Happy December Patch Tuesday to all who celebrate. This month’s patch party includes one Microsoft flaw under exploitation, plus two others listed as publicly known – but just 57 CVEs in total from Redmond.

There’s also a fix for a critical Notepad++ bug that, according to security sleuth Kevin Beaumont, is being abused by attackers in China.

Plus, software security vendors Ivanti and Fortinet both issued patches for critical security holes in their products, so those two should be high on sys-admins’ and security teams’ list of things to do today.

Microsoft patches

Let’s start our look at Microsoft’s relatively quiet final patch-a-thon for 2025 by considering CVE-2025-62221, a 7.8-CVSS-rated Windows Cloud Files Mini Filter Driver vulnerability that allows an authorized attacker to elevate privileges locally.

This one was exploited as a zero-day, according to Redmond, and while we don’t yet know who is abusing this security hole, “privilege escalation vulnerabilities are observed in almost every incident involving host compromises, making this a critical vulnerability to patch to limit an attacker’s capabilities,” Kev Breen, senior director of cyber threat research at Immersive, told The Register.

To exploit this bug, an attacker must already have code execution rights on the targeted system, but assuming they’ve already achieved this, they can then abuse CVE-2025-62221 to escalate privileges and gain system-level access. So prioritize patching this one first.

The two Redmond vulnerabilities listed as publicly known but not (yet) exploited are CVE-2025-54100, a PowerShell Remote Code Execution (RCE) flaw that earned a 7.8 CVSS rating, and CVE-2025-64671, an 8.4-severity GitHub Copilot for Jetbrains bug that can lead to RCE.

CVE-2025-64671 is listed as a local, but as Trend Micro’s Zero Day Initiative chief bug hunter Dustin Childs, noted: “It’s likely that a remote attacker could socially engineer someone to trigger the command injection.”

“By exploiting a malicious cross-prompt injection in untrusted files or Model Context Protocol (MCP) servers, an attacker could piggyback extra commands onto those permitted by the user’s terminal auto-approve settings, causing them to be executed without further confirmation,” Childs continued. “I expect we’ll see many more bugs like these in 2026.”

Details about all 57 CVEs are available here

.

Notepad++ under attack

Also on Tuesday, Notepad++ released v8.8.9, which fixes a critical flaw in the open-source text and source code editor for Windows. This bug was being abused to hijack traffic from WinGUp (the Notepad++ updater), redirect it to malicious servers, and then trick people into downloading malware, thinking they’re downloading the latest software release.

The fix followed security researchers’ reports (including this one from Beaumont) about hijacking incidents, and in a social media post on Tuesday Beaumont said attackers from China were poking holes in the flaw.

According to the project’s maintainer, Don Ho, the review of these reports “led to identification of a weakness in the way the updater validates the integrity and authenticity of the downloaded update file. In case an attacker is able to intercept the network traffic between the updater client and the Notepad++ update infrastructure, this weakness can be leveraged by an attacker to prompt the updater to download and executed an unwanted binary (instead of the legitimate Notepad++ update binary).”

Updating to v8.8.9 mitigates the issue.

Fortinet’s critical fix

In other Patch Tuesday news, Fortinet fixed two critical vulnerabilities in its products. The flaws, tracked as CVE-2025-59718 and CVE-2025-59719, earned a critical 9.1 CVSS rating and affect FortiOS, FortiWeb, FortiProxy and FortiSwitchManager.

They allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication using a crafted SAML message – but only if that login method is enabled on the device.

“Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device’s GUI, unless the administrator disables the toggle switch ‘Allow administrative login using FortiCloud SSO’ in the registration page, FortiCloud SSO login is enabled upon registration,” according to the vendor.

If you don’t want to fall victim to attackers exploiting these flaws, turn off the FortiCloud login feature until you’ve upgraded to a non-affected version.

These two critical bugs follow last month’s disclosures of two bugs exploited as zero-days in Fortinet’s FortiWeb web application firewall.

Everyone loves exploiting Ivanti EPM

Meanwhile, a critical, now-patched bug in Ivanti’s Endpoint Manager (EPM) product can allow an unauthenticated attacker to remotely execute malicious code.

The vendor on Tuesday disclosed the cross-site scripting flaw, tracked as CVE-2025-10573, and said the latest software update, version EPM 2024 SU4 SR1, fixes the 9.6 CVSS-rated vulnerability.

“We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure,” the company’s security advisory noted.

But considering that abusing this hole in Ivanti’s endpoint management tool could give attackers access to all of their client devices across Windows, macOS, Linux, Chrome OS, and IoT – and that China really likes breaking into buggy Ivanti gear for cyber-spying and botnet-building purposes – don’t leave this patch behind.

Rapid7 security researcher Ryan Emmons disclosed the bug to Ivanti, and in a subsequent Tuesday blog detailed how an “attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server in order to poison the administrator web dashboard with malicious JavaScript.”

Then, when an EPM admin views one of these poisoned dashboard interfaces, “that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator’s session,” he added.

While Rapid7 director of vulnerability intelligence Doug McKee told The Register that his threat hunting team isn’t aware of active exploitation, “now that the vulnerability has been publicly disclosed and patched … the likelihood of attackers reverse engineering the update to target internet-exposed systems is high.”

“Widespread scanning and exploitation attempts are likely to follow soon, as the attack requires no credentials to stage and successfully grants full session control once an administrator views the poisoned dashboard,” he added. ®