October 2025 Patch Tuesday: Microsoft Addresses 175 Vulnerabilities, Including 3 Exploited Zero-Days
[Update] CVE-2025-59287 Added to CISA KEV After Confirmed Exploitation
Microsoft has rolled out its October 2025 Patch Tuesday updates, addressing 175 security vulnerabilities across its product portfolio. The release includes 3 zero-day vulnerabilities actively exploited in the wild, 3 others publicly disclosed, and several critical-severity issues that demand immediate attention.
This month’s breakdown shows how widespread the fixes are:
- 83 Elevation of Privilege (EoP)
- 30 Remote Code Execution (RCE)
- 26 Information Disclosure
- 14 Spoofing
- 11 Denial of Service (DoS)
- 10 Security Feature Bypass
- 1 Tampering
- 1 Cross-Site Scripting (XSS)
The October update cycle underscores Microsoft’s continued focus on closing privilege escalation and code execution gaps that attackers frequently target. With active exploits already observed, organizations should prioritize patching the most severe vulnerabilities before threat actors can capitalize on them.
Zero-Day Vulnerabilities Fixed in October 2025 Patch Tuesday
This month’s Patch Tuesday addresses three zero-day vulnerabilities exploited in the wild. Two affect core Windows components, while the third – though not directly tied to Microsoft software – was assigned by MITRE and impacts environments running Linux-based IGEL OS. Together, they represent some of the most urgent flaws to patch in this update cycle.
CVE-2025-24990 (CVSS 7.8) – Agere Modem Driver Privilege Escalation
This vulnerability exists in the legacy ltmdm64.sys Agere Modem driver, still bundled with supported Windows systems despite its age. The flaw allows a local attacker to gain administrative privileges through an untrusted pointer dereference. Microsoft has removed the vulnerable driver entirely in this update, effectively retiring the component.
This issue demonstrates how outdated drivers can remain a viable attack surface long after their primary use has ended.

CVE-2025-24990 (SOCRadar Vulnerability Intelligence)
CVE-2025-59230 (CVSS 7.8) – Remote Access Connection Manager Privilege Escalation
The second actively exploited zero-day lies in the Remote Access Connection Manager, where improper access control allows attackers to escalate privileges to SYSTEM level. Microsoft confirmed real-world exploitation before patch release.
Bugs like this are often chained with code execution vulnerabilities to achieve full system compromise, making immediate patching essential across all Windows environments.

CVE-2025-59230 (SOCRadar Vulnerability Intelligence)
CVE-2025-47827 (CVSS 4.6) – Secure Boot Bypass in IGEL OS
Although not a Microsoft-assigned CVE, this vulnerability is relevant because of its impact on Windows Secure Boot mechanisms. Found in Linux-based IGEL OS before version 11, it stems from improper cryptographic signature verification within the igel-flash-driver module. By exploiting CVE-2025-47827, attackers could bypass Secure Boot protections, undermining system integrity.

CVE-2025-47827 (SOCRadar Vulnerability Intelligence)
According to reports, a Proof-of-Concept (PoC) exploit for CVE-2025-47827 has been public since May 2025, and researchers have observed attempts to weaponize it. Organizations running IGEL OS or hybrid Windows/Linux environments should treat this as a high-priority patch.
Publicly Disclosed Zero-Day Vulnerabilities
Beyond the three actively exploited zero-days, Microsoft has also patched three zero-day vulnerabilities that were publicly disclosed before today’s release. Although there’s no evidence of active exploitation, public availability of technical details makes them prime targets for future attacks.
- The first, CVE-2025-0033, affects AMD EPYC processors running Secure Encrypted Virtualization–Secure Nested Paging (SEV-SNP) and could allow a malicious or compromised hypervisor to alter protected memory mappings. Microsoft notes that fixes for Azure Confidential Computing clusters are still being developed.
- Another disclosure, CVE-2025-24052, involves the same Agere Modem driver seen in one of this month’s zero-days. While not yet exploited, it can still be abused for local privilege escalation – and since the vulnerable driver ships with all supported Windows versions, it remains a likely target going forward.
- Lastly, CVE-2025-2884 affects the TPM 2.0 reference implementation, where an out-of-bounds read in the CryptHmacSign function could leak cryptographic data. Devices relying on TPM modules for hardware-backed security should receive firmware-level patches from their vendors.
Administrators should treat these disclosures as high-risk pending issues: even without active exploitation reports, their public nature greatly increases exposure.
Gain Continuous Insight with SOCRadar Vulnerability Intelligence
Keeping pace with the growing number of disclosed vulnerabilities requires real-time visibility into what truly matters to your organization. SOCRadar’s Vulnerability Intelligence, part of its Cyber Threat Intelligence suite, empowers security teams to stay ahead of emerging threats through context-rich, up-to-date data on vulnerabilities and exploitation trends.
With SOCRadar, teams can:
- Filter and prioritize vulnerabilities by vendor, product, or severity to identify the most critical exposures.
- Assess exploit likelihood and correlate vulnerabilities with active threat campaigns.
- Track each vulnerability’s lifecycle, from disclosure to weaponization, enabling faster, data-driven remediation.

SOCRadar’s Vulnerability Intelligence: Latest CVEs & Hacker Trends
By integrating these insights into daily operations, organizations can shorten response times, strengthen patch management workflows, and maintain a proactive defense posture against newly emerging exploits.
Critical Vulnerabilities in the October 2025 Update
This month’s release includes a range of critical-severity flaws across Windows, Azure, Office, and other Microsoft components. Most of these can lead to remote code execution (RCE) or privilege escalation, and several carry CVSS scores above 9.0.
One of the most severe, CVE-2025-59287 (CVSS 9.8), is an RCE vulnerability in Windows Server Update Services (WSUS). It results from unsafe object deserialization in a legacy mechanism that allows an unauthenticated attacker to trigger code execution remotely.
ZDI warns that CVE-2025-59287 could be wormable between WSUS servers, making timely patching essential for any network relying on WSUS for update management.
Other high-impact vulnerabilities patched this month include:
- CVE-2025-49708 (CVSS 9.9) – Windows Graphics Component Remote Code Execution Vulnerability
- CVE-2025-59246 (CVSS 9.8) – Azure Entra ID Elevation of Privilege Vulnerability
- CVE-2025-59218 (CVSS 9.6) – Azure Entra ID Elevation of Privilege Vulnerability
- CVE-2025-59247 (CVSS 8.8) – Azure PlayFab Elevation of Privilege Vulnerability
- CVE-2025-59236 (CVSS 8.4) – Microsoft Excel Remote Code Execution Vulnerability
- CVE-2025-55321 (CVSS 8.7) – Azure Monitor Log Analytics Spoofing Vulnerability
- CVE-2025-59271 (CVSS 8.7) – Redis Enterprise Elevation of Privilege Vulnerability
- CVE-2025-59292 (CVSS 8.2) – Azure Compute Gallery Elevation of Privilege Vulnerability
- CVE-2025-59291 (CVSS 8.2) – Confidential Azure Container Instances Elevation of Privilege Vulnerability
- CVE-2025-59227 (CVSS 7.8) – Microsoft Office Remote Code Execution Vulnerability
- CVE-2025-59234 (CVSS 7.8) – Microsoft Office Remote Code Execution Vulnerability
- CVE-2025-59252 (CVSS 6.5) – M365 Copilot Spoofing Vulnerability
- CVE-2025-59272 (CVSS 6.5) – Copilot Spoofing Vulnerability
- CVE-2025-59286 (CVSS 6.5) – Copilot Spoofing Vulnerability
CVE-2025-59287 Added to CISA KEV After Confirmed Exploitation
CISA has added CVE-2025-59287, the Windows Server Update Services (WSUS) flaw, to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. Federal agencies are required to apply mitigations by November 14, 2025.
The flaw affects Windows servers configured as WSUS upstream sources, allowing unauthenticated attackers to execute arbitrary code with SYSTEM privileges and potentially trigger wormable behavior between WSUS servers. Microsoft released out-of-band patches on October 23, covering Windows Server 2012 through 2025, and advised admins who cannot immediately patch to disable the WSUS Server role.
According to Huntress Labs, attackers have begun scanning and exploiting exposed WSUS instances, often through ports 8530 and 8531, to perform reconnaissance and harvest network data via PowerShell commands. Public Proof-of-Concept (PoC) exploit code is also available, increasing the likelihood of continued targeting.
Microsoft later confirmed an issue affecting Hotpatch-enrolled Windows Server 2025 devices after installing the initial emergency patch (KB5070881), which caused them to lose Hotpatch eligibility. In an updated advisory, the company recommended installing the corrected KB5070893 update, which fixes the flaw without breaking Hotpatching.
Organizations using WSUS should patch all affected servers immediately and restrict external access to WSUS management ports.
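As an added example, not code from the SOCRadar post or from Microsoft's guidance: a PowerShell assessment script for a WSUS host that reports whether the WSUS Server role is installed, whether the host is listening on ports 8530/8531, and whether KB5070893 is recorded as installed, and that, with -RestrictPorts, scopes the existing inbound allow rules for those ports to an administrator-supplied source list as an interim control until the patch is applied. The allowed subnet is a constructed placeholder; the script assumes Windows Server with the ServerManager and NetSecurity modules and an elevated session.

```powershell
# Added example: assess a WSUS host for CVE-2025-59287 exposure (not from the original post).
param(
    # Constructed placeholder: replace with the client/downstream subnets that must reach WSUS.
    [string[]]$AllowedSources = @('10.0.0.0/8'),
    [switch]$RestrictPorts
)

$wsusPorts = '8530', '8531'   # default WSUS HTTP/HTTPS ports named in the post
$fixKb     = 'KB5070893'      # corrected out-of-band update named in the post

# 1. Is the WSUS Server role present? (Get-WindowsFeature only exists on Windows Server.)
$role          = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
$roleInstalled = [bool]($role -and $role.Installed)
Write-Host "WSUS Server role installed : $roleInstalled"

# 2. Is anything listening on the WSUS ports right now?
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $wsusPorts -contains $_.LocalPort } |
    Select-Object -ExpandProperty LocalPort -Unique
Write-Host ("Listening on WSUS ports    : " + $(if ($listening) { $listening -join ', ' } else { 'none' }))

# 3. Is the corrected update recorded? Get-HotFix reads the local update history only,
#    so treat 'False' as unconfirmed and cross-check with Windows Update or your patch tool.
$patched = [bool](Get-HotFix -Id $fixKb -ErrorAction SilentlyContinue)
Write-Host "$fixKb present            : $patched"

if ($roleInstalled -and -not $patched) {
    Write-Warning "WSUS role present and $fixKb not confirmed: patch now, or disable the WSUS Server role."

    if ($RestrictPorts) {
        # Scoping allow rules only helps when the profile's default inbound action is Block.
        Get-NetFirewallProfile | ForEach-Object {
            if ($_.DefaultInboundAction -ne 'Block') {
                Write-Warning "Profile $($_.Name) default inbound action is $($_.DefaultInboundAction); scoping is not effective there."
            }
        }
        # Find inbound allow rules whose port filter covers 8530/8531 and limit their remote addresses.
        $rules = Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
            Where-Object { @($_.LocalPort) | Where-Object { $wsusPorts -contains $_ } } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
        foreach ($r in $rules) {
            Set-NetFirewallRule -Name $r.Name -RemoteAddress $AllowedSources
            Write-Host "Scoped rule '$($r.DisplayName)' to: $($AllowedSources -join ', ')"
        }
        if (-not $rules) { Write-Host "No inbound allow rules for the WSUS ports were found." }
    }
}
```

Re-run the script after deploying KB5070893 and revert the rule scoping once the patch is confirmed, since narrowed rules will also block legitimate downstream WSUS servers outside the allowed ranges.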
Vulnerabilities Rated More Likely to Be Exploited
Alongside this month’s critical patches, Microsoft has identified several vulnerabilities as “more likely to be exploited” in real-world attacks. These flaws span multiple Windows components and currently have no official workarounds, making timely patching essential to minimize risk.
A few vulnerabilities already mentioned earlier – such as CVE-2025-59246 (Azure Entra ID), CVE-2025-59287 (WSUS RCE), and CVE-2025-24052 (Agere Modem driver) – also fall into this higher-risk category.
Other vulnerabilities that Microsoft believes could soon be targeted include:
- CVE-2025-55680 (CVSS 7.8) – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
- CVE-2025-55692 (CVSS 7.8) – Windows Error Reporting Service Elevation of Privilege Vulnerability
- CVE-2025-55694 (CVSS 7.8) – Windows Error Reporting Service Elevation of Privilege Vulnerability
- CVE-2025-58722 (CVSS 7.8) – Microsoft DWM Core Library Elevation of Privilege Vulnerability
- CVE-2025-59199 (CVSS 7.8) – Software Protection Platform (SPP) Elevation of Privilege Vulnerability
- CVE-2025-59502 (CVSS 7.5) – Remote Procedure Call Denial of Service Vulnerability
- CVE-2025-48004 (CVSS 7.4) – Microsoft Brokering File System Elevation of Privilege Vulnerability
- CVE-2025-55693 (CVSS 7.4) – Windows Kernel Elevation of Privilege Vulnerability
- CVE-2025-55681 (CVSS 7.0) – Desktop Windows Manager Elevation of Privilege Vulnerability
- CVE-2025-59194 (CVSS 7.0) – Windows Kernel Elevation of Privilege Vulnerability
- CVE-2025-55676 (CVSS 5.5) – Windows USB Video Class System Driver Information Disclosure Vulnerability
Apply the October 2025 Microsoft Security Updates
This month’s Patch Tuesday delivers important fixes for multiple actively exploited and high-severity vulnerabilities, making swift deployment essential to limit risk. The complete list of addressed CVEs can be found in Microsoft’s release notes.
October 2025 also marks a turning point for Windows 10, which receives its final free security updates this month. Those who need continued protection can extend coverage through Microsoft’s Extended Security Updates (ESU) program, offering limited support for up to three additional years.
Meanwhile, Windows 11 users faced a brief setback this month after the Patch Tuesday update (KB5066835) disrupted applications connecting to localhost (127.0.0.1) over HTTP/2, breaking tools such as Visual Studio debugging and Duo Desktop. Microsoft has since confirmed the issue and released a Known Issue Rollback (KIR) fix to restore normal functionality through Windows Update.

Monitor your digital assets and company vulnerabilities with SOCRadar’s ASM
To strengthen defenses beyond patching, SOCRadar’s Attack Surface Management (ASM) module provides continuous monitoring for exposed assets and new vulnerabilities. Pairing proactive visibility with timely updates helps organizations stay protected against fast-moving threats.