Microsoft December 2025 Patch Tuesday: Zero-Day in Cloud Files Driver and Critical RCE in PowerShell
Summary: Microsoft’s December 2025 Patch Tuesday addresses 56 security vulnerabilities across Windows and associated software, including one actively exploited zero-day privilege escalation flaw in the Windows Cloud Files Mini Filter Driver and a critical remote code execution vulnerability in Windows PowerShell. The update also resolves a high-severity RCE in the GitHub Copilot plugin for JetBrains IDEs, highlighting risks in AI-assisted development tools.
Zero-Day Privilege Escalation in Windows Cloud Files Mini Filter Driver
Microsoft has patched CVE-2025-62221, a zero-day privilege escalation vulnerability in the Windows Cloud Files Mini Filter Driver, which is used by cloud storage providers such as OneDrive and other cloud file sync clients. The flaw exists in the kernel-mode driver responsible for intercepting and managing file system operations for cloud-backed files, allowing non-administrative users to elevate privileges to SYSTEM level.
The vulnerability stems from improper validation of user-supplied input when handling certain file system control codes (IOCTLs). An attacker with local access to a Windows 10 or later system can craft a malicious IOCTL request that triggers an out-of-bounds memory access or use-after-free condition in the driver, leading to arbitrary kernel memory manipulation. Exploitation does not require authentication beyond a standard user account and can be combined with other vulnerabilities to achieve full system compromise.
Microsoft classifies this as a high-severity elevation of privilege issue and notes that it is already being exploited in targeted attacks. The affected component is part of the Windows Filter Manager framework and is loaded by default on systems with cloud storage integration enabled. Administrators should prioritize patching systems where cloud file sync services are in use, particularly in enterprise environments with shared or kiosk-style workstations.
Remote Code Execution in Windows PowerShell
CVE-2025-54100 is a critical remote code execution vulnerability in Windows PowerShell, affecting Windows Server 2008 and later versions. The flaw allows an unauthenticated attacker to execute arbitrary code in the context of the current user by sending a specially crafted request to a PowerShell remoting endpoint or by tricking a user into opening a malicious script or configuration file.
The vulnerability resides in the deserialization logic of PowerShell’s remoting and configuration subsystems. When processing certain serialized objects or configuration data, PowerShell fails to properly validate the object type and origin, enabling an attacker to inject and execute arbitrary .NET objects or scripts. Successful exploitation can lead to full system compromise if the targeted user has administrative privileges.
This flaw is particularly concerning in environments where PowerShell remoting is enabled for management, automation, or orchestration tasks. Organizations should review PowerShell remoting configurations, restrict access to trusted networks, and ensure that only necessary users have elevated PowerShell privileges. Immediate application of the December 2025 update is strongly recommended for all Windows servers and workstations where PowerShell is in use.
Remote Code Execution in GitHub Copilot Plugin for JetBrains IDEs
CVE-2025-64671 is a high-severity remote code execution vulnerability in the GitHub Copilot plugin for JetBrains IDEs, used by developers in Microsoft and GitHub ecosystems. The flaw allows an attacker to execute arbitrary code on a developer’s machine by manipulating the large language model (LLM) responses in a way that bypasses built-in guardrails and modifies the user’s auto-approve settings.
The vulnerability arises from insufficient input validation and excessive trust in LLM-generated code suggestions. When a developer uses Copilot’s auto-approve feature, certain crafted prompts or responses can cause the plugin to execute commands outside the intended sandbox, including writing to the file system, modifying configuration files, or executing external binaries. Attackers can exploit this by hosting malicious code repositories or documentation that, when referenced by the LLM, trigger the execution of unintended commands on the developer’s workstation.
This issue underscores the growing attack surface introduced by AI-assisted development tools. Organizations should review their Copilot usage policies, disable auto-approve features in production or sensitive environments, and implement strict code review and static analysis controls for AI-generated code. Developers should treat Copilot suggestions with the same scrutiny as any third-party code and avoid blindly accepting or executing generated snippets.
Overall Patch Volume and Enterprise Recommendations
Microsoft’s December 2025 update resolves a total of 56 vulnerabilities, including 11 rated Critical, 44 rated Important, and 1 rated Moderate. The update covers a wide range of components, including Windows Kernel, Windows Defender, Windows App Platform, and various server and client applications.
From a risk-based prioritization standpoint, organizations should focus first on systems exposed to the internet, servers with PowerShell remoting enabled, and developer workstations using AI-assisted coding tools. Patch deployment should be accompanied by a reboot where required, as some kernel-level fixes will not take effect until the system is restarted. Enterprises should also review their vulnerability management dashboards to identify unpatched systems and ensure that all Windows 10 and later endpoints are updated before the end of the current patch window.
ShadyPanda Campaign: Browser Extension Espionage Affecting 4.3 Million Users
Summary: A long-running espionage campaign attributed to the ShadyPanda threat group has compromised approximately 4.3 million users by weaponizing legitimate Google Chrome and Microsoft Edge browser extensions. The attackers abused the browser extension ecosystem by updating previously benign extensions with spyware and remote code execution capabilities, enabling large-scale data theft and persistent access to affected endpoints.
Operation and Infrastructure
ShadyPanda has been active for at least seven years, focusing on espionage and financial fraud. The group operates by acquiring or compromising legitimate browser extensions that have already passed store review processes and hold “Featured” or “Verified” badges. Once an extension is under their control, they push malicious updates that introduce telemetry collection, keylogging, and remote command execution capabilities.
The extensions are distributed through official browser stores, giving them an appearance of legitimacy. The attackers leverage the trust associated with verified developers and popular extensions to bypass user skepticism and security controls. In some cases, extensions are promoted through paid advertising or search engine optimization to increase their install base before the malicious update is deployed.
Technical Mechanisms and Data Exfiltration
The weaponized extensions use a combination of content scripts, background scripts, and injected iframes to monitor user activity. They collect browsing history, search queries, visited URLs, form data, and cookies, which are then exfiltrated to attacker-controlled command-and-control servers. Some variants also implement remote code execution by dynamically injecting malicious JavaScript into web pages or by abusing extension APIs to execute arbitrary code in the context of the browser.
The collected data includes sensitive corporate information such as API keys, authentication tokens, and internal documentation, making this campaign particularly dangerous for enterprise users. The extensions often remain undetected by traditional endpoint protection because they operate within the browser’s trusted execution environment and use legitimate APIs for data access and communication.
Supply Chain and Enterprise Risk
This campaign highlights systemic weaknesses in browser extension review and monitoring processes. Enterprises that rely on managed browsers and extension whitelisting must treat browser extensions as a supply chain risk. Attackers can compromise a single extension vendor and, through a single update, gain access to a large number of corporate endpoints.
Organizations should implement strict extension management policies, including approval workflows for new extensions, regular audits of installed extensions, and monitoring for unusual network activity from browser processes. Endpoint detection and response solutions should be configured to detect anomalous behavior from browser extensions, such as unexpected outbound connections or attempts to access sensitive local files.
Defensive Recommendations
Enterprises should immediately review their browser extension inventory and remove any extensions that are not essential for business operations. For extensions that must remain, administrators should ensure that they are from reputable vendors and that automatic updates are controlled through centralized management tools. Browser security settings should be hardened to limit permissions granted to extensions, and users should be trained to recognize suspicious behavior, such as unexpected prompts for additional permissions or unusual browser performance.
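The mechanics described above (content scripts on every site, cookie and history access, a benign extension turned malicious by an update) all leave traces in the extension's manifest.json, so an inventory audit can score each installed extension's permission footprint and alert when a version bump widens it. The script below is an added example, not code from the original report or from any browser vendor: the permission names and host patterns are the real Chrome/Edge manifest keys, the risk weights and threshold are constructed for illustration, and the inventory and baseline are constructed sample data standing in for what a managed-browser policy export or endpoint agent would supply.

```python
import json

# Manifest permissions and host patterns that give an extension the reach the campaign above abused
# (cookies, history, page injection). The weights are constructed for this example, not a published scale.
RISKY_PERMISSIONS = {
    "cookies": 3, "history": 3, "nativeMessaging": 3,
    "webRequest": 2, "webRequestBlocking": 2, "scripting": 2, "clipboardRead": 2,
    "tabs": 1, "declarativeNetRequest": 1,
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def score_manifest(manifest):
    """Score one parsed manifest.json; returns (score, findings)."""
    score, findings = 0, []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for p in sorted(perms):
        if p in RISKY_PERMISSIONS:
            score += RISKY_PERMISSIONS[p]
            findings.append(f"permission:{p}")
    # MV3 lists host patterns under host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_HOSTS:
        score += 4
        findings.append("host:all_urls")
    # A content script matching every site can read form data and inject into any page.
    if any(set(cs.get("matches", [])) & BROAD_HOSTS for cs in manifest.get("content_scripts", [])):
        score += 3
        findings.append("content_script:all_urls")
    return score, findings


def audit_inventory(inventory, baseline, threshold=6):
    """inventory: {ext_id: {"version": str, "manifest": dict}} collected from endpoints.
    baseline: {ext_id: (version, score)} recorded at the previous audit.
    Alerts on extensions over the threshold, and on any update whose permission footprint
    grew since the baseline: the benign-then-weaponized pattern described above."""
    alerts = []
    for ext_id, entry in inventory.items():
        score, findings = score_manifest(entry["manifest"])
        prev_version, prev_score = baseline.get(ext_id, (None, 0))
        reasons = []
        if score >= threshold:
            reasons.append(f"risk score {score} >= {threshold}")
        if prev_version is not None and entry["version"] != prev_version and score > prev_score:
            reasons.append(f"score rose {prev_score}->{score} with update {prev_version}->{entry['version']}")
        if reasons:
            alerts.append({"id": ext_id, "version": entry["version"], "findings": findings, "reasons": reasons})
    return alerts


# Constructed sample: a tab-manager extension that was harmless at 1.2.0 and, after an update,
# asks for cookies, history and every site; plus an unchanged theme extension.
SAMPLE_INVENTORY = {
    "constructed-id-tabmgr": {"version": "1.3.0", "manifest": json.loads("""{
        "manifest_version": 3, "name": "Tab Manager",
        "permissions": ["tabs", "storage", "cookies", "history"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["collector.js"]}]}""")},
    "constructed-id-theme": {"version": "2.0.1", "manifest": {"manifest_version": 3, "name": "Dark Theme",
                                                               "permissions": ["storage"]}},
}
SAMPLE_BASELINE = {"constructed-id-tabmgr": ("1.2.0", 1), "constructed-id-theme": ("2.0.1", 0)}

if __name__ == "__main__":
    for alert in audit_inventory(SAMPLE_INVENTORY, SAMPLE_BASELINE):
        print(alert)
```

The baseline comparison is the part worth keeping even if the weights are replaced: a store badge says nothing about the current version, so the signal to act on is an update that widens what an already-approved extension can reach.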
Google Patches Android Zero-Days Exploited in Targeted Attacks
Summary: Google’s December 2025 Android security bulletin addresses two high-severity zero-day vulnerabilities that were actively exploited in targeted attacks. One flaw allows privilege escalation in the Android Framework, while the other enables remote code execution, giving attackers deep access to affected devices before patches were available.
Privilege Escalation in Android Framework
The first zero-day, rated high severity, resides in the Android Framework and allows a local attacker to escalate privileges from a regular app context to a higher-privileged system process. The vulnerability is triggered when processing certain inter-process communication (IPC) messages or binder transactions, where improper validation of input data leads to memory corruption.
An attacker can exploit this flaw by crafting a malicious app that sends specially structured IPC messages to a system service. Successful exploitation can result in arbitrary code execution with elevated privileges, potentially allowing access to sensitive system data, modification of system settings, or installation of persistent malware. The flaw is particularly dangerous on devices where users install apps from third-party sources or where enterprise mobility management policies are not strictly enforced.
Remote Code Execution Vulnerability
The second zero-day is a remote code execution flaw that can be triggered through a specially crafted file, message, or network packet. The exact component varies by device and Android version, but the underlying issue is typically related to improper parsing of structured data such as images, documents, or network protocols.
Attackers can exploit this vulnerability by sending a malicious file via messaging apps, email, or by hosting it on a compromised website. Once the file is processed by the affected component, the attacker gains the ability to execute arbitrary code on the device. In targeted attacks, this is often combined with other exploits to bypass sandboxing and achieve persistence.
Attack Patterns and Victim Profiles
These vulnerabilities have been used in targeted attacks against specific individuals, including journalists, activists, and corporate executives. The attacks often begin with a spear-phishing message containing a malicious attachment or link, which, when opened, triggers the exploit chain.
Google has not yet disclosed full details of the victim profiles or the specific threat actors involved, but the pattern is consistent with previous zero-day campaigns that leverage multiple vulnerabilities in sequence to achieve full device compromise. The use of zero-days in targeted attacks suggests that the affected devices are of high value to the attackers, and the window of exposure before patching is critical.
Enterprise and User Mitigation
Organizations with mobile device management (MDM) solutions should ensure that all Android devices are updated to the latest security patch level as soon as possible. For devices that cannot be immediately patched, administrators should enforce strict app installation policies, disable sideloading, and restrict access to sensitive corporate resources from unpatched devices.
Users should be advised to avoid opening suspicious files or links, especially from unknown senders, and to keep their devices updated. Enterprises should also consider implementing mobile threat defense solutions that can detect and block exploit attempts, even on unpatched devices, and should monitor for indicators of compromise such as unusual network traffic or unexpected app behavior.
Cloudflare Mitigates Record 29.7 Tbps Aisuru DDoS Attack
Summary: Cloudflare has mitigated the largest distributed denial-of-service (DDoS) attack ever recorded, peaking at 29.7 terabits per second and 14.1 billion packets per second. The attack was launched by the Aisuru botnet, a DDoS-for-hire service that leverages a large network of compromised IoT devices to deliver hyper-volumetric attacks against targets in IT, telecommunications, gambling, and other sectors.
Attack Characteristics and Scale
The Aisuru attack reached a peak volume of 29.7 Tbps, significantly surpassing previous records. The attack was primarily volumetric, consisting of a massive flood of UDP and other protocol-based packets designed to saturate the target’s bandwidth and overwhelm network infrastructure.
The packet rate of 14.1 billion packets per second indicates a highly distributed and coordinated botnet, capable of generating traffic from millions of sources simultaneously. The attack targeted multiple Cloudflare customers across different industries, with a focus on organizations in information technology, telecommunications, and online gambling, which are frequent targets of DDoS extortion campaigns.
Botnet Composition and DDoS-for-Hire Model
Aisuru is estimated to control between 1 and 4 million compromised IoT devices, including routers, cameras, and other embedded systems with weak security configurations. The botnet is offered as a DDoS-for-hire service, allowing even low-skill attackers to rent massive attack capacity for relatively small amounts of cryptocurrency.
This model lowers the barrier to entry for DDoS attacks, enabling a wide range of actors, from script kiddies to organized crime groups, to launch large-scale attacks. The service often includes features such as attack duration selection, target IP specification, and real-time attack statistics, making it accessible and user-friendly for malicious actors.
Technical Mitigation and Defense Strategies
Cloudflare’s automated DDoS mitigation systems were able to absorb and filter the attack traffic without service disruption to customers. The mitigation relies on a globally distributed network of scrubbing centers, real-time traffic analysis, and machine learning models that distinguish between legitimate and malicious traffic patterns.
For organizations not using a large-scale DDoS protection provider, defending against such volumetric attacks is extremely challenging. Traditional on-premises firewalls and intrusion prevention systems are quickly overwhelmed by traffic volumes in the terabit range. Enterprises should therefore adopt a cloud-based, always-on DDoS protection service that can scale to absorb large attacks and provide automated mitigation without manual intervention.
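The "real-time traffic analysis" that a scrubbing provider performs starts from the same signals an on-premises flow collector can produce: bytes and packets per destination per window, the protocol mix, and the number of distinct sources. The code below is an added illustration, not Cloudflare's system or any vendor's code: it aggregates constructed flow-summary lines and flags a destination when the inbound rate, UDP share and source spread all cross thresholds in the same window (the threshold values are sized for the sample, not for production). It also computes the average packet size implied by the figures in this report, which at 29.7 Tbps and 14.1 Bpps works out to roughly 263 bytes.

```python
from collections import defaultdict


def avg_packet_bytes(bits_per_second, packets_per_second):
    """Average packet size implied by a reported bit rate and packet rate."""
    return bits_per_second / packets_per_second / 8


def parse_flows(text):
    """Parse constructed flow-summary lines: 'ts_sec src dst proto bytes packets'."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, nbytes, npkts = line.split()
        flows.append((int(ts), src, dst, proto, int(nbytes), int(npkts)))
    return flows


def aggregate(flows, window_sec=1):
    """Bucket flows by (window, destination), keeping the signals a volumetric detector uses:
    total bytes and packets, UDP share, and the number of distinct sources."""
    buckets = defaultdict(lambda: {"bytes": 0, "packets": 0, "udp_bytes": 0, "sources": set()})
    for ts, src, dst, proto, nbytes, npkts in flows:
        b = buckets[(ts // window_sec, dst)]
        b["bytes"] += nbytes
        b["packets"] += npkts
        if proto == "udp":
            b["udp_bytes"] += nbytes
        b["sources"].add(src)
    return buckets


def detect_volumetric(buckets, window_sec=1, bps_threshold=10_000_000, min_sources=3, udp_share=0.9):
    """Flag a destination when, within one window, inbound rate exceeds the threshold, traffic is
    overwhelmingly UDP, and it comes from at least min_sources distinct addresses. The threshold
    here is sized for the constructed sample; in production it would be derived from a per-prefix
    baseline rather than fixed."""
    alerts = []
    for (win, dst), b in sorted(buckets.items()):
        bps = b["bytes"] * 8 / window_sec
        share = b["udp_bytes"] / b["bytes"] if b["bytes"] else 0.0
        if bps >= bps_threshold and len(b["sources"]) >= min_sources and share >= udp_share:
            alerts.append({"window": win, "dst": dst, "bps": bps,
                           "pps": b["packets"] / window_sec, "sources": len(b["sources"])})
    return alerts


# Constructed flow records (not Cloudflare telemetry): a UDP flood against 203.0.113.10 ramps up
# in window 1 while ordinary TCP traffic to 203.0.113.20 continues.
SAMPLE_FLOWS = """\
0 198.51.100.7 203.0.113.10 udp 600000 1200
0 198.51.100.8 203.0.113.10 udp 900000 1800
0 192.0.2.5 203.0.113.20 tcp 120000 100
1 198.51.100.7 203.0.113.10 udp 1400000 2800
1 198.51.100.8 203.0.113.10 udp 2000000 4000
1 198.51.100.9 203.0.113.10 udp 1800000 3600
1 192.0.2.6 203.0.113.20 tcp 110000 90
"""

if __name__ == "__main__":
    print(f"implied average packet size: {avg_packet_bytes(29.7e12, 14.1e9):.0f} bytes")
    for alert in detect_volumetric(aggregate(parse_flows(SAMPLE_FLOWS))):
        print(alert)
```

Requiring all three conditions together is what keeps a single busy but legitimate source from tripping the rule; the point of the section stands, though, that detecting a terabit-scale flood on site is the easy part and absorbing it is not.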
Enterprise Preparedness and Response
Organizations should treat hyper-volumetric DDoS attacks as a realistic threat and ensure that their DDoS protection strategy is proactive rather than reactive. This includes subscribing to a reputable DDoS mitigation service, configuring DNS and routing to route traffic through the provider’s scrubbing centers, and regularly testing incident response plans for DDoS scenarios.
Additionally, enterprises should secure their own internet-facing infrastructure to prevent it from being recruited into botnets. This includes changing default credentials on IoT devices, applying firmware updates, disabling unnecessary services, and segmenting networks to limit the blast radius of compromised devices. Regular security assessments and penetration testing should include DDoS resilience as a key component.
BRICKSTORM: Golang Backdoor Used in Long-Term VMware and Windows Campaigns
Summary: A state-sponsored threat actor from the People’s Republic of China has been observed using a Golang-based backdoor named BRICKSTORM to maintain long-term persistence in VMware vSphere and Windows environments. The malware, often delivered via social engineering, enables data theft, lateral movement, and persistence across compromised networks, with a particular focus on financial institutions in Latin America.
Malware Architecture and Capabilities
BRICKSTORM is a modular backdoor written in Go, compiled for Windows and Linux, and designed to operate in both VMware vSphere and traditional Windows environments. The malware is typically delivered as a malicious ZIP file or installer, often sent via email from a compromised trusted contact, and executed through social engineering.
Once executed, BRICKSTORM establishes persistence through multiple mechanisms, including registry modifications, scheduled tasks, and service creation. It communicates with command-and-control servers using encrypted channels and supports a range of commands, including file upload/download, command execution, process manipulation, and desktop monitoring.
Attack Lifecycle and Lateral Movement
The attackers have demonstrated a long dwell time, with one victim environment compromised from April 2024 to September 2025. Initial access is typically gained through phishing emails containing malicious attachments or links, which deliver BRICKSTORM or a related payload such as Sorvepotel.
After initial compromise, the attackers focus on credential harvesting, privilege escalation, and lateral movement. They target vCenter servers, domain controllers, and ADFS servers to steal cryptographic keys and move laterally across the network. The use of AI tools and large language models to convert PowerShell scripts into more robust Python code has improved their automation, error handling, and evasion capabilities.
Targeting and Impact on Financial Sector
The campaign has a strong focus on banks and fintech companies in Latin America, where attackers use social engineering and AI-assisted malware to bypass traditional defenses. The stolen data includes sensitive financial information, customer data, and internal operational details, which can be used for fraud, espionage, or further attacks.
The long-term persistence and deep access to critical infrastructure components such as vCenter and ADFS make this campaign particularly dangerous. Organizations in the financial sector should assume that similar actors are actively targeting them and should implement defense-in-depth strategies that include strong identity and access management, network segmentation, and continuous monitoring for anomalous behavior.
Defensive Measures and Detection
Organizations should implement strict email filtering and user training to reduce the risk of phishing-based initial access. Endpoint detection and response solutions should be configured to detect suspicious process behavior, such as unusual child processes, command-line arguments, and network connections from VMware and Windows management tools.
Network segmentation should isolate critical systems such as vCenter, domain controllers, and ADFS servers, and access to these systems should be tightly controlled and logged. Regular audits of user accounts, service accounts, and privileged access should be conducted, and multi-factor authentication should be enforced for all administrative accounts. Threat hunting efforts should focus on identifying signs of BRICKSTORM or similar Golang-based backdoors in network traffic and endpoint telemetry.
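Two of the hunting tasks named in this section, recognising Go-built executables in endpoint telemetry and spotting the persistence and child-process patterns described for BRICKSTORM, can be expressed as simple rules. The script below is an added example, not the threat-intelligence source's tooling or any EDR product's logic. Part 1 looks for artefacts the Go linker leaves in every binary (the "Go build ID:" string, runtime symbol names, and the pclntab header magic values used by Go 1.2+, 1.16+, 1.18+ and 1.20+ toolchains). Part 2 applies rules to process-creation events for scheduled-task, service and Run-key persistence, for shells spawned by management tooling, and for executables run from user-writable paths. The binary blob, the event lines and the list of management-tool parent processes are constructed or assumed for the example and would be replaced by real samples and the estate's own baseline.

```python
import json
import re

# --- Part 1: static triage of a file for Go toolchain artefacts -----------------------------
GO_MARKERS = (b"Go build ID:", b"go.buildid", b"runtime.main", b"golang.org/")
# pclntab header magics (little-endian uint32 followed by two zero bytes) for Go 1.2+, 1.16+, 1.18+, 1.20+.
PCLNTAB_MAGICS = (b"\xfb\xff\xff\xff\x00\x00", b"\xfa\xff\xff\xff\x00\x00",
                  b"\xf0\xff\xff\xff\x00\x00", b"\xf1\xff\xff\xff\x00\x00")


def go_binary_indicators(data: bytes):
    """Return the Go artefacts found in raw file bytes (empty list if none)."""
    hits = [m.decode() for m in GO_MARKERS if m in data]
    if any(magic in data for magic in PCLNTAB_MAGICS):
        hits.append("pclntab-magic")
    return hits


# Constructed stand-in for a dropped PE file: an MZ header, a pclntab header, and Go runtime strings.
SAMPLE_BINARY = (b"MZ" + b"\x00" * 62 + b"\xf1\xff\xff\xff\x00\x00\x01\x08"
                 + b"Go build ID: \"constructed-example\"\x00runtime.main\x00")

# --- Part 2: persistence and management-tool hunting over process telemetry -----------------
MGMT_TOOLS = ("vmtoolsd.exe", "vpxd.exe", "mmc.exe")   # assumed parent list; tune to the estate
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\downloads\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def load_events(text):
    """Parse JSON-lines process-creation events with image, parent_image and cmdline fields."""
    return [json.loads(line) for line in text.strip().splitlines()]


def hunt(events):
    """Apply hunting rules to process-creation events; returns (rule, event_index) pairs."""
    findings = []
    for i, ev in enumerate(events):
        image, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"].lower()
        if image == "schtasks.exe" and "/create" in cmd:
            findings.append(("schtasks-create", i))
        elif image == "sc.exe" and re.search(r"\bcreate\b", cmd):
            findings.append(("service-create", i))
        elif image == "reg.exe" and "add" in cmd and RUN_KEY.search(cmd):
            findings.append(("run-key-add", i))
        elif parent in MGMT_TOOLS and image in SHELLS:
            findings.append(("mgmt-tool-spawns-shell", i))
        elif USER_WRITABLE.search(ev["image"]) and parent != "msiexec.exe":
            findings.append(("exec-from-user-writable-path", i))
    return findings


# Constructed telemetry: an archive-extracted executable sets up a task and a Run key, and a
# VMware Tools service process spawns a shell; the final event is ordinary user activity.
SAMPLE_EVENTS = r"""
{"parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice\\update.exe", "cmdline": "update.exe"}
{"parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice\\update.exe", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\alice\\AppData\\Local\\Temp\\invoice\\update.exe"}
{"parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice\\update.exe", "image": "C:\\Windows\\System32\\reg.exe", "cmdline": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d update.exe"}
{"parent_image": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
"""

if __name__ == "__main__":
    print("go indicators:", go_binary_indicators(SAMPLE_BINARY))
    for rule, idx in hunt(load_events(SAMPLE_EVENTS)):
        print(rule, "->", load_events(SAMPLE_EVENTS)[idx]["cmdline"])
```

Each rule on its own is noisy on a real estate (administrators create scheduled tasks, and VMware Tools legitimately runs scripts), so the useful output is the correlation: a Go-built file in a user-writable path that is the parent of persistence commands within minutes of landing. Chaining the two parts by image path, and adding the network-connection events the section mentions, is the natural next step.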