Plus critical critical Notepad++, Ivanti, and Fortinet updates, and one of these patches an under-attack security hole

Happy December Patch Tuesday to all who celebrate. This month's patch party includes one Microsoft flaw under exploitation, plus two others listed as publicly known – but just 57 CVEs in total from Redmond.

There's also a fix for a critical Notepad++ bug that, according to security sleuth Kevin Beaumont, is being abused by attackers in China.

Plus, software security vendors Ivanti and Fortinet both issued patches for critical security holes in their products, so those two should be high on sys-admins' and security teams' list of things to do today.

Microsoft patches

Let’s start our look at Microsoft's relatively quiet final patch-a-thon for 2025 by considering CVE-2025-62221, a 7.8-CVSS-rated Windows Cloud Files Mini Filter Driver vulnerability that allows an authorized attacker to elevate privileges locally.

This one was exploited as a zero-day, according to Redmond, and while we don't yet know who is abusing ...