Microsoft Patch Tuesday for October 2025 was massive, delivering over 170 security fixes across Windows, Office, and Azure cloud services. Three of the flaws were already being exploited in the wild, so this release should be applied immediately rather than on a normal maintenance cycle.
Critical Zero-Day Exploits: Active Attacks Fixed
Three zero-day flaws confirmed to be under active attack were patched. These included two Elevation of Privilege (EoP) bugs in Windows (both CVSS 7.8, High) and a third-party Secure Boot bypass:
CVE-2025-24990 (Windows Agere Modem Driver EoP – CVSS 7.8, High): This actively exploited flaw was fixed not by patching the obsolete third-party driver but by permanently removing it (ltmdm64.sys) from Windows. Fax modem hardware relying on this driver will cease to function on updated systems, so check for that dependency before deploying rather than after.
CVE-2025-59230 (Windows Remote Access Connection Manager EoP – CVSS 7.8, High): An improper access control bug in the Remote Access Connection Manager (RasMan) service that allows a low-privileged, authenticated local attacker to gain SYSTEM-level privileges. It needs a foothold first, which makes it a post-compromise escalation tool rather than an entry point.
CVE-2025-47827 (Secure Boot Bypass in IGEL OS – CVSS 8.4, High): This third-party flaw breaks the Secure Boot trust chain through the igel-flash-driver module, allowing a crafted root file system to be mounted on a machine that appears to have booted securely, which defeats the integrity guarantee Secure Boot is supposed to provide.
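For the two Windows zero-days above, a quick host-level check tells you whether a machine is still exposed. The following script is an added example for this article, not code from Microsoft or from the original page; it assumes the Agere driver lives at the default path under System32\drivers, that the vulnerable service is registered as "RasMan", and that Get-HotFix reports the cumulative update (it does not on every build, so treat the result as a screening signal, not proof of patch state).

```powershell
# Added example (not from the article or Microsoft): host-level triage for
# CVE-2025-24990 (Agere modem driver) and CVE-2025-59230 (RasMan).
# Run in an elevated PowerShell session on the machine being checked.
# Assumptions: ltmdm64.sys is at the default driver path, the RasMan
# service name is "RasMan", and Get-HotFix lists the October update.
function Get-OctoberPatchTuesdayPosture {
    [CmdletBinding()]
    param(
        # Release date of the October 2025 Patch Tuesday update.
        [datetime]$PatchDate = [datetime]'2025-10-14'
    )

    # CVE-2025-24990: the fix removes ltmdm64.sys outright, so the file still
    # being on disk or loaded as a kernel driver means the update is not applied.
    $driverPath   = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'
    $driverOnDisk = Test-Path -LiteralPath $driverPath
    $driverLoaded = [bool](Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*ltmdm64.sys*' -and $_.State -eq 'Running' })

    # CVE-2025-59230: RasMan cannot be removed, but whether it is running tells
    # you whether the escalation path is reachable on this host right now.
    $rasman       = Get-Service -Name RasMan -ErrorAction SilentlyContinue
    $rasmanStatus = if ($rasman) { $rasman.Status.ToString() } else { 'NotInstalled' }

    # Any update installed on or after Patch Tuesday. InstalledOn can be $null
    # for some packages, hence the null guard before the date comparison.
    $recent = @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate })

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OSBuild              = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
        AgereDriverOnDisk    = $driverOnDisk
        AgereDriverLoaded    = $driverLoaded
        RasManStatus         = $rasmanStatus
        UpdatesSincePatchDay = $recent.Count
        # Heuristic: the driver surviving is the strongest signal; no updates
        # since patch day is weaker, confirm against your patch-management data.
        LikelyUnpatched      = $driverOnDisk -or $driverLoaded -or ($recent.Count -eq 0)
    }
}

Get-OctoberPatchTuesdayPosture | Format-List
```

The driver file check is the useful part: because Microsoft's fix deletes ltmdm64.sys rather than updating it, its presence is a direct indicator, whereas a running RasMan service is normal on most desktops and only matters as context for how reachable the EoP is.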
High-Priority Server and Web Threats
Server and application administrators must prioritise three Critical-rated flaws with near-perfect CVSS scores:
WSUS Critical RCE (CVE-2025-59287, CVSS 9.8, Critical): A deserialization of untrusted data bug that allows an unauthenticated, remote attacker to completely take over a Windows Server Update Services (WSUS) server. Because WSUS distributes updates to every managed client, a compromised server is a launchpad for pushing code across the whole network, not just one host.
ASP.NET Core Security Feature Bypass (CVE-2025-55315, CVSS 9.9, Critical): An HTTP request smuggling flaw in the Kestrel web server, exploitable by a low-privileged, authenticated attacker. By smuggling a second request inside one that has already passed validation, the attacker can bypass security controls and severely compromise the confidentiality and integrity of multi-tenant web applications. It affects the Microsoft.AspNetCore.Server.Kestrel.Core package (for some versions), so applications need the updated package or an updated ASP.NET Core runtime.
Windows Graphics Component (CVE-2025-49708, CVSS 9.9, Critical): A memory corruption bug, specifically a Use-After-Free flaw, that presents a remote path to full system compromise at the kernel level.
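For the WSUS flaw, the first question is which servers actually expose the service, and the second is what to do on the ones that cannot be patched today. The script below is an added example for this article, not code from Microsoft or the original page. It assumes WSUS is using its default ports, 8530 for HTTP and 8531 for HTTPS, and the firewall rule name is invented for the example; the optional mitigation mirrors the generic approach of blocking inbound traffic to those ports until the update is installed.

```powershell
# Added example (not from the article or Microsoft): report whether this
# server exposes WSUS (CVE-2025-59287) and optionally block its ports until
# the October update is applied. Run elevated on the candidate server.
# Assumptions: default WSUS ports 8530/8531; the rule DisplayName is made up.
function Test-WsusExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int[]]$WsusPorts = @(8530, 8531),
        # Create an inbound block rule for the WSUS ports on the host firewall.
        [switch]$Mitigate
    )

    # The UpdateServices role only exists on Windows Server; on a client OS
    # Get-WindowsFeature is absent, which we treat as "role not installed".
    $roleInstalled = $false
    if (Get-Command -Name Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $roleInstalled = [bool](Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue |
            Where-Object Installed)
    }

    # A listener on the WSUS ports is what an unauthenticated attacker reaches,
    # regardless of how the role was installed or which process owns it.
    $listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $WsusPorts } |
        Select-Object LocalAddress, LocalPort, OwningProcess)

    $exposed   = $roleInstalled -or ($listeners.Count -gt 0)
    $mitigated = $false

    if ($Mitigate -and $exposed -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Block inbound TCP $($WsusPorts -join ',')")) {
        # Caveat: this also stops legitimate WSUS clients from checking in, so
        # remove the rule once the update is installed and the server rebooted.
        New-NetFirewallRule -DisplayName 'Temp block WSUS ports (CVE-2025-59287)' `
            -Direction Inbound -Protocol TCP -LocalPort $WsusPorts -Action Block | Out-Null
        $mitigated = $true
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        WsusRoleInstalled = $roleInstalled
        Listeners         = $listeners
        Exposed           = $exposed
        Mitigated         = $mitigated
    }
}

# Report only; add -Mitigate (and -WhatIf first) to create the block rule.
Test-WsusExposure | Format-List
```

Blocking the ports is a stopgap, not a fix: it cuts off clients as well as attackers, and it does nothing for an attacker already inside the same firewall zone. For the ASP.NET Core issue in the same list, `dotnet list package --include-transitive` run in each project directory shows whether Microsoft.AspNetCore.Server.Kestrel.Core is referenced and at which version.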
Office, Cloud, and AI Fixes
Crucial vulnerabilities were also addressed in end-user and enterprise services:
Office RCEs:
Multiple RCEs were patched. High-priority flaws (CVE-2025-59234 and CVE-2025-59236, both CVSS 7.8, High) allow code execution when a user opens a malicious file. CVE-2025-59227 (CVSS 7.8, High) deserves particular attention because the Preview Pane is an attack vector: merely previewing the file in Outlook or Explorer can trigger it, so the user does not have to open the document.
Azure and Confidential Computing:
Critical EoP flaws were fixed in Azure Entra ID (CVE-2025-59246, CVSS 9.8, a Missing Authentication for Critical Function bug; and CVE-2025-59218, CVSS 9.6) and Azure Compute Gallery (CVE-2025-59292, CVSS 8.2). A race condition in AMD EPYC SEV-SNP processors (CVE-2025-0033), which affects the integrity guarantees Azure Confidential Computing relies on, was also addressed.
Copilot Spoofing:
Patches were issued for multiple Spoofing vulnerabilities (e.g., CVE-2025-59252, CVSS 6.5) to prevent attackers from showing misleading or ‘spoofed’ content in the generative AI assistant’s interface.
End-of-Life (EOL) Warning
This is the final Patch Tuesday with free security updates for several major products, including Windows 10, Office 2016, and Exchange Server 2016. Organisations must upgrade Windows 10 to Windows 11 or enrol in a paid Extended Security Update (ESU) program. Office 2016/2019 users must move to a supported suite (such as Microsoft 365), and Exchange Server 2016/2019 users to Exchange Online or Exchange Server Subscription Edition, to keep receiving security fixes.
IMMEDIATE ACTION: Since three of these zero-days are being exploited in the wild, installing these updates is the most urgent and necessary step for all users and administrators.
Expert comments
“The first zero-day is a serious elevation of privilege flaw in the Windows Remote Access Connection Manager (RACMAN) service, which manages VPN and remote access connections,” said Mike Walters, President and Co-Founder of Action1, on the Windows Remote Access Connection Manager Elevation of Privilege Vulnerability (CVE-2025-59230).
“It results from improper access controls (CWE-284), allowing a low-privileged authenticated attacker to gain SYSTEM-level rights. The issue likely stems from how RACMAN validates and processes commands from lower-privileged users without proper authorisation checks,” Walters added.
“This vulnerability is especially dangerous because SYSTEM privileges give an attacker full control of the affected machine. In attack chains, it can be used to escalate privileges after an initial compromise (for example, via phishing), to establish persistence, to bypass User Account Control, and, when paired with lateral movement, to enable more sophisticated attacks against domain controllers,” he warned.