
If you use Windows, you've probably seen the update notification pop up over the last day or so. Don't ignore it. Microsoft just released its final security update of 2025, and it patches 56 security holes. One of the vulnerabilities is already being exploited in the wild, and two others were publicly known before Microsoft could patch them. That's not great, because it means your system could be at risk.
The One That's Already Being Exploited
The actively exploited flaw affects something called the Windows Cloud Files Mini Filter Driver (CVE-2025-62221). It’s basically a core Windows component that cloud storage services like Microsoft OneDrive, Google Drive, Dropbox, and Apple iCloud use. Even if you don't have any of those services, this component is still on your PC.
Here's what makes it dangerous: If a hacker can get even basic access to your computer through something like a phishing email or a sketchy website, they can use this flaw to take complete control of your system. It's like going from having a key to one room in a building to suddenly having the master key that opens everything.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is taking it seriously enough that they've ordered all federal agencies to patch by December 30.
Two Other Nasty Bugs
Microsoft also fixed two other security holes that were already public knowledge before patches became available:
A PowerShell vulnerability (CVE-2025-54100): This one lets attackers trick you into running a malicious PowerShell command, and a PowerShell command can basically make any change to Windows. If you've ever copied and pasted commands from the internet into PowerShell or Command Prompt (maybe to fix something), this is the kind of thing that could bite you. A malicious website could hide executable code in its pages that runs automatically when PowerShell retrieves them. The command looks innocent but actually runs malware in the background.
A bug in GitHub Copilot (CVE-2025-64671): This affects developers using the GitHub Copilot coding assistant with the JetBrains plugin. Attackers can manipulate the AI into running commands that bypass security protections. If you're not a developer, this one doesn't affect you directly, but it's part of a larger issue with AI tools that's worth being aware of.
In total, Microsoft patched 1,275 security flaws this year. That's the second year in a row they've crossed the 1,000-bug threshold, which gives you a sense of how complex Windows has become.
How to Get the Update
Windows usually installs security updates automatically, but you can force it to check right now to get patched faster.
Here's how:
- Open Settings (press Windows key + I key).
- Click "Windows Update".
- Click "Check for updates".
- Install whatever shows up and restart when Windows asks you to.
The update can take a while to install, sometimes 30 minutes or more. So, it might be a good time to take a walk or a lunch break.
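If you'd rather check from the command line, here is an added PowerShell script (not part of the article) that uses the Windows Update Agent built into Windows to list pending updates, flag the one carrying the CVE-2025-62221 fix, and show the most recently installed updates. It assumes an elevated PowerShell window on a PC that can reach Windows Update.

```powershell
# Added example, not from the article: list pending Windows updates, flag the
# one that fixes CVE-2025-62221, and show what was installed most recently.
# Run in an elevated PowerShell window on the PC you want to check.

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Ask Windows Update for updates that apply to this PC but are not yet installed.
# The search can take a minute or two while Windows talks to the update servers.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

if ($result.Updates.Count -eq 0) {
    Write-Host "No pending updates reported; Windows Update considers this PC current."
}

foreach ($update in $result.Updates) {
    $kbs  = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ", "
    $cves = @($update.CveIDs)   # CVEs Microsoft lists for this update, if any

    # Call out the update that closes the actively exploited Cloud Files flaw.
    $flag = ""
    if ($cves -contains "CVE-2025-62221") { $flag = "  <-- fixes the actively exploited Cloud Files flaw" }

    "{0} [{1}] {2}{3}" -f $update.MsrcSeverity, $kbs, $update.Title, $flag
    if ($cves.Count -gt 0) { "    CVEs: " + ($cves -join ", ") }
}

# After installing and restarting, the December 2025 rollup should appear near the top here.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

The script only reads the update state; installing still happens through the Settings steps above, so rerun it after the restart to confirm the patch landed.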
Bottom Line
This isn't one of those Windows updates you should skip and forget about. Hackers were already actively exploiting one of these flaws, and since it affects every Windows user, that alone is reason enough to install the update. Two others were publicly known before patches existed. One affects only a subset of users, but the other can affect anyone who clicks a bad link or mistypes a web address. As such, you're leaving yourself at risk if you put this off. The good news is that Windows Update usually handles this automatically, but it's worth manually checking to make sure the patch gets installed sooner rather than later.
[Image credits: Microsoft, Composited by Palash Volvoikar/Techlicious]