![\"Microsoft](\"https:\/\/www.europesays.com\/ie\/wp-content\/uploads\/2025\/12\/1765724772_863_0x0.jpg\")
<\/p>\n<\/p>\n
Microsoft confirmed 41 zero-day vulnerabilities during 2025<\/p>\n
Getty Images<\/p>\n
It has only been a matter of days since the U.S. Cybersecurity and Infrastructure Security Agency confirmed that Windows users were under attack from two zero-day exploits and urged federal users to update immediately. Here\u2019s the thing, though, as a new report revealed a total of 41 Microsoft zero-day vulnerabilities across 2025 that had been addressed in Patch Tuesday rollouts, others remain unpatched at the time of writing. Yes, you read that right. So, millions of Microsoft users have a security update choice to make: Is relying upon Patch Tuesday enough?<\/p>\n
ForbesMicrosoft Worm Attack Warning \u2014 Act Rapidly And Change Passwords NowBy Davey Winder<\/a>Microsoft Patched 41 Zero-Days \u2014 But It\u2019s Not Good Enough<\/p>\n A new Tenable report<\/a> has confirmed that Microsoft detailed and addressed more than 1,100 vulnerabilities during 2025 Patch Tuesday rollouts. That number included a total of 41 zero-day vulnerabilities. Of these, 24 were known to have been exploited in the wild at the time of the updates. Microsoft distinguishes<\/a> between vulnerabilities that have been disclosed before a fix is available and those that have already been exploited, using the terms zero-day vulnerability and zero-day exploit.<\/p>\n However you define them, zero-days are never to be ignored. The stakes are, frankly, much too high. That goes for consumers and enterprises alike, as data of all denominations is valuable to cybercriminal hackers. When America\u2019s Cyber Defense Agency confirmed<\/a> that not only was the CVE-2025-62221 Windows cloud files mini-filter driver escalation-of-privilege vulnerability being actively exploited, but also CVE-2025-6218, a WinRAR issue that only impacts Windows users and was patched in July, it served to highlight both the seriousness and problems of patching zero-days. The December Patch Tuesday rollout fixed the first, but Windows users were not protected from the second unless they updated the application itself.<\/p>\n OK, so you might say that\u2019s a bit of a stretch, Microsoft cannot be expected to address security issues in third-party applications. But what about its own zero-days that are left unpatched by official updates for far too long? Security researchers have just revealed that, while analyzing an already patched Windows Remote Access Connection Manager privilege escalation vulnerability, CVE-2025-59230, a new zero-day emerged<\/a>. The original vulnerability was patched by Microsoft in October, while a company spokesperson told me that the latest one would be addressed by \u201ca future fix.\u201d<\/p>\n And that, dear reader, is where your decision comes to the fore. Do you wait for Microsoft<\/a> to release a zero-day patch, whether that is by way of an out-of-band update, not a scheduled Patch Tuesday release, in other words, or do you make the choice to proactively protect your networks, devices and data by using an alternative patching service?<\/p>\n ForbesMicrosoft Silently Activates Critical Windows Security UpdateBy Davey Winder<\/a>Microsoft Users Must Now Decide If Patch Tuesday Is Protection Enough<\/p>\n The Windows RasMan zero-day I just mentioned is a great example to use when it comes to the patching choice facing Microsoft users. Are you happy to leave it in Microsoft\u2019s hands and wait until it eventually drops a patch, or should you get proactive and patch it now? The latter is certainly possible, and for many otherwise exposed users it could be considered a must. You can read the report on that zero-day in an analysis<\/a> published by the co-founder of the 0patch service, Mitja Kolsek. And it\u2019s this service that provides the alternative, or rather an accompanying, solution to the zero-day patching problem.<\/p>\n