ZDI: The December 2025 Security Update Review

Gandalf_The_Grey

It’s the final patch Tuesday of 2025, but that doesn’t make it any less exciting. Put aside your holiday planning for just a moment as we review the latest security offering from Adobe and Microsoft. If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Adobe Patches for December 2025

For December, Adobe released five bulletins addressing 139 unique CVEs in Adobe Reader, ColdFusion, Experience Manager, Creative Cloud Desktop, and the Adobe DNG Software Development Kit (SDK). Don’t panic at that large of a CVE count. Most of those are simple cross-site scripting (XSS) bugs in Adobe Experience Manager. There are a few Critical-rated DOM-based XSS bugs in the mix, so don’t ignore this patch by any means – just don’t panic at the large number of CVEs. I wouldn’t panic over the update for ColdFusion either, but Adobe does set the deployment priority for this fix as 1. They note there are no known active attacks for the CVEs, but there are several arbitrary code execution bugs being fixed. Also, if you’re running ColdFusion, make sure you check out one of their lockdown guides. The one for ColdFusion 2025 can be found here.

The update for Adobe Reader is smaller than expected, with only two of the four CVEs addressed leading to code execution. Not that I’m complaining – I just expected more. The patch for the Adobe DNG Software Development Kit also fixes four CVEs, with one of those leading to code execution. Finally, the update for Creative Cloud Desktop fixes a single Important-rated bug.
Microsoft Patches for December 2025

Microsoft ends the year by releasing a paltry 56 new CVEs in Windows and Windows components, Office and Office Components, Microsoft Edge (Chromium-based), Exchange Server, Azure, Copilot, PowerShell, and Windows Defender. One of these bugs came through the ZDI program. Of the patches released today, three are rated Critical while the rest are rated Important in severity. Counting the third-party Chromium updates listed in the release, that brings the total number of CVEs to 70.

Counting the CVEs released today, that brings Microsoft’s total count to 1,139 CVEs patched in 2025. Again, this is not counting the numerous updates for Azure Linux and CBL Mariner released earlier this month, as these should be considered Linux CVEs being applied to Azure properties. That makes 2025 the second-largest year in volume, trailing 2020 by a mere 111 CVEs. As Microsoft’s portfolio continues to increase and as AI bugs become more prevalent, this number is likely to go higher in 2026.

Microsoft lists one bug under active attack, but two others as publicly known at the time of the release.
Looking Ahead

We start the patch process again in 2026 on January 13, and I’ll be back then with my analysis and thoughts about the release. Until then, merry christmahanakwanzika, stay safe, happy patching, and may all your reboots be smooth and clean!
Thanks for sharing, that’s a very useful recap for the last Patch Tuesday of the year.

Key takeaways from the article
  • Adobe shipped 5 bulletins / 139 CVEs covering:
    • Experience Manager: bulk of the CVEs, mostly XSS (including some Critical DOM-based XSS → don’t ignore if you run AEM).
    • ColdFusion: several arbitrary code execution bugs, deployment priority 1 but no known active exploits yet. Adobe strongly recommends following the ColdFusion 2025 lockdown guide.
    • Acrobat/Reader: 4 CVEs, 2 leading to code execution.
    • DNG SDK: 4 CVEs, 1 leading to code execution.
    • Creative Cloud Desktop: 1 Important-rated bug.
  • Microsoft patched 56 new CVEs (70 including Chromium):
    • Affects Windows, Office, Edge (Chromium), Exchange, Azure, Copilot, PowerShell, Windows Defender, etc.
    • 3 Critical, the rest Important.
    • 1 vulnerability is under active attack and 2 are publicly known.
    • Microsoft’s total for 2025: 1,139 CVEs – second highest year after 2020.

What this means for home users
  • Run Windows Update and install the December 2025 cumulative updates, browser, and .NET/Office patches.
  • Update Adobe Acrobat/Reader and Creative Cloud Desktop through their built‑in updaters.
  • As always, make or verify a recent backup before patching (especially if you defer reboots on a production machine).

What this means for admins / power users
  • Prioritize:
    • The Microsoft vuln reported as actively exploited, and any Critical RCE.
    • Adobe ColdFusion (priority 1, multiple code‑execution issues).
    • Adobe Experience Manager if exposed to the internet (Critical DOM XSS).
  • Check:
    • Official Microsoft Security Update Guide for the exploited and publicly known CVEs and map them to your estate.
    • Adobe’s ColdFusion 2025 Lockdown Guide and apply hardening where possible.
  • Stage and test December patches on a pilot group before broad deployment, watching for:
    • Authentication/printing/Exchange issues.
    • Application compatibility problems, especially on servers.

Bottom line
Even though it’s a smaller Microsoft month by 2025 standards, there’s at least one exploited bug plus multiple code‑execution issues across Adobe and Microsoft. For most users: update promptly, have a backup in place, and let the community know here if you hit any issues with the December patches.
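As an added example (not from the ZDI article or the forum post above), the following PowerShell snippet covers the "install, verify, reboot" checklist for a single Windows host: it lists updates installed on or after the December 2025 Patch Tuesday date, reports whether a reboot is still outstanding, and reads the installed Adobe Acrobat/Reader version so it can be compared with Adobe's bulletin. The cutoff date of 2025-12-09 and the Adobe uninstall-key lookup are assumptions made here; the reboot-pending registry markers are the well-known ones used by Windows servicing.

```powershell
# Added example, not code from the article or the thread. Run in an elevated
# PowerShell session on the host you are verifying. The cutoff date is assumed
# to be the December 2025 Patch Tuesday (second Tuesday of the month).
$PatchTuesday = Get-Date -Year 2025 -Month 12 -Day 9

function Get-RecentHotFixes {
    # Hotfixes (KBs) whose InstalledOn date is on or after the cutoff.
    param([datetime]$Since = $PatchTuesday)
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

function Test-PendingReboot {
    # Registry markers Windows sets when servicing or Windows Update
    # still needs a restart to finish applying an update.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($m in $markers) {
        if (Test-Path $m) { return $true }
    }
    # Files queued for rename at next boot also indicate an incomplete install.
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
            -ErrorAction SilentlyContinue
    return [bool]($sm -and $sm.PendingFileRenameOperations)
}

function Get-AdobeAcrobatVersion {
    # Assumption: Acrobat/Reader registers under the standard uninstall keys
    # with a DisplayName starting "Adobe Acrobat".
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Acrobat*' } |
        Select-Object DisplayName, DisplayVersion
}

$hotfixes = Get-RecentHotFixes
if ($hotfixes) {
    $hotfixes | Format-Table -AutoSize
} else {
    Write-Warning "No updates installed since $($PatchTuesday.ToShortDateString()); check Windows Update."
}

if (Test-PendingReboot) {
    Write-Warning 'A reboot is pending; the December update is not fully applied until the host restarts.'
}

# Compare the reported version against the fixed version in Adobe's bulletin.
Get-AdobeAcrobatVersion | Format-Table -AutoSize
```

For a fleet, the three functions can be wrapped in `Invoke-Command -ComputerName` and the results collected centrally; `Get-HotFix` only reports updates installed through Windows servicing, so hosts patched by a third-party tool should be checked against that tool's own inventory.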