Microsoft Tackles 6 Zero-Days and 172 Fixes in October 2025 Patch Tuesday

The second Tuesday of the month has arrived, and so has another major round of Microsoft security updates. For October 2025, Microsoft has released fixes for a total of 172 vulnerabilities, including 6 actively exploited zero-day flaws and 8 rated as Critical in severity.

According to Microsoft’s advisories and analyses by BleepingComputer and Qualys, the patch bundle spans nearly all major Microsoft product lines – from Windows kernel components to Office, Azure, and TPM2.0 implementations. Once again, Elevation of Privilege (EoP) flaws dominate the chart, followed by Remote Code Execution (RCE) issues.

This month’s release also marks a major milestone. Windows 10 has officially reached the end of support, making this the final regular security update for most Windows 10 editions outside of the paid Extended Security Updates (ESU) program.

Summary Overview

Category	Number of Flaws
Total Vulnerabilities	172
Zero-Days	6 (actively exploited)
Critical	8
Important	123
Elevation of Privilege	80
Remote Code Execution	31
Information Disclosure	28
Denial of Service	11
Security Feature Bypass	11
Spoofing	10

Key takeaway: Local privilege escalations remain the most common vulnerability type, but several RCE and Secure Boot bypass issues elevate this month’s risk profile.

Vulnerability Highlights

CVE-2025-24990: Agere Modem Driver Elevation of Privilege (Zero-Day)

This zero-day flaw in the legacy Agere Systems modem driver (ltmdm64.sys) allows local attackers to escalate privileges to SYSTEM on Windows systems. The vulnerable driver, distributed with various Windows versions, was found to expose kernel-level access paths due to improper input validation.

Instead of patching the driver, Microsoft has opted to remove it entirely from affected Windows builds. While this decisively mitigates the flaw, it also disables fax and dial-up modem functionality on systems where the driver was still in use.

This vulnerability is being actively exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities (KEV) list, with a remediation deadline of November 4, 2025.

CVE-2025-59230: Remote Access Connection Manager (RASMan) Elevation of Privilege (Zero-Day)

A second zero-day affecting the Windows Remote Access Connection Manager (RASMan) service enables attackers with local access to gain SYSTEM privileges due to improper permission handling. The vulnerability is reportedly being exploited in targeted attacks.

Microsoft’s patch strengthens access controls in RASMan to prevent unauthorized privilege escalation. Like CVE-2025-24990, this flaw also appears in CISA’s KEV catalog, and prompt patching is strongly advised for all Windows environments.

CVE-2025-47827: Secure Boot Bypass in IGEL OS (Zero-Day)

Another critical zero-day, this time targeting the Secure Boot chain in IGEL OS (versions prior to 11). The flaw enables attackers with physical or administrative access to bypass Secure Boot validation, potentially compromising firmware-level trust and boot integrity.

While updates are available for most affected systems, Azure Confidential Computing (ACC) clusters running on AMD hardware remain partially exposed. Microsoft is coordinating additional patches for those configurations.
This vulnerability reinforces the trend of attackers probing deeper into hardware-assisted trust mechanisms and virtualization layers.

CVE-2025-0033: AMD SEV-SNP Hypervisor Vulnerability (Zero-Day)

This zero-day affects AMD processors using Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP). A race condition in the Reverse Map Table (RMP) initialization allows a malicious or compromised hypervisor to modify memory mappings in guest VMs before the entries are locked, potentially undermining memory integrity.

Although no plaintext data or cryptographic keys are exposed, the flaw requires privileged access on the host, making it particularly relevant in multi-tenant or cloud environments. Azure Confidential Computing clusters using AMD hardware are being updated in phases, and affected customers are notified through Azure Service Health.

This vulnerability demonstrates that infrastructure-level features, not just OS components, can be at risk, highlighting the importance of patching hypervisors and monitoring virtualized environments.

CVE-2025-24052: Agere Modem Driver Elevation of Privilege (Zero-Day)

This vulnerability is a second flaw in the Agere modem driver and allows local attackers to gain administrative privileges. Unlike typical driver flaws, Microsoft notes that this issue affects all supported versions of Windows, even if the modem hardware is not actively in use.

To mitigate the risk, Microsoft has removed the legacy ltmdm64.sys driver in this cumulative update. This removal may disable associated modem hardware functions (e.g., fax/modem devices), so organizations relying on such hardware should plan accordingly.

This flaw highlights that legacy drivers can remain a significant risk, even on systems that no longer use the physical hardware, underscoring Microsoft’s move to phase out outdated or insecure components.

CVE-2025-2884: TPM 2.0 Reference Implementation Out-of-Bounds Read (Zero-Day)

This bug exists in the Trusted Platform Module (TPM) 2.0 reference implementation and stems from improper validation in the CryptHmacSign helper. The flaw could lead to an out-of-bounds read condition and, in certain virtualized or cloud environments (like AMD SEV-SNP), affect system integrity or enable side-channel data inference.

Microsoft addressed the issue by improving input validation and locking mechanisms in TPM components.
Although not under active exploitation, it’s an important reminder that supply-chain and firmware dependencies can present hidden risks even outside user-space code.

Affected Products and Solutions

The October 2025 updates apply across a broad range of Microsoft technologies:

Windows (client & server): multiple privilege escalation and kernel-level vulnerabilities
Microsoft Office Suite (Word, Excel, PowerPoint, Visio): memory corruption and RCE flaws
Azure & Azure Confidential Computing: Secure Boot and virtualization issues
.NET and Visual Studio: code execution and information disclosure flaws
TPM 2.0 Reference Implementation: cryptographic boundary violations
IGEL OS (pre-v11): Secure Boot integrity bypass
Legacy Components: Agere modem driver (removed), RASMan, LSASS, SMB, and NTFS subsystems

The full list of affected products is as follows:

.NET
.NET Framework
Visual Studio
Active Directory Federation Services
Agere Windows Modem Driver
AMD Restricted Memory Page
ASP.NET Core
Azure Connected Machine Agent
Azure Entra ID
Azure Local
Azure Monitor
Azure Monitor Agent
Azure PlayFab
Confidential Azure Container Instances
Connected Devices Platform Service (Cdpsvc)
Copilot
Data Sharing Service Client
Games
GitHub
Inbox COM Objects
Internet Explorer
JDBC Driver for SQL Server
Mariner
Microsoft Brokering File System
Microsoft Configuration Manager
Microsoft Defender for Linux
Microsoft Edge (Chromium-based)
Microsoft Exchange Server
Microsoft Failover Cluster Virtual Driver
Microsoft Graphics Component
Microsoft Office
Microsoft Office Excel
Microsoft Office PowerPoint
Microsoft Office SharePoint
Microsoft Office Visio
Microsoft Office Word
Microsoft PowerShell
Microsoft Windows
Microsoft Windows Codecs Library
Microsoft Windows Search Component
Microsoft Windows Speech
Network Connection Status Indicator (NCSI)
NtQueryInformation Token function (ntifs.h)
Redis Enterprise
Remote Desktop Client
Software Protection Platform (SPP)
Storport.sys Driver
TCG TPM2.0
Virtual Secure Mode
Windows Ancillary Function Driver for WinSock
Windows Authentication Methods
Windows BitLocker
Windows Bluetooth Service
Windows Cloud Files Mini Filter Driver
Windows COM
Windows Connected Devices Platform Service
Windows Core Shell
Windows Cryptographic Services
Windows Device Association Broker service
Windows Digital Media
Windows DirectX
Windows DWM
Windows DWM Core Library
Windows Error Reporting
Windows ETL Channel
Windows Failover Cluster
Windows File Explorer
Windows Health and Optimized Experiences Service
Windows Hello
Windows High Availability Services
Windows Hyper-V
Windows Kernel
Windows Local Session Manager (LSM)
Windows Management Services
Windows MapUrlToZone
Windows NDIS
Windows NTFS
Windows NTLM
Windows PrintWorkflowUserSvc
Windows Push Notification Core
Windows Remote Access Connection Manager
Windows Remote Desktop
Windows Remote Desktop Protocol
Windows Remote Desktop Services
Windows Remote Procedure Call
Windows Resilient File System (ReFS)
Windows Resilient File System (ReFS) Deduplication Service
Windows Routing and Remote Access Service (RRAS)
Windows Secure Boot
Windows Server Update Service
Windows SMB Client
Windows SMB Server
Windows SSDP Service
Windows StateRepository API
Windows Storage Management Provider
Windows Taskbar Live
Windows USB Video Driver
Windows Virtualization-Based Security (VBS) Enclave
Windows WLAN Auto Config Service
Xbox
XBox Gaming Services

Remediation Steps

Test before deployment on systems using legacy modem/fax hardware; the Agere driver removal may affect functionality.
Monitor Azure environments for pending Secure Boot fixes (especially AMD ACC clusters).
Verify patch installation and audit logs to confirm remediation success.
Plan for Windows 10 end of life: Migrate to Windows 11 or subscribe to the Extended Security Updates (ESU) program.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.