Microsoft’s Patch Tuesday October 2025 included fixes for 175 vulnerabilities, including three exploited zero-days and 13 additional high-risk vulnerabilities.
The three zero-days under attack were quickly added to CISA’s Known Exploited Vulnerabilities (KEV) database.
One of those vulnerabilities is CVE-2025-59230, a 7.8-severity Elevation of Privilege vulnerability in Windows Remote Access Connection Manager. Microsoft notes that “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) were credited with the vulnerability discovery.
The second zero-day added to CISA KEV is CVE-2025-24990, a 7.8-rated Elevation of Privilege vulnerability in Windows Agere Modem Driver, a third-party driver that ships natively with supported Windows operating systems. The ltmdm64.sys driver has been removed in the October cumulative update.
“Fax modem hardware dependent on this specific driver will no longer work on Windows,” Microsoft noted, adding that users should remove “any existing dependencies on this hardware.”
CVE-2025-47827, a 4.6-rated Secure Boot bypass in IGEL OS before 11, was also labeled “exploitation detected” by Microsoft and added to the CISA KEV database.
The October 2025 update is also the last for Windows 10, which has reached end-of-life and is no longer supported.
Other vendors issuing Patch Tuesday fixes today include Ivanti, Adobe, Fortinet, Veeam and SAP. The SAP updates include two maximum-severity SAP NetWeaver fixes.
Patch Tuesday October 2025: Two 9.8 Vulnerabilities
The 13 Microsoft vulnerabilities labeled “exploitation more likely” included two 9.8-severity vulnerabilities.
CVE-2025-59287 is a 9.8-rated Remote Code Execution vulnerability in Windows Server Update Service (WSUS).
“Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network,” Microsoft said. “A remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in remote code execution.”
The attack complexity is low and it requires no privileges or user interaction. Microsoft acknowledged “MEOW” for the contribution, with no other identifying information
CVE-2025-59246 is a 9.8-rated Azure Entra ID Elevation of Privilege vulnerability that requires no customer action to resolve, Microsoft credited Dylan Ryan-Zilavy for the find.
Other High-risk Vulnerabilities
The other 11 Microsoft vulnerabilities at elevated risk of exploitation include:
CVE-2025-24052, a 7.8-rated Windows Agere Modem Driver Elevation of Privilege vulnerability
CVE-2025-59199, a 7.8-severity Software Protection Platform (SPP) Elevation of Privilege vulnerability. “Improper access control in Software Protection Platform (SPP) allows an authorized attacker to elevate privileges locally,” Microsoft noted.
CVE-2025-58722, a 7.8-rated Microsoft DWM Core Library Elevation of Privilege vulnerability. The heap-based buffer overflow vulnerability could allow an authorized attacker to elevate privileges locally.
CVE-2025-55694, a 7.8-severity Windows Error Reporting Service Elevation of Privilege vulnerability involving improper access control, which could allow an authorized attacker to elevate privileges locally.
CVE-2025-55692, a 7.8-rated Windows Error Reporting Service Elevation of Privilege vulnerability involving improper input validation, which could allow an authorized attacker to elevate privileges locally.
CVE-2025-55680, a 7.8-severity Windows Cloud Files Mini Filter Driver Elevation of Privilege vulnerability. A time-of-check time-of-use (TOCTOU) race condition could allow an authorized attacker to elevate privileges locally.
CVE-2025-59194, a 7.0-rated Windows Kernel Elevation of Privilege vulnerability. Use of an uninitialized resource in the Windows Kernel could allow an authorized attacker to elevate privileges locally.
CVE-2025-59502, a 7.5-severity Remote Procedure Call Denial of Service vulnerability. Uncontrolled resource consumption in Windows Remote Procedure Call could allow an unauthorized attacker to deny service over a network.
CVE-2025-55693, a 7.4-rated Elevation of Privilege/Use After Free vulnerability in Windows Kernel could allow an unauthorized attacker to elevate privileges locally.
CVE-2025-48004, a 7.4-severity Elevation of Privilege/Use After Free vulnerability in the Microsoft Brokering File System could allow an unauthorized attacker to elevate privileges locally.
CVE-2025-55681, a 7.0-rated Desktop Windows Manager (DWM) Elevation of Privilege/ Out-of-Bounds Read vulnerability could allow an authorized attacker to elevate privileges locally.
