Microsoft has released a comprehensive Patch Tuesday update package for October 2025, addressing a total of 175 vulnerabilities. These updates are crucial as they cover several critical severity issues and zero-day vulnerabilities. Additionally, these updates mark the final scheduled updates for most Windows 10 devices (Home, Pro, and Enterprise) as they reach their end-of-life.
Highlights of the October Patch Tuesday Updates
The October Patch Tuesday from Microsoft includes fixes for three zero-day vulnerabilities, two of them publicly disclosed and one actively exploited before a patch was available. These vulnerabilities were rated with a CVSS score of 7.8 and deemed important in severity. Here is a brief overview of these vulnerabilities.
- CVE-2025-24990: This vulnerability, a privilege escalation issue in the Agere Modem driver, posed a risk to Windows systems. Microsoft confirmed active exploitation of this vulnerability and addressed it by removing the ltmdm64.sys driver in the October update.
- CVE-2025-24052: Another privilege escalation vulnerability in the Agere Modem driver, which could give an attacker administrator privileges. While no active exploitation was confirmed, the vulnerability’s public disclosure made it potentially exploitable.
- CVE-2025-59230: This privilege escalation vulnerability in Windows Remote Access Connection Manager enabled authenticated attackers to gain SYSTEM privileges. Microsoft confirmed active exploitation of this vulnerability in the wild.
Third-Party Zero-Day Vulnerabilities Addressed by Microsoft
In addition to the zero-days, Microsoft’s October update bundle also includes fixes for three zero-day vulnerabilities affecting third-party services. One of these vulnerabilities, CVE-2025-47827 with a CVSS score of 4.6, involved a Secure Boot bypass in IGEL OS that was exploited before a patch was available.
The other two vulnerabilities, CVE-2025-0033 (CVSS 8.2) and CVE-2025-2884 (CVSS 5.3), had no active exploitation but were publicly known before patches were released.
Multiple Critical and Important Severity Vulnerabilities Patched
Aside from the zero-days, the October update bundle also addresses 15 critical-severity vulnerabilities across various products. Additionally, 157 important-severity vulnerabilities and one moderate-severity issue have been patched. These include privilege escalation issues, denial of service flaws, information disclosure vulnerabilities, remote code execution flaws, and more.
Some noteworthy vulnerabilities addressed in this update include:
- CVE-2025-59246 (CVSS 9.8): A privilege escalation vulnerability in Azure Entra ID, fully mitigated by Microsoft but deemed highly exploitable.
- CVE-2025-59218 (CVSS 9.6): Another privilege escalation flaw in Azure Entra ID, fully mitigated by Microsoft with a lower likelihood of exploitation.
- CVE-2025-49708 (CVSS 9.9): A use-after-free vulnerability in Microsoft Graphics Component that could allow an attacker to gain SYSTEM privileges.
- CVE-2025-59287 (CVSS 9.8): A code execution vulnerability in Windows Server Update Service due to deserialization of untrusted data.
Final Patch Tuesday for Windows 10 Users
The October updates mark the final Patch Tuesday for Windows 10 users, with only Windows 10 Enterprise LTSC/IoT LTSC users receiving future security updates. Regular users are encouraged to upgrade to Windows 11. For users unable to upgrade immediately, Microsoft offers 1 year of free security updates through ESU Plans.
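Two of the points above are easy to verify on a host: whether the ltmdm64.sys driver removed for CVE-2025-24990 is actually gone, and whether a Windows 10 device is an LTSC edition that keeps receiving updates. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell prompt, and the EditionID values used to recognise LTSC are an assumption about the Windows registry layout.

```powershell
# Added example (not from the article). Run in an elevated PowerShell prompt.
# ltmdm64.sys is the driver named in the article; the EditionID values below
# are an assumption about how Windows reports LTSC editions.

function Test-AgereModemDriver {
    # Microsoft's fix for CVE-2025-24990 removes ltmdm64.sys rather than
    # patching it, so a remaining file or driver service that references it
    # indicates the October update has not taken effect on this host.
    $driverFile = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'
    $fileExists = Test-Path -LiteralPath $driverFile

    # Win32_SystemDriver lists kernel-mode driver services and their state.
    $services = @(Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'ltmdm64\.sys' })

    [pscustomobject]@{
        DriverFilePresent = $fileExists
        DriverServices    = @($services | Select-Object -ExpandProperty Name)
        RunningServices   = @($services | Where-Object { $_.State -eq 'Running' } |
                              Select-Object -ExpandProperty Name)
        StillExposed      = $fileExists -or ($services.Count -gt 0)
    }
}

function Test-Windows10Support {
    # Only Windows 10 Enterprise LTSC / IoT LTSC keep receiving updates after
    # October 2025; other Windows 10 editions need Windows 11 or an ESU plan.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $isWin10 = $os.Caption -like '*Windows 10*'
    # Assumption: LTSC editions report EditionID 'EnterpriseS' or 'IoTEnterpriseS'.
    $isLtsc = $cv.EditionID -in @('EnterpriseS', 'IoTEnterpriseS')

    if (-not $isWin10) { $status = 'Not Windows 10' }
    elseif ($isLtsc)   { $status = 'Windows 10 LTSC: still serviced' }
    else               { $status = 'Windows 10: no further updates without ESU or Windows 11' }

    [pscustomobject]@{
        Caption   = $os.Caption
        Build     = $cv.CurrentBuildNumber
        EditionID = $cv.EditionID
        Status    = $status
    }
}

Test-AgereModemDriver
Test-Windows10Support
```

A host reporting StillExposed = True after the October update was applied should be treated as unpatched and re-checked through Windows Update.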