Threat intel · 5 MIN READ · BEN NAHORNEY AND MATT JASTRAM · DEC 10, 2025 · TAGS: vulnerability prioritization
TL;DR
- December’s Patch Tuesday includes 57 CVEs, with one actively exploited zero-day vulnerability (CVE-2025-62221) that allows privilege escalation to SYSTEM and has been added to CISA’s KEV catalog.
- Two additional publicly disclosed zero-days affect GitHub Copilot for JetBrains (CVE-2025-64671) and PowerShell (CVE-2025-54100); both enable code execution and need immediate attention.
- EPSS scores saw massive volatility in late November: nearly 5,000 CVEs had their score rise by 10% or more over a two-day period, which shows why exploit likelihood should be monitored alongside traditional exploitation evidence.
As we wrap up 2025, December’s Patch Tuesday has arrived. With many teams preparing for holiday schedules, it’s important to address critical vulnerabilities before everyone winds down for the year. So while you’re making your (patching) list and checking it twice, here are the CVEs we think deserve prioritization.
Patch Tuesday: December 9, 2025
This month’s release covers 57 CVEs, among them three zero-day vulnerabilities, one of which is being actively exploited in the wild, and three Critical remote code execution (RCE) vulnerabilities.
- Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability (CVE-2025-62221): This use-after-free (UAF) vulnerability has been actively exploited in the wild. The flaw resides in the Windows Cloud Files Mini Filter Driver (cldflt.sys), used by OneDrive and other cloud sync clients. The driver runs in kernel mode, so memory-safety bugs in it are particularly concerning. A local attacker with low privileges can use this vulnerability to escalate to SYSTEM and take full control of the host. The vulnerability has a CVSS score of 7.8 and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
- GitHub Copilot for JetBrains Remote Code Execution Vulnerability (CVE-2025-64671): This publicly disclosed vulnerability, dubbed “IDEsaster” by security researcher Ari Marzuk, who discovered it, affects developers using GitHub Copilot in JetBrains IDEs. It abuses a feature that lets certain commands run without prompting the user each time: an attacker can append unapproved commands to an auto-approved one, and the whole string executes automatically on the local system. Until the fix is rolled out, review what is on the auto-approve list and treat untrusted repositories and prompts as attacker-controlled input.
- PowerShell Remote Code Execution Vulnerability (CVE-2025-54100): This vulnerability affects PowerShell’s handling of web content. When PowerShell fetches a web page that contains embedded script, it may inadvertently execute that script rather than just retrieve the page, and the script runs with the permissions of the user who ran the PowerShell command. Microsoft hasn’t patched this per se; it has added a warning and recommends using basic parsing (the `-UseBasicParsing` switch on `Invoke-WebRequest`), which returns the response body as text instead of loading it into an HTML parser. We ourselves recommend restricting which users can run PowerShell at all. Many of today’s attacks trick users into executing PowerShell, and it’s best to cut off that avenue of exploitation by applying the principle of least privilege (PoLP).
- Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability (CVE-2025-64678): This one is particularly concerning because RRAS often terminates VPN traffic and sits at the network perimeter. It is a heap-based buffer overflow: an attacker sends specially crafted packets that, when processed by RRAS, overwrite adjacent memory because of improper validation. That could let a threat actor hijack control flow and run arbitrary code in the RRAS process, which runs as SYSTEM. If you are not actually using RRAS on a given server, confirm the service is disabled rather than leaving it unpatched and reachable.
The winds of change: EPSS November score fluctuations and vulnerability exploit risk factors
As many geared up for Thanksgiving weekend, the Exploit Prediction Scoring System (EPSS) was busy: thousands of CVEs saw their score rise by 10% or more. EPSS, maintained by FIRST, is a data-driven model that estimates the probability that a vulnerability will be exploited in the wild in the next 30 days, expressed as a value between 0 and 1 (usually shown as a percentage) together with a percentile rank. The higher the score, the more likely a threat actor will use the vulnerability. Many vulnerability scanners have integrated EPSS scores into their user interfaces. The model combines current CVE metadata with a mix of real-world exploitation data sources.
So why was there such significant EPSS score volatility on two dates in November? There was no public statement from EPSS. One could theorize that scores were recalibrated from a combination of new exploitation events and updated intelligence feeds, with the model then normalizing the scores of individual CVEs.
The point of using EPSS is to surface exploit risk factors and highlight critical threats so that the IT teams responsible can prioritize remediation.
So how many EPSS score increases of 10% or more did we see in late November? On November 18 there were 2,677, and on November 21 another 2,155, for 4,832 changed scores in total. There were a few patterns (listed below), but the November 21 changes actually recalibrated some of the November 18 ones: in some cases large jumps were reversed, bringing scores back in line. Still, 4,832 changes are hard to keep up with, and the shift shows that many vulnerabilities deserve more urgent prioritization. The practical lesson is to act on the net change across the window rather than on a single day’s spike. Overall, EPSS score movements, combined with evidence of exploitation in the wild, continue to supply the risk factors needed to drive remediation.
Below are some highlighted EPSS scoring trends for these two days, and some trends we’ve noticed over the last couple of months.
| Date of changes | EPSS scores that rose by +10% or more | Notable data points |
|---|---|---|
| 2025-11-21 | 2,155 | |
| 2025-11-18 | 2,677 | |
| November 2025 | 5,502 | |
| October 2025 | 1,508 | |
| April 2025 to October 2025 | 3,005 | |
| 2025-03-17 | 10,973 | Coincides with the release of the EPSS v4 model |
Since thousands of changes occurred over the two-day period, we reviewed some of the major ‘high’ scores (85%-94%) in the table below. Alongside the old and new EPSS score, each row carries the risk factors we use to prioritize remediation: GreyNoise observations of malicious actor IPs, CISA KEV listing, the number of public PoCs, and whether in-the-wild exploitation has been reported.
| # | Vendor / product | Vulnerability | CVE | New EPSS score | Old EPSS score | GreyNoise (malicious actor IPs) | CISA KEV | PoCs | In-the-wild exploits |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Google libwebp | Out-of-bounds memory write via a crafted HTML page | CVE-2023-4863 | 94.17% | 80.52% | 0 IPs | Yes | 3 | Yes |
| 2 | Hoverfly | Arbitrary file read | CVE-2024-45388 | 93.59% | 82.06% | 21 IPs | No | 1 | Yes |
| 3 | ChatGPT-Next-Web | Exposure of sensitive information | CVE-2021-33558 | 93.38% | 75.08% | 0 IPs | No | 2 | No |
| 4 | VMware vCenter | Remote code execution | CVE-2023-34048 | 93.02% | 78.37% | 35 IPs | Yes | 1 | Yes |
| 5 | Next.js Middleware | Authentication bypass | CVE-2025-29927 | 92.95% | 82.78% | 0 IPs | No | 4 | Yes |
| 6 | RARLAB WinRAR | Arbitrary code execution | CVE-2023-40477 | 92.80% | 23.37% | 0 IPs | No | 2 | Yes |
| 7 | Apple, Debian, NetApp & zlib | Buffer overflow | CVE-2022-37434 | 92.68% | 27.76% | 0 IPs | No | 4 | No |
| 8 | OpenSSL | Denial of service (DoS) | CVE-2023-2650 | 92.02% | 25.52% | 27 IPs | No | 1 | No |
| 9 | VMware | Directory traversal | CVE-2019-3799 | 91.32% | 20.32% | 0 IPs | No | 3 | No |
| 10 | Windows TCP/IP | Remote code execution | CVE-2024-38063 | 90.35% | 74.40% | 0 IPs | No | 4 | Yes |
| 11 | Apple iOS | Arbitrary code execution | CVE-2023-41064 | 89.61% | 20.10% | 0 IPs | Yes | 1 | Yes |
| 12 | Node.js llhttp parser | HTTP request smuggling (HRS) | CVE-2022-32213 | 89.07% | 2.28% | 0 IPs | No | 1 | Yes |
| 13 | Veeam | Remote code execution | CVE-2024-40711 | 88.55% | 74.36% | 0 IPs | Yes | 1 | Yes |
| 14 | Node.js llhttp parser | HTTP request smuggling (HRS) | CVE-2022-32215 | 88.11% | 1.69% | 0 IPs | No | 1 | Yes |
| 15 | Debian & FreeType | Arbitrary code execution | CVE-2025-27363 | 87.67% | 74.78% | 0 IPs | Yes | 2 | Yes |
| 16 | PHP PHAR | XSS (cross-site scripting) | CVE-2018-5712 | 87.61% | 10.87% | 0 IPs | No | 1 | No |
| 17 | Windows TCP/IP | Remote code execution | CVE-2020-16898 | 86.78% | 32.35% | 0 IPs | No | 4 | No |
| 18 | VMware vCenter | Remote code execution | CVE-2024-38812 | 85.80% | 75.07% | 0 IPs | Yes | 1 | Yes |
Note: The EPSS scores are regularly fluctuating. Some may have even changed since the time of our analysis.
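To make two of the ideas above concrete, the day-over-day counting of score rises of 10% or more (including November 21 recalibrations that undid some November 18 jumps) and the pairing of EPSS with KEV, PoC and in-the-wild evidence in the table, here is an added Python example. It is not code from the original post or from the EPSS project. The three daily snapshots are constructed in the column layout of the public EPSS CSV export (CVE IDs taken from this article, scores invented), the “+10%” threshold is read as ten points on the 0-1 probability scale, and the risk-factor flags for CVE-2025-64678 are assumed since it has no row in the table.

```python
import csv
import io
from dataclasses import dataclass

JUMP = 0.10  # ten points on the 0-1 probability scale: our reading of "+10%"

# Constructed snapshots in the layout of the public EPSS daily CSV export
# ('#model_version' comment line, then cve,epss,percentile). CVE IDs come
# from the article's tables; the scores are invented for illustration only.
SNAPSHOT_11_17 = """\
#model_version:v2025.03.14,score_date:2025-11-17T00:00:00+0000
cve,epss,percentile
CVE-2022-32213,0.0228,0.85
CVE-2024-38812,0.7507,0.99
CVE-2025-29927,0.8278,0.99
CVE-2025-64678,0.0100,0.70
"""
SNAPSHOT_11_18 = """\
#model_version:v2025.03.14,score_date:2025-11-18T00:00:00+0000
cve,epss,percentile
CVE-2022-32213,0.8907,0.99
CVE-2024-38812,0.8580,0.99
CVE-2025-29927,0.8278,0.99
CVE-2025-64678,0.4500,0.97
"""
SNAPSHOT_11_21 = """\
#model_version:v2025.03.14,score_date:2025-11-21T00:00:00+0000
cve,epss,percentile
CVE-2022-32213,0.8907,0.99
CVE-2024-38812,0.8580,0.99
CVE-2025-29927,0.9295,0.99
CVE-2025-64678,0.0200,0.80
"""

@dataclass(frozen=True)
class RiskFactors:
    """Exploit evidence the article pairs with EPSS in its risk-factor table."""
    cisa_kev: bool = False
    in_the_wild: bool = False
    public_pocs: int = 0
    greynoise_ips: int = 0

# Flags as listed in the article's table; CVE-2025-64678 (this month's RRAS
# bug) has no row there, so its entry is constructed.
RISK_FACTORS = {
    "CVE-2022-32213": RiskFactors(in_the_wild=True, public_pocs=1),
    "CVE-2024-38812": RiskFactors(cisa_kev=True, in_the_wild=True, public_pocs=1),
    "CVE-2025-29927": RiskFactors(in_the_wild=True, public_pocs=4),
    "CVE-2025-64678": RiskFactors(),
}

def parse_epss_csv(text: str) -> dict[str, float]:
    """Parse an EPSS daily CSV into {cve: probability}, skipping '#' comment lines."""
    rows = csv.DictReader(ln for ln in io.StringIO(text) if not ln.startswith("#"))
    return {row["cve"]: float(row["epss"]) for row in rows}

def score_jumps(before: dict[str, float], after: dict[str, float],
                threshold: float = JUMP) -> dict[str, tuple[float, float]]:
    """{cve: (old, new)} for CVEs that rose by >= threshold between two snapshots.
    CVEs present in only one snapshot are skipped, not treated as a jump from 0."""
    return {cve: (before[cve], after[cve]) for cve in before.keys() & after.keys()
            if after[cve] - before[cve] >= threshold}

def classify_window(snapshots: list[dict[str, float]],
                    threshold: float = JUMP) -> dict[str, str]:
    """Label each CVE that jumped on any day of the window by its net change:
    'sustained' (net rise >= threshold) or 'reversed' (a spike later recalibrated
    away; treat as noise). Only CVEs present in the first and last snapshot count."""
    first, last = snapshots[0], snapshots[-1]
    jumped: set[str] = set()
    for day_before, day_after in zip(snapshots, snapshots[1:]):
        jumped.update(score_jumps(day_before, day_after, threshold))
    return {cve: "sustained" if last[cve] - first[cve] >= threshold else "reversed"
            for cve in sorted(jumped) if cve in first and cve in last}

def prioritize(scores: dict[str, float], factors: dict[str, RiskFactors],
               labels: dict[str, str]) -> list[str]:
    """Remediation order: CISA KEV, then in-the-wild exploitation, then any public
    PoC or GreyNoise scanning IPs, then a sustained (not reversed) rise, then score."""
    def key(cve: str):
        rf = factors.get(cve, RiskFactors())
        return (rf.cisa_kev, rf.in_the_wild, rf.public_pocs > 0 or rf.greynoise_ips > 0,
                labels.get(cve) == "sustained", scores.get(cve, 0.0))
    return sorted(scores, key=key, reverse=True)

DAY_17, DAY_18, DAY_21 = (parse_epss_csv(s) for s in
                          (SNAPSHOT_11_17, SNAPSHOT_11_18, SNAPSHOT_11_21))

if __name__ == "__main__":
    labels = classify_window([DAY_17, DAY_18, DAY_21])
    print("jumped 17->18:", sorted(score_jumps(DAY_17, DAY_18)))
    print("jumped 18->21:", sorted(score_jumps(DAY_18, DAY_21)))
    for cve in prioritize(DAY_21, RISK_FACTORS, labels):
        print(f"{cve}  epss={DAY_21[cve]:.4f}  {labels.get(cve, 'no jump')}")
```

Run the file directly to print the per-day jumps and the resulting remediation order. In practice, replace the inline snapshots with consecutive daily exports from FIRST’s EPSS data feed, and feed the “reversed” label back into ticketing so that a spike the model later recalibrates away (the constructed CVE-2025-64678 case here) does not trigger an emergency patch cycle, while a KEV-listed CVE stays at the top regardless of how small its EPSS movement was.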
Identifying exploit risk factors and taking action on vulnerability remediation demonstrates maturity in your company’s vulnerability management program. It’s critical to monitor exploit risk factors to ensure you’re addressing exploit risk before threat actors do. Please reach out if you have any questions or would like to discuss simple practices to address vulnerability exploit risk in your infrastructure.
