56
Microsoft has rolled out an enormous Patch Tuesday replace bundle for October 2025, addressing 175 totally different vulnerabilities. These updates are necessary in that they deal with a number of vital severity points and zero-day flaws. Furthermore, they’re the final scheduled updates for many Home windows 10 units (House, Professional, and Enterprise) as they attain their end-of-life.
Not less than 3 Zero-Days, 16 Important Safety Fixes Launched
With October Patch Tuesday, Microsoft has addressed three zero-day vulnerabilities, of which two had been publicly disclosed and one was exploited earlier than a patch may arrive. All three vulnerabilities obtained a CVSS rating of seven.8 with an necessary severity score. Here’s a fast breakdown of those vulnerabilities.
- CVE-2025-24990: A privilege escalation vulnerability within the Agere Modem driver risked Home windows programs because it ships natively with the OS. Exploiting the vulnerability didn’t require the modem to be in use, giving admin privileges to an adversary. Microsoft confirmed detecting energetic exploitation of this vulnerability. They addressed the flaw by eradicating the ltmdm64.sys driver with the October replace.
- CVE-2025-24052: One other privilege escalation vulnerability within the Agere Modem driver that allowed admin privileges to an attacker. Whereas Microsoft confirmed detecting no energetic exploitation of this flaw, they admitted the vulnerability’s public disclosure earlier than a repair, making it seemingly exploitable.
- CVE-2025-59230: A privilege escalation vulnerability impacting Home windows Distant Entry Connection Supervisor as a consequence of improper entry management. An authenticated attacker may exploit the flaw to realize SYSTEM privileges. Microsoft confirmed energetic exploitation of this vulnerability within the wild.
Third-Celebration Zero-Day Fixes Shipped With October Patch Tuesday From Microsoft
As well as, the replace bundle additionally consists of fixes for 3 different zero-days affecting third-party companies. Certainly one of these vulnerabilities, CVE-2025-47827 (CVSS 4.6; necessary severity) – Safe Boot bypass in IGEL OS, went below assault earlier than a patch.
For the opposite two vulnerabilities, CVE-2025-0033 (CVSS 8.2; vital) – RMP corruption throughout SNP initialization, and CVE-2025-2884 (CVSS 5.3; necessary severity) – an out-of-bounds learn vulnerability in TCG TPM2.0 reference implementation, Microsoft confirmed no energetic exploitation. Nonetheless, these two flaws grew to become publicly identified earlier than a patch may arrive.
Over A Dozen Important, 150+ Essential Severity Vulnerabilities Additionally Fastened
Other than the zero-days, this month’s replace bundle additionally addresses 15 totally different critical-severity vulnerabilities throughout totally different merchandise. Furthermore, 157 necessary severity vulnerabilities and a single reasonable severity subject have additionally obtained patches. These embody 83 privilege escalation vulnerabilities, 11 denial of service flaws, 26 data disclosure points, 30 distant code execution flaws, 10 safety function bypass, 14 spoofing vulnerabilities, 1 cross-site scripting vulnerability, and 1 tampering flaw.
Beneath, we checklist some noteworthy vulnerabilities.
- CVE-2025-59246 (CVSS 9.8; vital): It’s a privilege escalation vulnerability in Azure Entra ID that caught the eye of safety researcher Dylan Ryan-Zilavy. Microsoft confirmed that it has absolutely mitigated this subject already, requiring no additional motion from the customers. But, they deem this subject to have a excessive exploitability.
- CVE-2025-59218 (CVSS 9.6; vital): One other privilege escalation flaw in Azure Entra ID Microsoft has absolutely mitigated, whereas confirming its exploitation as much less seemingly. The agency credited the safety researcher Vladimir Abramzon for reporting the flaw.
- CVE-2025-49708 (CVSS 9.9; vital): A use-after-free in Microsoft Graphics Element that will permit a certified attacker to realize SYSTEM privileges over a goal community. Exploiting the flaw required the attacker to entry the native visitor VM to focus on the Host OS.
- CVE-2025-59287 (CVSS 9.8; vital): A code execution vulnerability that riddled Home windows Server Replace Service as a consequence of deserialization of untrusted knowledge. An unauthorized adversary may execute code by sending a maliciously crafted occasion that triggers unsafe object deserialization in a legacy serialization mechanism.
Microsoft Ensures October Updates Are The Final Patch Tuesday For Home windows 10
This month’s replace bundle is the final replace for Home windows 10 customers. Shifting ahead, solely Home windows 10 Enterprise LTSC/IoT LTSC customers would obtain the safety updates, because the tech large requires the common customers (House/Professional/Enterprise) to improve their units to Home windows 11. For customers the place a right away replace isn’t attainable, Microsoft presents 1 12 months of free safety updates by letting them enroll within the ESU Plans.
Tell us your ideas within the feedback.
