Every second Tuesday of the month, Microsoft releases security patches for its products. This cycle, known as Patch Tuesday, is key to keeping systems protected against new threats, and the October 2025 bulletin was no exception: Microsoft released fixes for 172 vulnerabilities, including six zero-days, three of which are already being actively exploited in real-world attacks.
This volume of patches reflects the constant growth of the threat landscape, with critical flaws affecting everything from Office applications to the core of the Windows operating system. Among the most severe issues are remote code execution (RCE) vulnerabilities and privilege escalation bugs — both highly sought after by cybercriminals to compromise systems.
In addition, these updates arrive at an important time: many organizations are in the midst of the Windows 10 end-of-support transition, making timely patching more critical than ever to prevent breaches — especially amid increasingly sophisticated threats from ransomware groups and state-sponsored attackers.
Overall, the fixes cover a wide range of Microsoft products, including Windows, Microsoft Office, Azure, Exchange Server, and more.
At TecnetOne, we want you to stay informed about these updates and best cybersecurity practices. That’s why we recommend regularly reviewing the security bulletins on our TecnetBlog, applying patches as soon as possible, and maintaining a proactive protection strategy. Prevention remains the best defense.
What types of vulnerabilities were fixed this month?
As usual, the patched vulnerabilities are grouped by the type of impact they have. In the October 2025 bulletin, privilege escalation once again tops the list. Here is the full breakdown:

- 80 privilege escalation vulnerabilities – allow an attacker who already has a foothold to gain higher privileges than intended, potentially leading to full system compromise if left unpatched.
- 11 security feature bypass vulnerabilities – allow attackers to disable or evade built-in system protections.
- 31 remote code execution (RCE) vulnerabilities – the most dangerous class, as they let attackers run code on the target without local access.
- 28 information disclosure vulnerabilities – could expose sensitive data to unauthorized parties.
- 11 denial-of-service (DoS) vulnerabilities – can be used to disrupt or slow down key services, affecting system availability.
- 10 spoofing vulnerabilities – allow attackers to impersonate legitimate users or services to deceive systems or people.
This breakdown gives us a clear view of where the greatest risks lie this month — and why it’s crucial to apply patches promptly.
Six Zero-Day Vulnerabilities Take the Spotlight in Microsoft’s October 2025 Patch Tuesday
As a reminder, a zero-day vulnerability is a flaw that has been publicly disclosed or actively exploited before an official patch is available. In this cycle, the six zero-days affect Windows itself, AMD EPYC processors, the TPM 2.0 reference implementation, and even a third-party operating system, IGEL OS.
1. CVE-2025-24990 – Privilege Escalation via Agere Modem Driver
One of the most notable actively exploited vulnerabilities, CVE-2025-24990, impacts the Agere modem driver that ships natively with all supported versions of Windows.
Microsoft confirmed that attackers were abusing this driver to gain administrative privileges, and rather than fixing it, the company removed it entirely as part of this update. The affected file, ltmdm64.sys, will no longer be present after the October patch is installed.
Microsoft warns, however, that fax modems that depend on this driver will stop working as a result.
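As an added example (not from Microsoft or the original post), the following PowerShell, run in an elevated session on a Windows host, reports whether ltmdm64.sys is still present, whether any kernel driver entry still references it, and which POTS (analog/fax) modems Windows has enumerated, so that fax-modem dependencies can be inventoried before the update removes the driver. The function name Test-AgereModemDriver is chosen for this example; Win32_SystemDriver and Win32_POTSModem are standard CIM classes.

```powershell
# Added example: audit the Agere modem driver (ltmdm64.sys) that the
# October 2025 update removes for CVE-2025-24990 / CVE-2025-24052.
# Run in an elevated PowerShell session. Test-AgereModemDriver is a name
# chosen for this example, not a Microsoft cmdlet.
function Test-AgereModemDriver {
    [CmdletBinding()]
    param()

    $driverPath  = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'
    $filePresent = Test-Path -LiteralPath $driverPath

    # Kernel driver entries whose image path still points at the file.
    # The service name is not assumed; matching on the path is more robust.
    $driverEntries = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*ltmdm64.sys*' } |
        Select-Object Name, State, StartMode, PathName

    # POTS (analog/fax) modems enumerated by Windows: these are the devices
    # that stop working once the driver is gone.
    $modems = Get-CimInstance -ClassName Win32_POTSModem -ErrorAction SilentlyContinue |
        Select-Object Name, DeviceID, Status

    $fileVersion = $null
    if ($filePresent) {
        $fileVersion = (Get-Item -LiteralPath $driverPath).VersionInfo.FileVersion
    }

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        DriverFilePresent = $filePresent
        DriverFileVersion = $fileVersion
        DriverEntries     = $driverEntries
        ModemCount        = @($modems).Count
        Modems            = $modems
        # The host is only remediated once both the file and any driver
        # entries referencing it are gone (a present file means the update
        # has not been applied, or the driver was reinstalled afterwards).
        Remediated        = (-not $filePresent) -and (@($driverEntries).Count -eq 0)
    }
}

$result = Test-AgereModemDriver
$result | Format-List

if (-not $result.Remediated) {
    Write-Warning "ltmdm64.sys still present on $($result.ComputerName): October 2025 update not applied or driver reinstalled."
}
if ($result.ModemCount -gt 0) {
    Write-Warning "$($result.ModemCount) POTS modem(s) found on $($result.ComputerName): fax functionality will be lost after the update."
}
```

Run it through your fleet management tooling before deployment to find the hosts with real fax dependencies, and again afterwards to confirm the driver file is gone everywhere.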
2. CVE-2025-59230 – Privilege Escalation in Windows Remote Access Connection Manager
Another actively exploited zero-day is CVE-2025-59230, a flaw in the Windows Remote Access Connection Manager that allows a local attacker to escalate privileges to SYSTEM, the highest level in Windows.
Microsoft attributes the flaw to improper access control. Exploitation requires local access and significant technical preparation by the attacker, but it has already been used in real-world attacks, so it should be treated as urgent.
3. CVE-2025-47827 – Secure Boot Bypass in IGEL OS < v11
Although not a Microsoft product, the company included a fix for IGEL OS, a system used in corporate environments and thin clients.
CVE-2025-47827 allows attackers to bypass Secure Boot because the igel-flash-driver module does not correctly verify cryptographic signatures. This lets an attacker mount a root file system from a malicious, unsigned image, paving the way for persistent malware that survives reboots.
Publicly Disclosed (but Not Necessarily Exploited) Zero-Days
Microsoft also addressed three further zero-days that had been publicly disclosed before the patch but were not known to be actively exploited at the time of release.
4. CVE-2025-0033 – Vulnerability in AMD EPYC Processors (SEV-SNP)
This issue, attributed to AMD, affects servers using SEV-SNP (Secure Encrypted Virtualization – Secure Nested Paging). The flaw lies in the initialization of the Reverse Map Table (RMP) and could allow a malicious hypervisor to tamper with a virtual machine’s protected memory.
While the risk of plaintext data exposure is low, it poses a significant threat to memory integrity in virtualized environments. Microsoft is still developing patches for Azure Confidential Computing clusters based on AMD processors and will notify affected customers through Azure Service Health once available.
5. CVE-2025-24052 – Second Flaw in the Agere Modem Driver
Closely related to CVE-2025-24990, CVE-2025-24052 also affects the Agere modem driver and was publicly disclosed.
Microsoft highlights that this flaw can be exploited even if the modem is inactive or unused, extending the risk to virtually all supported versions of Windows.
6. CVE-2025-2884 – Out-of-Bounds Read in TCG TPM 2.0
Lastly, a vulnerability was fixed in the reference implementation of Trusted Platform Module (TPM) 2.0, widely used in modern systems to protect boot integrity and system trust.
CVE-2025-2884 resides in the CryptHmacSign function and stems from incomplete validation of the signature scheme. It can cause an out-of-bounds read, resulting in information disclosure or potentially a denial of service in the TPM.
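Because the bug is in the TCG reference implementation, whether a given machine is affected depends on the TPM vendor's firmware, not on the Windows update alone. As an added example (not from the original post or from Microsoft), the following PowerShell inventories the TPM on a Windows host so firmware versions can be matched against vendor advisories. The function name Get-TpmInventory is chosen for this example; Win32_Tpm in the root\cimv2\Security\MicrosoftTpm namespace is the standard class and requires an elevated session.

```powershell
# Added example: inventory the TPM so its vendor and firmware version can be
# checked against vendor advisories for CVE-2025-2884 (TCG reference
# implementation, CryptHmacSign). Get-TpmInventory is a name chosen for this
# example, not a Windows cmdlet. Run elevated.
function Get-TpmInventory {
    [CmdletBinding()]
    param()

    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [PSCustomObject]@{ ComputerName = $env:COMPUTERNAME; TpmPresent = $false }
    }

    # SpecVersion is a comma-separated string such as "2.0, 0, 1.59";
    # the first field is the TPM family (1.2 or 2.0).
    $family = ($tpm.SpecVersion -split ',')[0].Trim()

    # ManufacturerId is the TCG vendor code packed as four ASCII bytes,
    # e.g. 0x53544D20 = "STM ". Reverse the little-endian bytes to read it.
    $vendorBytes = [BitConverter]::GetBytes([uint32]$tpm.ManufacturerId)
    [Array]::Reverse($vendorBytes)
    $vendor = ([System.Text.Encoding]::ASCII.GetString($vendorBytes)).Trim()

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        TpmPresent          = $true
        SpecFamily          = $family
        Vendor              = $vendor
        FirmwareVersion     = $tpm.ManufacturerVersion
        FirmwareVersionInfo = $tpm.ManufacturerVersionInfo
        Enabled             = $tpm.IsEnabled_InitialValue
        Activated           = $tpm.IsActivated_InitialValue
        # Only TPM 2.0 parts are in scope for the reference-implementation
        # bug; whether a specific firmware is affected is the vendor's call.
        InScopeForReview    = ($family -eq '2.0')
    }
}

Get-TpmInventory | Format-List
```

Collect the Vendor and FirmwareVersion fields across the fleet and group by them; that gives the short list of firmware images to look up against vendor advisories rather than checking machines one at a time.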
October 2025 Patch Tuesday Security Updates
Below is a summary by category, highlighting the most affected products and the most critical types of vulnerabilities.
Product / Component | CVE / Vulnerability | Type | Severity | Key Notes |
---|---|---|---|---|
Windows (general) | Multiple (80+) | Privilege Escalation | Important → Critical | Affects Kernel, Bluetooth, NTFS, Speech, SSDP, and more |
Windows | CVE-2025-59230 | Privilege Escalation | Important | Zero-day exploited – Remote Access Connection Manager |
IGEL OS (third-party) | CVE-2025-47827 | Secure Boot Bypass | Important | Zero-day exploited – IGEL OS < v11 – unsigned root file system images |
Windows | CVE-2025-59287 | Remote Code Execution (RCE) | Critical | Windows Server Update Services (WSUS) – No authentication required |
Windows – NTLM | CVE-2025-59185, CVE-2025-59244 | Spoofing | Important | NTLM hash disclosure |
Microsoft Office / Excel | CVE-2025-59234, CVE-2025-59236, others | RCE via malicious files | Critical | Not among the six zero-days – crafted documents are a common phishing vector |
Microsoft Exchange Server | CVE-2025-59248, CVE-2025-59249 | Privilege Escalation, Spoofing | Important | Enterprise environment fixes |
Azure Entra ID | CVE-2025-59218, CVE-2025-59246 | Privilege Escalation | Critical | High impact on cloud authentication |
Azure (general) | CVE-2025-59291, CVE-2025-59292 | Privilege Escalation | Critical | Impacts Compute Gallery / Container Instances |
Azure Monitor / Connected Agent | CVE-2025-59285, CVE-2025-59494 | Privilege Escalation | Important | Affects cloud workload monitoring |
TPM 2.0 (Trusted Platform Module) | CVE-2025-2884 | Out-of-bounds Read / Info Leak | Important | Publicly disclosed zero-day – TCG reference implementation (CryptHmacSign) |
AMD SEV-SNP (EPYC Processors) | CVE-2025-0033 | RMP initialization flaw / memory integrity | Critical | Integrity risk for confidential VMs – Azure patch pending |
Agere Modem Driver (Windows) | CVE-2025-24990, CVE-2025-24052 | Privilege Escalation | Important | Zero-day exploited – Microsoft removed driver |
.NET / Visual Studio | CVE-2025-55247, CVE-2025-55248 | Privilege Escalation, Info Leak | Important | Impacts development and deployment environments |
Microsoft Edge (Chromium) | Multiple (CVE-2025-112xx, etc.) | RCE, Info Leak | Unknown | Based on Chromium project vulnerabilities |
Microsoft Copilot / M365 | CVE-2025-59272, CVE-2025-59252, CVE-2025-59286 | Spoofing | Critical | AI-integrated platforms at risk |
Windows COM Services | CVE-2025-58732 to CVE-2025-58738 | Remote Code Execution (RCE) | Important | Affects multiple Windows COM components |
Microsoft Defender for Linux | CVE-2025-59497 | Denial of Service (DoS) | Important | Relevant for hybrid security environments |
Microsoft PowerShell | CVE-2025-25004 | Privilege Escalation | Important | May allow privileged command execution |
BitLocker (Windows) | CVE-2025-55332, CVE-2025-55338, others | Security Feature Bypass | Important | Potential encryption deactivation risk |
Note: This table only summarizes the most notable vulnerabilities. The full bulletin covers 172 CVEs across Windows, Office, Azure, Edge, Visual Studio, and third-party hardware and firmware. For complete technical details, consult Microsoft's official Security Update Guide.
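Of the entries above, the WSUS flaw (CVE-2025-59287) deserves a specific check, since only servers with the WSUS role installed are exposed and it needs no authentication. As an added example (not from the original post or from Microsoft), the following PowerShell, run elevated on a Windows Server, reports whether the role is installed, whether the service is running, which sockets are listening on the WSUS ports, and which enabled inbound firewall rules allow those ports. The function name Test-WsusExposure is chosen for this example; 8530/8531 are the documented WSUS defaults and can be overridden for customised sites.

```powershell
# Added example: is this server exposed to the WSUS RCE (CVE-2025-59287)?
# Test-WsusExposure is a name chosen for this example, not a Windows cmdlet.
# Run elevated on Windows Server.
function Test-WsusExposure {
    [CmdletBinding()]
    param(
        # Default WSUS HTTP / HTTPS ports; pass others if the site was customised.
        [int[]]$Ports = @(8530, 8531)
    )

    # Get-WindowsFeature only exists on Windows Server (ServerManager module).
    $roleInstalled = $false
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
        $roleInstalled = [bool]($feature -and $feature.Installed)
    }

    $svc = Get-Service -Name WsusService -ErrorAction SilentlyContinue
    $serviceStatus = 'NotInstalled'
    if ($svc) { $serviceStatus = $svc.Status.ToString() }

    # Listening sockets on the WSUS ports, whichever process owns them.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        Select-Object LocalAddress, LocalPort, OwningProcess

    # Enabled inbound allow rules whose port filter names one of the WSUS ports.
    # Port filters are strings (possibly arrays); ranges such as "8530-8531"
    # are not expanded here and would need a manual look.
    $portStrings = $Ports | ForEach-Object { "$_" }
    $allowRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter -ErrorAction SilentlyContinue
            $filter -and $filter.Protocol -eq 'TCP' -and
            (@($filter.LocalPort) | Where-Object { $portStrings -contains $_ })
        } |
        Select-Object DisplayName, Profile

    [PSCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        WsusRole      = $roleInstalled
        ServiceStatus = $serviceStatus
        Listening     = $listeners
        InboundAllow  = $allowRules
        # Exposed = the role is present and something is actually listening.
        Exposed       = $roleInstalled -and (@($listeners).Count -gt 0)
    }
}

$report = Test-WsusExposure
$report | Format-List
if ($report.Exposed) {
    Write-Warning "WSUS is reachable on $($report.ComputerName); patch immediately or block inbound TCP 8530/8531 until the update is applied."
}
```

A server where WsusRole is false is out of scope for this CVE; one where it is true but nothing listens is still in scope and should be patched, since the role can be re-enabled at any time.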
Why Does This Matter?
The presence of six zero-day vulnerabilities in a single bulletin highlights how urgent it is to apply these updates immediately. Some of these flaws are already being actively exploited, while others—though not yet observed in attacks—are publicly disclosed and could soon become the focus of new threat campaigns.
Moreover, these vulnerabilities span multiple environments: on-premises infrastructure (Windows and Exchange Server), cloud and virtualized systems (Azure, including confidential VMs on AMD SEV-SNP), endpoint and thin-client devices (IGEL OS), and platform firmware (TPM 2.0). This means organizations of every type—traditional, hybrid, or fully cloud-based—are potentially at risk.
From local privilege escalations and Secure Boot bypasses to memory-protection failures, the profile of these vulnerabilities reflects the increasing sophistication and diversity of today’s threat landscape.
TecnetOne's Recommendation: Applying security patches as soon as possible remains one of the most effective ways to defend systems against targeted attacks, malware, ransomware, and data breaches.
Neglecting updates leaves the door open to threats that are already scanning for exploitable weaknesses.
Keeping your systems fully updated is not just routine maintenance—it’s a foundational practice for any robust cybersecurity strategy.