For more details check this article: Trending Issue: SharePoint fixes fail to install after installation of September 2025 CU
Below are the security fixes for the SharePoint OnPrem versions released this month.
SharePoint Server 2016:
- KB 5002821 – SharePoint Server 2016 (language independent)
- KB 5002804 – SharePoint Server 2016 (language dependent)
Microsoft Support recommends installing the complete December 2025 CU for SharePoint 2016 rather than individual security fixes.
SharePoint Server 2019:
- KB 5002816 – SharePoint Server 2019 (language independent)
- KB 5002802 – SharePoint Server 2019 (language dependent)
Microsoft Support recommends installing the complete December 2025 CU for SharePoint 2019 rather than individual security fixes.
SharePoint Server Subscription Edition:
- KB 5002815 – SharePoint Server Subscription Edition
This security fix is identical to the December 2025 CU for SharePoint Server Subscription Edition.
Office Online Server:
- KB 5002817 – Office Online Server
Security Vulnerabilities fixed in this PU
| Vulnerability | SP 2016 | SP 2019 | SP SE | OOS | Impact | Max Severity |
|---|---|---|---|---|---|---|
| CVE-2025-62555 | x | x | Remote Code Execution | Important | ||
| CVE-2025-62556 | x | Remote Code Execution | Important | |||
| CVE-2025-62558 | x | x | Remote Code Execution | Important | ||
| CVE-2025-62559 | x | x | Remote Code Execution | Important | ||
| CVE-2025-62560 | x | Remote Code Execution | Important | |||
| CVE-2025-62561 | x | Remote Code Execution | Important | |||
| CVE-2025-62562 | x | x | Remote Code Execution | Important | ||
| CVE-2025-62563 | x | Remote Code Execution | Important | |||
| CVE-2025-62564 | x | Remote Code Execution | Important | |||
| CVE-2025-64672 | x | Spoofing | Important |

Hi Stefan, thanks for this post regarding December 2025 PU. Especially the CVE summary is very useful! In the official “Notification – Microsoft Security Update Release for December 2025” the severity for SharePoint is marked as “Critical”. In your summary all the CVEs have max severity “Important”. Why is there this (in my opinion) mismatch?
Hi Reto,
CVE-2025-62562 for SP2016 was first incorrectly marked as critical – this has been corrected meanwhile.
I assume this is the reason for the notification.
If you check the individual CVE articles you can see that all of them are “Important”.
Cheers,
Stefan
Wow, thanks for the quick reply and clarification.
Hi Stefan, is there a SharePoint Workflow Manager or Workflow Manager Client Update for December 2025?
Hi David, no – November CU is the most recent one.
Cheers,
Stefan
Subscription Edition
Anyone getting the “unable to create a service connection point in the current active directory domain” error when running psconfig on this December 2025 PU?