As the spooky season unfolds, Microsoft’s October Patch Tuesday has brought a chilling array of security updates, addressing a staggering 175 vulnerabilities across its platforms, alongside 21 additional non-Microsoft Common Vulnerabilities and Exposures (CVEs). Among these, the gravity of the situation is underscored by three vulnerabilities currently under active attack, three more that are publicly known, and a total of 17 classified as critical security risks.
Flaws Under Attack
Let’s delve into the vulnerabilities that have already caught the attention of attackers before Microsoft could release its patches:
- CVE-2025-24990: This elevation of privilege bug, rated at 7.8, resides in the Agere Modem driver, which ships with every supported Windows version. Exploitation could allow an attacker to gain administrator privileges on any of those systems, making it a potential widespread threat. Rather than patch the driver, Microsoft has removed it in the October security update, which also means any fax modem hardware that depends on it stops working once the update is installed. Immediate installation is still advised.
- CVE-2025-59230: Another 7.8-rated elevation of privilege vulnerability exists within the Windows Remote Access Connection Manager. Successful exploitation could grant attackers SYSTEM privileges. As noted by Dustin Childs from the Zero Day Initiative, such vulnerabilities are often paired with code execution flaws, amplifying the risk of complete system takeover. Prompt patching is essential.
- CVE-2025-47827: Despite a modest 4.6 rating, this Secure Boot bypass has been exploited in the wild. It affects the Linux-based IGEL OS prior to version 11, where the igel-flash-driver module fails to properly verify a cryptographic signature, allowing an attacker to boot unverified code past Secure Boot. It appears in a Microsoft release because the affected IGEL boot component is signed under the Microsoft UEFI CA and is therefore trusted by any machine with Secure Boot enabled, not only IGEL systems. In-the-wild exploitation, not the CVSS score, makes this a high-priority fix.
Publicly Known Vulnerabilities
In addition to those under attack, three vulnerabilities are publicly known, indicating that attackers are likely scanning for susceptible systems:
- CVE-2025-0033: This critical vulnerability affects AMD EPYC processors using Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). A patch is in development for Azure Confidential Computing's AMD-based clusters but is not yet available. Exploitation requires winning a race condition during Reverse Map Table (RMP) initialization, which could let a compromised hypervisor corrupt SEV-SNP guest memory. Microsoft notes that the issue does not expose plaintext data or secrets and that an attacker needs privileged control of the hypervisor to exploit it.
- CVE-2025-24052: Another 7.8-rated elevation of privilege vulnerability in the same Agere Modem driver has been made public but is not yet known to be exploited, a status that could change rapidly. Because it lives in the driver Microsoft has now removed, the October update addresses it as well.
- CVE-2025-2884: This publicly known out-of-bounds read vulnerability in the TCG TPM2.0 reference implementation’s CryptHmacSign helper function poses a risk of secret theft.
Beyond these alarming vulnerabilities, the October Patch Tuesday also highlighted 16 additional critical-severity flaws capable of enabling elevation of privilege, spoofing, and remote code execution (RCE). Notably, one such vulnerability, CVE-2025-59287, carries a near-perfect 9.8 CVSS severity score. This flaw exists in Windows Server Update Services (WSUS) and allows unauthenticated remote attackers to trigger unsafe object deserialization, leading to RCE. Only servers with the WSUS server role enabled are affected. Childs warns that this vulnerability is likely to attract attention from malicious actors soon, stating, "This is wormable between affected WSUS servers," emphasizing the critical nature of swift updates for those relying on WSUS.
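For admins who want to know where they stand before the patch window, the following PowerShell triage script checks a Windows host for the two exposures discussed above: the wormable WSUS deserialization bug and the removed Agere modem driver. It is an added example, not code from the article or from Microsoft. It assumes WSUS listens on its default ports (8530 for HTTP, 8531 for HTTPS), that the WSUS service is named WsusService, that the driver's on-disk name is ltmdm64.sys (taken from Microsoft's advisory for CVE-2025-24990, not from this article), and that the caller supplies the KB number of the October update, since the article does not name one.

```powershell
<#
Added triage script; not part of the original article or of Microsoft tooling.
Run in an elevated PowerShell session on the host being checked.
Assumptions:
  - WSUS uses its default ports, 8530 (HTTP) and 8531 (HTTPS).
  - The WSUS Windows service is named WsusService.
  - The Agere modem driver file is ltmdm64.sys (per Microsoft's advisory
    for CVE-2025-24990; the article itself does not name the file).
  - The caller passes the KB number(s) of the October cumulative update.
#>
[CmdletBinding()]
param(
    [string[]]$PatchKBs = @()   # e.g. -PatchKBs KB<number of the October update>
)

$findings = [ordered]@{}

# --- CVE-2025-59287 (WSUS): only hosts with the WSUS server role are affected.
# Get-WindowsFeature exists only on Windows Server, so guard the call.
$role = if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    Get-WindowsFeature -Name UpdateServices
}
$findings.WsusRoleInstalled = [bool]($role -and $role.Installed)

# Is the WSUS service present and running?
$svc = Get-Service -Name WsusService -ErrorAction SilentlyContinue
$findings.WsusServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'not present' }

# A listener on the default WSUS ports is reachable by unauthenticated clients,
# which is the precondition for the deserialization bug.
$wsusPorts = 8530, 8531
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $wsusPorts } |
    Select-Object -ExpandProperty LocalPort -Unique
$findings.WsusPortsListening = if ($listening) { $listening -join ',' } else { 'none' }

# --- CVE-2025-24990 / CVE-2025-24052 (Agere modem driver): Microsoft removed the
# driver instead of patching it, so the file still being on disk means the
# October update has not been applied (or the driver was restored afterwards).
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'
$findings.AgereDriverPresent = Test-Path $driverPath

# --- Is the October update installed? Only checked when a KB was supplied.
if ($PatchKBs.Count -gt 0) {
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -in $PatchKBs }
    $findings.OctoberUpdateInstalled = [bool]$installed
}

# Verdict: exposed to the wormable WSUS bug if the role is installed, the
# service is running, and the patch is missing or its status is unknown.
$patched = $findings.Contains('OctoberUpdateInstalled') -and $findings.OctoberUpdateInstalled
$findings.WsusExposed = $findings.WsusRoleInstalled -and
                        ($findings.WsusServiceStatus -eq 'Running') -and
                        -not $patched

[PSCustomObject]$findings | Format-List
```

Run it as `.\Check-OctoberExposure.ps1 -PatchKBs KB<number>` on each WSUS host; a result of `WsusExposed : True` with ports 8530 or 8531 listening is the case Childs is warning about, and `AgereDriverPresent : True` on any host means the driver removal has not landed there yet.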
Patch Updates from Adobe, SAP, and Ivanti
In conjunction with Microsoft’s updates, Adobe has released 12 updates addressing 36 vulnerabilities across its products, none of which are currently listed as exploited or publicly known. The updates for Adobe’s Substance 3D Stager include five critical CVEs that allow arbitrary code execution, while the Dimension patch rectifies four critical code execution vulnerabilities. Additionally, critical bugs in Illustrator and FrameMaker also present risks of code execution.
SAP has contributed to the patch landscape with 13 new security notes and four updates to previously released notes, four of which are rated critical. These include a fix for a maximum-severity OS command execution flaw in NetWeaver and an update to a previously reported perfect-10-severity OS command execution bug.
Lastly, Ivanti has joined the patching efforts with advisories for Endpoint Manager Mobile (four CVEs) and Neurons for MDM (three CVEs). None of these is known to be exploited yet, which makes now the time to apply the updates, before that changes.