On the October 2025 Patch Tuesday, Microsoft released fixes for 175+ vulnerabilities, including three zero-days under active attack: CVE-2025-24990, CVE-2025-59230, and CVE-2025-47827.
The actively exploited vulnerabilities are an unusual mix
CVE-2025-24990 is in the third-party driver (ltmdm64.sys) for the software-based Agere Modem, which is used for dial-up internet access and sending/receiving faxes.
The vulnerable driver was, until now, shipped natively with Windows and the vulnerability, which allows attackers to gain administrator privileges, has been exploited by attackers in the wild.
How widespread these attacks are is unknown, but Fabian Mosch, one of the researchers credited with flagging the flaw, posited that it might have been exploited for EDR evasion.
“Considering the vulnerable files are on all Windows systems, you should treat this as a broad attack and update quickly,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, advised.
Microsoft has removed the driver in the October cumulative update and advised all users to update, since the vulnerability can be exploited even if the modem is not in use. But, the company warned, the fax modem hardware dependent on the specific driver will no longer work on updated systems.
(CVE-2025-24052, another elevation of privilege vulnerability in this same driver, has also been “fixed” by the driver’s removal. This one is not exploited in the wild, but was previously publicly disclosed.)
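Because the fix is the driver's removal rather than a patched binary, a host can be checked directly for leftover traces of ltmdm64.sys. The following PowerShell check is an added example, not code from the article or from Microsoft; it assumes the inbox driver lived under System32\drivers and relies on the Win32_SystemDriver CIM class to enumerate registered kernel drivers.

```powershell
# Added example (not from the article): report whether the Agere modem
# driver ltmdm64.sys is still present on disk or registered as a kernel
# driver after the October cumulative update. The System32\drivers
# location is an assumption about where the inbox driver was shipped.
$driverName = 'ltmdm64'
$driverPath = Join-Path $env:SystemRoot "System32\drivers\$driverName.sys"

# 1. Is the driver binary still on disk?
$onDisk = Test-Path -LiteralPath $driverPath
if ($onDisk) {
    $file = Get-Item -LiteralPath $driverPath
    Write-Output ("File present: {0} ({1} bytes, modified {2})" -f `
        $file.FullName, $file.Length, $file.LastWriteTime)
} else {
    Write-Output "File not present: $driverPath"
}

# 2. Is a kernel driver still registered that points at this binary?
#    State 'Running' means it is loaded right now; a StartMode other than
#    'Disabled' means it could be loaded again later.
$registered = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -eq $driverName -or $_.PathName -like "*$driverName*" } |
    Select-Object Name, State, StartMode, PathName

if ($registered) {
    Write-Output "Driver still registered:"
    $registered | Format-Table -AutoSize | Out-String | Write-Output
} else {
    Write-Output "No system driver registered for $driverName."
}

# 3. Exit code for inventory or compliance tooling: non-zero while either
#    the file or a driver registration remains on this host.
if ($onDisk -or $registered) { exit 1 } else { exit 0 }
```

Run it from an elevated prompt so the CIM query sees every registered driver; a non-zero exit code flags hosts that still need the update.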
CVE-2025-59230 is an elevation of privilege vulnerability that affects the Windows Remote Access Connection Manager (aka RasMan), a service that manages dial-up and VPN connections.
“While RasMan is a frequent flyer on Patch Tuesday, appearing more than 20 times since January 2022, this is the first time we’ve seen it exploited in the wild as a zero day,” noted Satnam Narang, senior staff research engineer at Tenable.
The vulnerability affects all supported versions of Windows and Windows Server, and allows attackers to elevate their privileges to SYSTEM (i.e., to completely “own” the machine).
The flaw was reported by Microsoft’s threat intelligence analysts and its security response center, but no details have been shared about the breadth of the attacks in which it is being used. Still, all actively exploited flaws should be remediated as quickly as possible.
CVE-2025-47827 affects the Linux-based IGEL OS (before version 11) and allows attackers to bypass the Secure Boot process.
IGEL OS is most commonly used to repurpose Windows PCs as secure, centrally managed thin clients for virtual desktops, kiosks, and other single-purpose devices. Such devices are often used in healthcare, education, retail, and industrial settings.
“The impacts of a Secure Boot bypass can be significant, as threat actors can deploy a kernel-level rootkit, gaining access to the IGEL OS itself and, by extension, then tamper with the Virtual Desktops, including capturing credentials,” Kev Breen, senior director of threat research at Immersive, pointed out.
“It should be noted that this is not a remote attack, and physical access is typically required to exploit this type of vulnerability, meaning that ‘evil-maid’ style attacks are the most likely vector affecting employees who travel frequently.”
Other vulnerabilities requiring quick action
For those who use Windows Server Update Service (WSUS), Childs advises patching CVE-2025-59287, which allows remote, unauthenticated attackers to execute code with elevated privileges without user interaction.
“That means this is wormable between affected WSUS servers. Since WSUS remains a critical piece of anyone’s infrastructure, it’s an attractive target for those looking to do harm,” he explained.
Breen also noted that with WSUS being a trusted Windows service, attackers could potentially bypass some EDR detections that ignore or exclude it.
Narang says that Microsoft Office users should also take note of CVE-2025-59227 and CVE-2025-59234, a pair of remote code execution bugs that take advantage of “Preview Pane”, as the target doesn’t even need to open the malicious file for exploitation to occur.
Finally, CVE-2025-55315 is a critical Security Feature Bypass vulnerability in ASP.NET Core that, despite being exploitable only by authenticated attackers, may allow them to view sensitive information (e.g., users’ credentials), make changes to file contents on the target server, or force a crash within the server.
While Microsoft deems the vulnerability less likely to be exploited, Ben McCarthy, lead cyber security engineer at Immersive, notes that security bypasses don’t typically get a 9.9 CVSS score.
“While it might be a security bypass, attackers can exploit this vulnerability with such ease and the fact that it is probably in a lot of external-facing applications using ASP.NET, justify its rating,” he noted.
“It is recommended that organizations try to patch this by upgrading their ASP.NET version when they can: first test that their code base works in the newer version of ASP.NET, then ensure they upgrade.”
Windows 10 reaches end-of-support
As a reminder: this month, Microsoft is ending support for Windows 10, but also for Office 2016 and 2019, and Exchange Server 2016 and 2019.
Office users can switch to Office 2024, Microsoft 365 (cloud-based software-as-a-service for which you need a subscription), or a non-Microsoft alternative (e.g. LibreOffice, WPS Office, etc.)
Exchange users can migrate to Microsoft’s cloud-based Exchange or, if they want to retain control over their data, upgrade to Exchange Server Subscription Edition. Or they can move off Exchange entirely, to an alternative mail platform.
Windows 10 users and enterprises can sign up for the Extended Security Updates (ESU) program (European users have more favorable conditions), upgrade to Windows 11, or remain on Windows 10 and opt for micropatching. And, of course, switching to another OS is also an option.