MS Family December 2025 Routine Security Update Advisory
Overview
Microsoft(https://www.microsoft.com) has released a security update that fixes vulnerabilities in products it has supplied. Users of affected products are advised to update to the latest version.
Affected Products
Azure Family
Azure Monitor Agent
ESU Family
Microsoft Exchange Server 2016 Cumulative Update 23
Microsoft Exchange Server 2019 Cumulative Update 14
Microsoft Exchange Server 2019 Cumulative Update 15
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Microsoft Office Suite
Microsoft 365 Apps for Enterprise for 32-bit Systems
Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft Access 2016 (32-bit edition)
Microsoft Access 2016 (64-bit edition)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office LTSC 2021 for 32-bit editions
Microsoft Office LTSC 2021 for 64-bit editions
Microsoft Office LTSC 2024 for 32-bit editions
Microsoft Office LTSC 2024 for 64-bit editions
Microsoft Office LTSC for Mac 2021
Microsoft Office LTSC for Mac 2024
Microsoft Office for Android
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2019
Microsoft SharePoint Server Subscription Edition
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)
Office Online Server
Open Source Software Suite
Azl3 kernel 6.6.112.1-2 on Azure Linux 3.0
Azl3 kernel 6.6.117.1-1 on Azure Linux 3.0
Azl3 vim 9.1.1616-1 on Azure Linux 3.0
Cbl2 vim 9.1.1616-1 on CBL Mariner 2.0
Other suites
GitHub Copilot Plugin for JetBrains IDEs
Server Software Suites
Microsoft Exchange Server Subscription Edition RTM
Windows Family
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 22H2 for 32-bit Systems
Windows 10 Version 22H2 for ARM64-based Systems
Windows 10 Version 22H2 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 11 Version 22H2 for ARM64-based Systems
Windows 11 Version 22H2 for x64-based Systems
Windows 11 Version 23H2 for ARM64-based Systems
Windows 11 Version 23H2 for x64-based Systems
Windows 11 Version 24H2 for ARM64-based Systems
Windows 11 Version 24H2 for x64-based Systems
Windows 11 Version 25H2 for ARM64-based Systems
Windows 11 Version 25H2 for x64-based Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows Server 2022 (Server Core installation)
Windows Server 2022, 23H2 Edition (Server Core installation)
Windows Server 2025
Windows Server 2025 (Server Core installation)
Resolved Vulnerabilities
2 vulnerabilities rated Critical and 58 vulnerabilities rated Important were found.
Azure Family
Critical-rated remote code execution vulnerability in Azure Monitor Agent (CVE-2025-62550)
ESU family
Critical elevation of privilege vulnerability in Microsoft Exchange Server (CVE-2025-64666)
Microsoft Office Suite
Critical remote code execution vulnerability in Microsoft Office Access (CVE-2025-62552)
Critical remote code execution vulnerabilities in Microsoft Office Excel (CVE-2025-62561, CVE-2025-62563, CVE-2025-62564, CVE-2025-62553, CVE-2025-62556, CVE-2025-62560)
Critical remote code execution vulnerability in Microsoft Office Outlook (CVE-2025-62562)
Critical spoofing vulnerability in Microsoft Office SharePoint (CVE-2025-64672)
Critical-rated remote code execution vulnerabilities in Microsoft Office Word (CVE-2025-62555, CVE-2025-62558, CVE-2025-62559)
Urgent-rated remote code execution vulnerabilities in Microsoft Office (CVE-2025-62554, CVE-2025-62557)
Open Source Software Suites
Moderate-rated vulnerabilities in Mariner (CVE-2025-40307, CVE-2025-40301, CVE-2025-40297, CVE-2025-40303, CVE-2023-53749, CVE-2025-40308, CVE-2025-40309, CVE-2025-40305, CVE-2025-40293, Cve-2025-40292, cve-2025-40306, cve-2025-40315, cve-2025-40317, cve-2025-40321, cve-2025-40304, cve-2025-40313, cve-2025-40294, cve-2025-40310, cve-2025-40323, cve-2025-40311, cve-2025-40322, cve-2025-40324)
Critical-rated vulnerabilities in Mariner (CVE-2025-66476, CVE-2025-40314, CVE-2025-40319, CVE-2025-40312)
Other Products
Critical remote code execution vulnerability in Copilot (CVE-2025-64671)
Server Software Family
Critical spoofing vulnerability in Microsoft Exchange Server (CVE-2025-64667)
Windows Family
Critical elevation of privilege vulnerability in Application Information Services (CVE-2025-62572)
Critical elevation of privilege vulnerabilities in Microsoft Brokering File System (CVE-2025-62469, CVE-2025-62569)
Critical information disclosure vulnerability in Microsoft Graphics Component (CVE-2025-64670)
Critical elevation of privilege vulnerability in Storvsp.sys Driver (CVE-2025-64673)
Critical information disclosure vulnerability in Windows Camera Frame Server Monitor (CVE-2025-62570)
Critical elevation of privilege vulnerability in Windows Client-Side Caching (CSC) Service (CVE-2025-62466)
Critical elevation of privilege vulnerabilities in Windows Cloud Files Mini Filter Driver (CVE-2025-62454, CVE-2025-62457, CVE-2025-62221)
Critical elevation of privilege vulnerability in Windows Common Log File System Driver (CVE-2025-62470)
Critical elevation of privilege vulnerability in Windows DWM Core Library (CVE-2025-64679, CVE-2025-64680)
Critical information disclosure vulnerability in Windows Defender Firewall Service (CVE-2025-62468)
Critical elevation of privilege vulnerability in Windows DirectX (CVE-2025-62573)
Critical denial of service vulnerabilities in Windows DirectX (CVE-2025-62463, CVE-2025-62465)
Critical Denial of Service Vulnerability in Windows Hyper-V (CVE-2025-62567)
Critical elevation of privilege vulnerability in Windows Installer (CVE-2025-62571)
Critical elevation of privilege vulnerability in Windows Message Queuing (CVE-2025-62455)
Critical remote code execution vulnerability in Windows PowerShell (CVE-2025-54100)
Critical elevation of privilege vulnerability in Windows Projected File System Filter Driver (CVE-2025-62461)
Critical elevation of privilege vulnerabilities in Windows Projected File System (CVE-2025-62462, CVE-2025-62464, CVE-2025-55233, CVE-2025-62467)
Critical elevation of privilege vulnerabilities in Windows Remote Access Connection Manager (CVE-2025-62472, CVE-2025-62474)
Critical remote code execution vulnerability in Windows Resilient File System (ReFS) (CVE-2025-62456)
Critical remote code execution vulnerability in Windows Routing and Remote Access Service (RRAS) (CVE-2025-62549, CVE-2025-64678)
Critical information disclosure vulnerability in Windows Routing and Remote Access Service (RRAS) (CVE-2025-62473)
Critical elevation of privilege vulnerabilities in Windows Shell (CVE-2025-64658, CVE-2025-62565, CVE-2025-64661)
Critical elevation of privilege vulnerabilities in Windows Storage VSP Driver (CVE-2025-59516, CVE-2025-59517)
Critical elevation of privilege vulnerability in Windows Win32K – GRFX (CVE-2025-62458)
Vulnerability Patches
Product-specific Vulnerability Patches were made available in the December 09, 2025 Update. Please use the Windows Update feature for automatic installation or refer to the URLs in the product information below to download and install.