SANS Stormcast Wednesday, December 10th, 2025: Microsoft, Adobe, Ivanti, Fortinet, and Ruby Patches.

SANS Internet StormCast


Dec 10, 2025

AI Summary

The episode reviews the latest Patch Tuesday releases, highlighting Microsoft’s 57 fixes—including a privilege‑escalation bug in the Cloud Files Mini‑filters driver that’s already being exploited and new warnings for PowerShell’s Invoke‑WebRequest and AI co‑pilot integrations—while noting that the critical flaws this month are in Office and Outlook. Adobe’s lighter update addresses a dangerous arbitrary code execution issue in ColdFusion and code‑execution flaws in Acrobat Reader. Ivanti patches a high‑severity (CVSS 9.6) stored XSS vulnerability in Endpoint Manager admin sessions, and Fortinet warns of an authentication‑bypass bug in FortiCloud SSO that requires disabling the feature until patched. Finally, the ruby‑saml library receives a fix for a parser discrepancy that could cause inconsistent XML handling.

Episode Description

Microsoft Patch Tuesday

https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20December%202025/32550

https://helpx.adobe.com/security.html

https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024?language=en_US

https://fortiguard.fortinet.com/psirt/FG-IR-25-647

https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3

Show Notes

SANS Stormcast – Wednesday, December 10 2025

Microsoft, Adobe, Ivanti, Fortinet, and Ruby patches

Handler on Duty: Guy Bruneau


Microsoft Patch Tuesday

Microsoft released its regular monthly patches on Tuesday, addressing 57 flaws. Only three of these were rated critical. Highlights:

  • A privilege‑escalation vulnerability in the Microsoft Cloud Files Mini‑filters driver is already being exploited.

  • Two publicly disclosed, not‑yet‑exploited issues:

    • Invoke‑WebRequest PowerShell cmdlet – a warning is now shown when the -UseBasicParsing parameter is omitted, to prevent accidental code execution.

    • AI co‑pilot integrations (e.g., GitHub Copilot for JetBrains) – additional constraints added to limit potential malicious code execution.

The critical vulnerabilities this month are in Office and Outlook.
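The Invoke‑WebRequest change above only warns at run time; a defender will usually want to find the offending calls before scripts run. The following is an added example, not code from the ISC diary or from Microsoft: it uses PowerShell's own AST parser to list Invoke‑WebRequest (and its built‑in alias iwr) calls that omit -UseBasicParsing. The sample script text it scans is constructed for the example; the function name Find-UnsafeInvokeWebRequest is an assumption.

```powershell
# Added example: scan script text for Invoke-WebRequest calls without -UseBasicParsing.
# On Windows PowerShell 5.1 the default "full" parsing hands the response body to the
# Internet Explorer HTML engine; -UseBasicParsing avoids that path. PowerShell 7 always
# uses basic parsing, so this check is aimed at scripts that still run under 5.1.
using namespace System.Management.Automation.Language

function Find-UnsafeInvokeWebRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ScriptText,
        [string] $Path = '<inline>'
    )
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) {
        Write-Warning "$Path has $($errors.Count) parse error(s); results may be incomplete"
    }
    # The cmdlet and its built-in alias; downloaded scripts frequently use the alias.
    $targets = @('Invoke-WebRequest', 'iwr')
    $ast.FindAll({ param($node) $node -is [CommandAst] }, $true) |
        Where-Object { $targets -contains $_.GetCommandName() } |
        ForEach-Object {
            $cmd = $_
            # PowerShell accepts unambiguous parameter prefixes (-UseBasic), so match by prefix.
            $hasBasic = $cmd.CommandElements |
                Where-Object { $_ -is [CommandParameterAst] -and
                               'UseBasicParsing'.StartsWith($_.ParameterName, [StringComparison]::OrdinalIgnoreCase) }
            if (-not $hasBasic) {
                [pscustomobject]@{
                    Path = $Path
                    Line = $cmd.Extent.StartLineNumber
                    Call = $cmd.Extent.Text
                }
            }
        }
}

# Constructed sample script to scan (not real code from any product).
$sample = @'
$r = Invoke-WebRequest -Uri https://example.invalid/status          # flagged
$ok = iwr -UseBasicParsing -Uri https://example.invalid/feed       # fine
iwr https://example.invalid/page | Select-Object -Expand Content  # flagged
'@
Find-UnsafeInvokeWebRequest -ScriptText $sample -Path 'sample.ps1' | Format-Table -AutoSize
```

To scan a directory, feed each file through the same function, e.g. `Get-ChildItem -Recurse -Filter *.ps1 | ForEach-Object { Find-UnsafeInvokeWebRequest -ScriptText (Get-Content $_ -Raw) -Path $_.FullName }`.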


Adobe Patches

Adobe issued updates for five products (a lighter release). Two products are of particular interest:

  • ColdFusion – an arbitrary code execution vulnerability via an unconstrained file upload (potential web‑shell upload).

  • Acrobat Reader – code‑execution flaws typically exploited by malicious PDFs.


Ivanti Endpoint Manager Patches

Ivanti released patches for four vulnerabilities in Endpoint Manager. Notable:

  • Stored cross‑site scripting in admin sessions (CVSS 9.6) – could allow an attacker to hijack an administrator’s browser during an admin session.


Fortinet FortiCloud SSO Vulnerability

A cryptographic issue in FortiCloud single‑sign‑on authentication allows authentication bypass across all products configured with FortiCloud. Mitigation: disable FortiCloud SSO until the device is updated.


ruby‑saml Vulnerability

The Ruby SAML library received a fix for a parser discrepancy issue where different XML parsers interpret data inconsistently, leading to potential security problems. This patch completes the remediation of a similar vulnerability addressed a few months earlier.


Podcast Transcript


Hello and welcome to the Wednesday, December 10th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.



Well, today, of course, lots of patches to talk about. And first of all, Microsoft's Patch Tuesday for December. It was a lighter Patch Tuesday, only 57 vulnerabilities being addressed here. Only three of these vulnerabilities were rated as critical. And then we had one vulnerability that's already being exploited and two that are publicly disclosed.



Now, about the already being exploited vulnerability, that is a privilege escalation vulnerability in the Microsoft Cloud Files Mini‑filters driver, some of those driver issues. And yes, that's already being exploited. But again, only a privilege escalation vulnerability.



The publicly known but not yet exploited vulnerabilities. Well, actually, the first one, Invoke‑WebRequest, the PowerShell function that's often used maliciously, but of course, also in benign scripts. The problem here is that by default, you may actually execute code here. So there is this -UseBasicParsing parameter. And what they changed here was that if you just use Invoke‑WebRequest, you'll actually get a warning telling you that you are here at the risk of actually executing code unless you add the -UseBasicParsing parameter. So really just clarified how to use this particular PowerShell function.



And then the second already known vulnerability. It's a really sort of a class of vulnerabilities that we have seen, of course, quite frequently lately. And that's all these AI co‑pilots. As you let them take over your IDE, your development environment, you, of course, run the risk that they'll overstep their bounds and will actually execute code. And of course, in some cases, an attacker may have some control over the code being executed here. And the GitHub Copilot plugin for JetBrains. So JetBrains is not Microsoft, but a company that makes a lot of integrated development environments. And then, of course, Microsoft is responsible for the Copilot part that plugs into JetBrains. And that's sort of where they added some additional constraints. We'll see how well they work to prevent some of these malicious code executions.



Now, none of these vulnerabilities is rated critical. The critical ones are in Office and Outlook. So your good old Outlook Office vulnerabilities we have every month. And with that, I don't really think that is a terribly exciting Patch Tuesday. Even like these three known and already exploited vulnerabilities aren't really that terribly big of a deal.



Next company to always release updates on Patch Tuesday is Adobe. And we got updates for five products, which is on the lighter side for Adobe. But two of these products are sort of on my watch list of likely to be exploited products. One: ColdFusion. And we do have a big vulnerability here. An arbitrary code execution due to an unconstrained file upload. So very likely something where an attacker could upload some kind of web shell.



The second product, Acrobat Reader. Also some code execution vulnerabilities being addressed here. And then again, that's typically being exploited by sending a malicious PDF to the victim.



And Ivanti also jumped in here on Patch Tuesday. This time again with an update for Endpoint Manager. One interesting vulnerability here. Stored cross‑site scripting in admin sessions. And this one rates with a CVSS score of 9.6. Certainly something where an attacker could do quite a bit of damage if they can essentially remote control an administrator's browser as part of an admin session.



Fortinet is warning of an authentication bypass vulnerability that affects its FortiCloud single sign‑on login. This affects all products that are configured with FortiCloud. The mitigation here is, well, to turn it off until you update your device. Looks like some kind of cryptographic issue. Maybe algorithm confusion or something like that. And that's very common in these single sign‑on systems if they haven't been validated properly or if they're using some outdated library, which often leads to these types of vulnerabilities.



And I have no idea if Fortinet's software is written in Ruby. But we also had a patch today for the Ruby SAML library. Apparently, this is sort of one of those parser discrepancy issues where different XML parsers interpret data slightly differently. That often leads to vulnerabilities where, for example, username or claims aren't parsed properly or are parsed differently in different parsers. They had a similar vulnerability a couple of months ago and didn't completely fix it. So this is really just an additional fix for that older vulnerability to hopefully this time completely mitigate it.



Well, and this is it for today. Thanks for listening. I would really appreciate a comment in the Apple Podcasts app. And that's it for today. Talk to you again tomorrow. Bye.

