Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws

hendryadrian.com

hendryadrian.com

Today is Microsoft’s October 2025 Patch Tuesday, which includes security updates for 172 flaws, including six zero-day vulnerabilities.

This Patch Tuesday also addresses eight “Critical” vulnerabilities, five of which are remote code execution vulnerabilities and three are elevation of privilege vulnerabilities.

The number of bugs in each vulnerability category is listed below:

• 80 Elevation of Privilege Vulnerabilities
• 11 Security Feature Bypass Vulnerabilities
• 31 Remote Code Execution Vulnerabilities
• 28 Information Disclosure Vulnerabilities
• 11 Denial of Service Vulnerabilities
• 10 Spoofing Vulnerabilities

When BleepingComputer reports on the Patch Tuesday security updates, we only count those released today by Microsoft. Therefore, the number of flaws does not include those fixed in Azure, Mariner, Microsoft Edge, and other vulnerabilities earlier this month.

Notably, Windows 10 reaches the end of support today, with this being the last Patch Tuesday where Microsoft provides free security updates to the venerable operating system.

To continue receiving security updates on Windows 10, consumers can sign up for a year of Extended Security Updates (ESU), and enterprises can sign up for a total of three years.

To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5066835 and KB5066793 updates.

6 zero-days in the October Patch Tuesday

This month’s Patch Tuesday fixes two publicly disclosed zero-day flaws in Windows SMB Server and Microsoft SQL Server. Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.

The three exploited zero-days are:

CVE-2025-24990 – Windows Agere Modem Driver Elevation of Privilege Vulnerability

Microsoft is removing an Agere Modem driver that was abused to gain administrative privileges.

“Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems,” explains Microsoft.

“This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update.”

Microsoft warns that removing this driver will cause related Fax modem hardware to cease functioning.

Microsoft has attributed the flaw to Fabian Mosch and Jordan Jay.

CVE-2025-59230 – Windows Remote Access Connection Manager Elevation of Privilege Vulnerability

Microsoft fixed a Windows Remote Access Connection Manager flaw that was exploited to gain SYSTEM privileges.

“Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally,” explains Microsoft.

Microsoft says attackers must “invest in some measurable amount of effort in preparation or execution” to successfully exploit the flaw.

The vulnerability has been attributed the flaw internally to Microsoft Threat Intelligence Center (MSTIC) & Microsoft Security Response Center (MSRC).

CVE-2025-47827 – MITRE CVE-2025-47827: Secure Boot bypass in IGEL OS before 11

Microsoft has added fixes for a Secure Boot bypass in IGEL OS.

“In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image,” explains Microsoft.

“MITRE created this CVE on their behalf. The documented Windows updates incorporate updates in IGEL OS which address this vulnerability. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.”

The flaw was discovered by Zack Didcott and publicly disclosed in a GitHub writeup.

The publicly exploited flaws are:

CVE-2025-0033 – AMD CVE-2025-0033: RMP Corruption During SNP Initialization

Microsoft is working on a fix for an AMD flaw that could impact memory integrity.

“CVE-2025-0033 is a vulnerability in AMD EPYC processors using Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP). It involves a race condition during Reverse Map Table (RMP) initialization that could allow a malicious or compromised hypervisor to modify RMP entries before they are locked, potentially impacting the integrity of SEV-SNP guest memory. This issue does not expose plaintext data or secrets and requires privileged control of the hypervisor to exploit,” explains Microsoft.

“Across Azure Confidential Computing products, multiple security guardrails are in place to prevent host compromise, combining isolation, integrity verification and continuous monitoring. All host operations follow audited and approved management pathways, with administrative access strictly controlled, limited and logged. Together, these protections reduce the risk of host compromise or unauthorized memory manipulation, helping ensure that confidential workloads and customer VMs maintain their confidentiality and integrity on Azure hosts.”

Microsoft states that the security updates for this vulnerability in Azure Confidential Computing’s (ACC) AMD-based clusters are not yet complete. Customers will be notified via Azure Service Health Alerts when they are available to deploy.

The flaws were publicly disclosed by AMD yesterday and discovered by Benedict Schlueter, Supraja Sridhara, and Shweta Shinde from ETH Zurich.

CVE-2025-24052 – Windows Agere Modem Driver Elevation of Privilege Vulnerability

This is a similar flaw to CVE-2025-24990, described above, which appears to have been publicly disclosed as well.

Microsoft reiterates that the flaw impacts all versions of Windows and that the modem does not have to be used to exploit the flaw.

“All supported versions of Windows can be affected by a successful exploitation of this vulnerability, even if the modem is not actively being used,” explains Microsoft.

This CVE is not attributed to any researchers.

CVE-2025-2884 – Cert CC: CVE-2025-2884 Out-of-Bounds read vulnerability in TCG TPM2.0 reference implementation

Microsoft has fixed a TCG TPM 2.0 flaw that could lead to information disclosure or denial of service of the TPM.

“CVE-2025-2884 is regarding a vulnerability in CG TPM2.0 Reference implementation’s CryptHmacSign helper function that is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key’s algorithm,” explains Microsoft.

“CERT/CC created this CVE on their behalf. The documented Windows updates incorporate updates in CG TPM2.0 Reference implementation which address this vulnerability. Please see CVE-2025-2884 for more information.”

The flaw has been attributed to the Trusted Computing Group (TCG) and an anonymous researcher. TCG publicly disclosed the flaw in this writeup.

Recent updates from other companies

Other vendors who released updates or advisories in October 2025 include:

• Adobe released security updates for various products.
• Cisco released patches for Cisco IOS, Cisco Unified Communications Manager, and Cyber Vision Center.
• Draytek released a security update for an pre-auth RCE flaw in several Vigor router models.
• Gladinet is warning customers of a CentreStack zero-day that was actively exploited to breach servers.
• Ivanti released security updates for Ivanti Endpoint Manager Mobile (EPMM) and Ivanti Neurons for MDM.
• Oracle released security updates for two actively exploited E-Business Suite zero-days in a very confusing way.
• Redis released security updates to patch a a maximum severity RCE vulnerability.
• SAP released the October security updates for multiple products, including a fix for a maximum severity command execution flaw in Netweaver.
• Synacor released a security update for a Zimbra Collaboration Suite zero-day exploited to steal data.

The October 2025 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the October 2025 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.