
Double Zero-Day Trouble: Microsoft Races to Contain Active Windows Exploits


In the ever-evolving landscape of cybersecurity, staying ahead of emerging threats is paramount. This October, Microsoft’s Patch Tuesday addressed a staggering 183 security flaws, a clear indication of the persistent challenges faced by software vendors in safeguarding their products. Among these fixes, two zero-day vulnerabilities in Windows, CVE-2025-24990 and CVE-2025-59230, are particularly noteworthy due to their active exploitation in the wild. These vulnerabilities highlight the importance of timely patching and proactive security measures to protect systems from potential attacks.


Affected Products

The two zero-day vulnerabilities affect the following products:

  • CVE-2025-24990: This vulnerability impacts all Windows systems, including Server 2025. The root cause lies within a legacy Agere Modem Driver (“ltmdm64.sys”) that is installed by default, irrespective of whether the hardware is present or in use.
  • CVE-2025-59230: This vulnerability affects the Windows Remote Access Connection Manager (RasMan). This is the first time a RasMan vulnerability has been exploited as a zero-day.

Impact & Exploit Potential

Both vulnerabilities could allow attackers to execute code with elevated privileges. Because the Agere driver is installed by default, a system remains susceptible to a local attacker escalating privileges to administrator even if it never uses the driver or has no modem hardware. This is particularly concerning because it broadens the attack surface across a wide range of Windows systems.

The exploitation of CVE-2025-59230 marks a significant event, being the first zero-day exploitation of a vulnerability within the Windows Remote Access Connection Manager (RasMan). This highlights the increasing attention threat actors are paying to previously less-targeted components of the Windows operating system.


Tactics, Techniques, and Procedures (TTPs)

Adversaries are actively exploiting these vulnerabilities to perform privilege escalation on affected systems. Understanding the tactics, techniques, and procedures (TTPs) associated with these exploits can help organizations better detect and respond to potential attacks.

  • TA0004 – Privilege Escalation: Attackers exploit these vulnerabilities to gain elevated privileges on a system.
  • T1068 – Exploitation for Privilege Escalation: By exploiting these vulnerabilities, attackers can execute code with elevated privileges, potentially gaining full control over the compromised system.

Mitigation & Recommendations

Given the active exploitation of these vulnerabilities, it is crucial to apply the patches released by Microsoft as part of the October 2025 Patch Tuesday update. Furthermore, since Microsoft plans to address CVE-2025-24990 by removing the Agere Modem Driver entirely, organizations should prepare for this change and confirm that any systems still relying on that hardware remain compatible.

The CISA KEV Catalog has added these vulnerabilities, requiring federal agencies to apply the patches by November 4, 2025. It is highly recommended that all organizations, regardless of sector, follow this guidance to mitigate potential risks.
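The following PowerShell script is an added example for verifying the two conditions discussed in the Affected Products and Mitigation sections on a single host; it is not code from the original post, from Microsoft, or from any vendor named here. It assumes the driver file sits in the standard System32\drivers directory and that its service key uses the file's base name (ltmdm64); the KB number for the October 2025 update is a placeholder because the post does not list one, so substitute the KB that applies to your OS build.

```powershell
# Added example (not from the original post): report whether a Windows host still
# carries the legacy Agere modem driver and whether the October 2025 update is installed.
# Assumptions are marked inline; the KB identifier is a placeholder.

$Report = [ordered]@{}

# 1. Legacy Agere modem driver (CVE-2025-24990). The file name ltmdm64.sys comes
#    from the post; System32\drivers is the standard kernel-driver location
#    (assumption: the driver lives there on this host).
$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'
$Report['AgereDriverFilePresent'] = Test-Path -LiteralPath $DriverPath

# Driver service registration (assumption: the service key shares the file's base name).
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ltmdm64'
$Report['AgereDriverServiceRegistered'] = Test-Path -LiteralPath $ServiceKey
if ($Report['AgereDriverServiceRegistered']) {
    # Start value 4 means disabled; any other value means the driver can still be loaded.
    $Start = (Get-ItemProperty -LiteralPath $ServiceKey -Name Start -ErrorAction SilentlyContinue).Start
    $Report['AgereDriverStartValue'] = $Start
}

# 2. Remote Access Connection Manager (CVE-2025-59230). 'RasMan' is the service
#    name given in the post; record its state so the exposure is documented.
$RasMan = Get-Service -Name RasMan -ErrorAction SilentlyContinue
$Report['RasManStatus'] = if ($RasMan) { $RasMan.Status.ToString() } else { 'NotInstalled' }

# 3. Patch state. Replace the placeholder with the KB of the October 2025 cumulative
#    update for this OS build (the post does not list KB numbers).
$ExpectedKb = 'KB<OCTOBER-2025-CU-PLACEHOLDER>'
$Installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $ExpectedKb }
$Report['OctoberUpdateInstalled'] = [bool]$Installed

# OS build number, useful when cross-checking against Microsoft's release notes.
$Report['OSBuild'] = [System.Environment]::OSVersion.Version.ToString()

# Verdict: the driver still being present or the update being absent means the host
# needs attention; the fix for CVE-2025-24990 is the removal of the driver.
$NeedsAttention = $Report['AgereDriverFilePresent'] -or (-not $Report['OctoberUpdateInstalled'])
$Report['NeedsAttention'] = $NeedsAttention

[pscustomobject]$Report | Format-List
if ($NeedsAttention) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell session so the registry and hotfix queries succeed on all hosts; the non-zero exit code lets a configuration-management or patch tool treat an unpatched host as a failed check rather than relying on someone reading the printed report.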


Instantly Fix Risks with Saner Patch Management

Saner patch management is continuous, automated, and integrated patching software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.