these vulnerabilities affect Excel, three are in Word, and one each in Outlook and Access.
Microsoft Exchange vulnerabilities
Microsoft has fixed two vulnerabilities in Exchange Server. CVE-2025-64666 is an EoP vulnerability that was reported to Microsoft by the NSA. The second vulnerability, CVE-2025-64667, is a spoofing vulnerability.
Anyone still working with Exchange Server 2016 or 2019 may remain unprotected despite these updates, as both received their last updates in October. Fortunately, there’s a six-month ESU program for Exchange that runs until Patch Tuesday in April 2026.
Microsoft Edge vulnerabilities
The latest security update to Edge 143.0.3650.66 was released on December 4th and is based on Chromium 143.0.7499.41. It fixes several Chromium vulnerabilities. Microsoft has also fixed an Edge-specific vulnerability (CVE-2025-62223).
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.

