October is shaping up to be a particularly demanding month for system administrators, as Microsoft has rolled out security updates addressing a staggering 172 vulnerabilities, including six classified as zero-days. Among these, three vulnerabilities are currently being actively exploited, raising the stakes for organizations reliant on Microsoft products.
The first of these zero-days, CVE-2025-59230, is a local elevation of privilege (EoP) vulnerability found in the Windows Remote Access Connection Manager. Rapid7’s lead software engineer, Adam Barnett, cautioned that this flaw requires no user interaction, making it a prime candidate for inclusion in an attacker’s toolkit. “There’s very little information in the advisory itself, but someone out there knows exactly how to exploit this vulnerability,” he remarked, highlighting the urgency for administrators to act swiftly.
Another notable vulnerability, CVE-2025-24990, also presents an EoP risk, this time linked to the Agere Modem driver (ltmdm64.sys) that comes bundled with Windows. In a surprising move, Microsoft has opted to remove this driver altogether rather than patch the flaw. Ben McCarthy, lead cybersecurity engineer at Immersive, emphasized the implications of this decision, stating, “This driver, which supports hardware from the late 1990s and early 2000s, predates current secure development practices and has remained largely unchanged for years.” He further explained that kernel-mode drivers operate with the highest system privileges, making them attractive targets for attackers aiming to escalate their access. “Microsoft’s decision to remove the driver entirely is a direct response to the risks associated with modifying unsupported, third-party legacy code,” he added.
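Because Microsoft's fix here is removal rather than a patch, the practical check for an administrator is whether ltmdm64.sys is still on disk or still registered as a kernel driver service after the update. The following PowerShell is an added example, not code from the article, Rapid7, Immersive or Microsoft; it assumes the standard inbox driver location under System32\drivers and matches the driver by binary name rather than guessing a service name:

```powershell
# Added example: report whether the Agere Modem driver (ltmdm64.sys) is still
# present and registered on this host. Run from an elevated PowerShell session.
# The driver path is the standard inbox location (an assumption); the service
# lookup matches on the binary name so no service name has to be assumed.

function Test-AgereModemDriver {
    [CmdletBinding()]
    param(
        [string] $DriverFile = 'ltmdm64.sys'
    )

    $driverPath = Join-Path $env:SystemRoot "System32\drivers\$DriverFile"

    # 1. Is the driver binary still on disk?
    $filePresent = Test-Path -LiteralPath $driverPath

    # 2. Is a kernel driver service registered for that binary, and is it loaded?
    $svc = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -like "*\$DriverFile" }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DriverPath        = $driverPath
        FilePresent       = $filePresent
        ServiceRegistered = [bool]$svc
        ServiceName       = if ($svc) { $svc.Name } else { $null }
        Running           = if ($svc) { $svc.State -eq 'Running' } else { $false }
    }
}

$result = Test-AgereModemDriver
$result | Format-List

if ($result.FilePresent -or $result.ServiceRegistered) {
    Write-Warning "ltmdm64.sys is still present on $($result.ComputerName); confirm the October update has been installed."
} else {
    Write-Host "ltmdm64.sys not found on $($result.ComputerName); the driver has been removed."
}
```

The function returns an object rather than just printing, so the same check can be fanned out across a fleet with Invoke-Command and the results filtered on FilePresent or ServiceRegistered to list hosts where the legacy driver is still reachable.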
The third zero-day, CVE-2025-47827, is a secure boot bypass vulnerability affecting IGEL OS, a third-party operating system designed for virtual desktop infrastructure. Kev Breen, senior director of threat research at Immersive, noted that a proof of concept for this vulnerability has been available since May, making exploitation relatively straightforward. “The impacts of a secure boot bypass can be significant, as threat actors can deploy a kernel-level rootkit, gaining access to the IGEL OS itself and, by extension, tamper with the virtual desktops, including capturing credentials,” he explained. Breen also pointed out that this is not a remote attack: physical access is typically required, which makes it particularly concerning for employees who travel frequently.
Three Publicly Disclosed Zero-Days
In addition to the actively exploited vulnerabilities, three more zero-days have been publicly disclosed but remain unexploited:
- CVE-2025-0033: a critical vulnerability in AMD EPYC processors utilizing Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP), for which a patch has yet to be released.
- CVE-2025-24052: an EoP vulnerability in the Agere Modem driver, similar to CVE-2025-24990.
- CVE-2025-2884: an out-of-bounds read vulnerability in TCG TPM2.0 that could lead to information disclosure or denial of service.
This month marks the final Patch Tuesday during which Windows 10 users will receive free updates. To continue receiving patches, both consumers and business customers will need to enroll in Microsoft’s Extended Security Updates (ESU) scheme, underscoring the evolving landscape of cybersecurity and the importance of proactive measures in safeguarding systems.