Microsoft has rolled out a large Patch Tuesday update bundle for October 2025, addressing 175 vulnerabilities. The updates are important because they fix several critical-severity issues and zero-day flaws. They are also the last scheduled updates for most Windows 10 editions (Home, Pro, and Enterprise), which now reach end of life.
At least 3 Zero-Days, 16 Critical Security Fixes Released
With October Patch Tuesday, Microsoft has addressed three zero-day vulnerabilities, of which two were publicly disclosed and one was exploited before a patch could arrive. All three vulnerabilities received a CVSS score of 7.8 with an important severity rating. Here is a quick breakdown of these vulnerabilities.
- CVE-2025-24990: A privilege escalation vulnerability in the Agere Modem driver, which ships natively with Windows, so every Windows system was exposed. Exploitation did not require the modem to be in use and gave an adversary admin privileges. Microsoft confirmed detecting active exploitation of this vulnerability and addressed the flaw by removing the ltmdm64.sys driver with the October update.
- CVE-2025-24052: Another privilege escalation vulnerability in the Agere Modem driver that gave an attacker admin privileges. While Microsoft confirmed detecting no active exploitation of this flaw, it acknowledged that the vulnerability was publicly disclosed before a fix, which makes exploitation more likely.
- CVE-2025-59230: A privilege escalation vulnerability impacting Windows Remote Access Connection Manager due to improper access control. An authenticated attacker could exploit the flaw to gain SYSTEM privileges. Microsoft confirmed active exploitation of this vulnerability in the wild.
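As an added example that is not part of the original article, the following PowerShell check lets an administrator verify on a patched host that the ltmdm64.sys driver named above is neither on disk nor registered as a kernel driver service. The driver file name comes from the article; the System32\drivers path and the Win32_SystemDriver CIM class are standard Windows locations assumed here.

```powershell
# Post-patch verification for the Agere modem driver removal (CVE-2025-24990 /
# CVE-2025-24052). Added example, not Microsoft's or the article's own code.
# Run in an elevated PowerShell session on the host being checked.
function Test-AgereDriverRemoved {
    $driverName = 'ltmdm64.sys'   # driver file named in the article
    # Standard driver location (assumption: default %SystemRoot% layout)
    $driverPath = Join-Path $env:SystemRoot "System32\drivers\$driverName"

    $findings = [ordered]@{}

    # 1. Is the driver binary still present on disk?
    $findings['FileOnDisk'] = Test-Path -LiteralPath $driverPath
    if ($findings['FileOnDisk']) {
        $item = Get-Item -LiteralPath $driverPath
        $findings['FileVersion'] = $item.VersionInfo.FileVersion
        $findings['Signature']   = (Get-AuthenticodeSignature -FilePath $driverPath).Status
    }

    # 2. Is a kernel-mode driver service still configured to load it?
    #    Win32_SystemDriver enumerates configured and running kernel drivers.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver |
           Where-Object { $_.PathName -like "*$driverName*" }
    $findings['ServiceRegistered'] = [bool]$svc
    if ($svc) {
        $findings['ServiceName']  = ($svc.Name  -join ', ')
        $findings['ServiceState'] = ($svc.State -join ', ')
    }

    # The fix removes the driver, so a remediated host shows neither the file
    # nor a registered service. Anything else warrants checking update status.
    $findings['Remediated'] = -not ($findings['FileOnDisk'] -or $findings['ServiceRegistered'])
    [pscustomobject]$findings
}

Test-AgereDriverRemoved | Format-List
```

A result of `Remediated : False` on a host that reports the October update as installed is worth investigating, since a leftover copy of the driver is exactly what the removal is meant to eliminate.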
Third-Party Zero-Day Fixes Shipped With October Patch Tuesday From Microsoft
In addition, the update bundle includes fixes for three other zero-days affecting third-party components. One of these, CVE-2025-47827 (CVSS 4.6; important severity), a Secure Boot bypass in IGEL OS, was under attack before a patch was available.
For the other two, CVE-2025-0033 (CVSS 8.2; critical), an RMP corruption during SNP initialization, and CVE-2025-2884 (CVSS 5.3; important severity), an out-of-bounds read in the TCG TPM 2.0 reference implementation, Microsoft confirmed no active exploitation. However, both flaws became publicly known before a patch could arrive.
Over A Dozen Critical, 150+ Important Severity Vulnerabilities Also Fixed
Apart from the zero-days, this month’s update bundle also addresses 15 critical-severity vulnerabilities across various products. Moreover, 157 important-severity vulnerabilities and a single moderate-severity issue have also received patches. These include 83 privilege escalation vulnerabilities, 11 denial of service flaws, 26 information disclosure issues, 30 remote code execution flaws, 10 security feature bypass flaws, 14 spoofing vulnerabilities, 1 cross-site scripting vulnerability, and 1 tampering flaw.
Below, we list some noteworthy vulnerabilities.
- CVE-2025-59246 (CVSS 9.8; critical): A privilege escalation vulnerability in Azure Entra ID that drew the attention of security researcher Dylan Ryan-Zilavy. Microsoft confirmed that it has already fully mitigated this issue, requiring no further action from users. Nevertheless, it rates the issue as having high exploitability.
- CVE-2025-59218 (CVSS 9.6; critical): Another privilege escalation flaw in Azure Entra ID that Microsoft has fully mitigated, while rating its exploitation as less likely. The firm credited security researcher Vladimir Abramzon for reporting the flaw.
- CVE-2025-49708 (CVSS 9.9; critical): A use-after-free in the Microsoft Graphics Component that would allow an authorized attacker to gain SYSTEM privileges over a target network. Exploiting the flaw requires the attacker to have access to a local guest VM in order to target the host OS.
- CVE-2025-59287 (CVSS 9.8; critical): A code execution vulnerability affecting Windows Server Update Services due to deserialization of untrusted data. An unauthorized adversary could execute code by sending a maliciously crafted event that triggers unsafe object deserialization in a legacy serialization mechanism.
Microsoft Confirms October Updates Are The Last Patch Tuesday For Windows 10
This month’s update bundle is the last for Windows 10 users. Moving forward, only Windows 10 Enterprise LTSC/IoT LTSC users will receive security updates, as the tech giant requires regular users (Home/Pro/Enterprise) to upgrade their devices to Windows 11. For users who cannot upgrade immediately, Microsoft offers one year of free security updates through enrollment in the ESU plans.
Let us know your thoughts in the comments.
