Patch Now: Microsoft Fixes 170+ Flaws, Including Four Actively Exploited Zero-Days

Microsoft's October 2025 Patch Tuesday Addresses Over 170 Vulnerabilities, Including Four Zero-Days Under Active Exploitation

CRITICAL
October 16, 2025
October 25, 2025
5m read
Patch ManagementVulnerability

Related Entities(initial)

Organizations

Microsoft CISA QualysLansweeper

Products & Tech

Microsoft Windows Microsoft OfficeMicrosoft ExcelWindows Server Update Service (WSUS)IGEL OS

CVE Identifiers

CVE-2025-24990
HIGH
CVSS:7.8
CVEDetails.com CVE.org
CVE-2025-59230
HIGH
CVSS:7.8
CVEDetails.com CVE.org
CVE-2025-47827
MEDIUM
CVSS:4.6
CVEDetails.com CVE.org
CVE-2025-59287
CRITICAL
CVSS:9.8
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1068Privilege Escalation

Exploitation for Privilege Escalation

T1548.002Privilege Escalation

Bypass User Account Control

T1547.001Persistence

Registry Run Keys / Startup Folder

T1218.011Defense Evasion

Rundll32

T1574.002Persistence

DLL Side-Loading

Full Report(when first published)

Executive Summary

Microsoft's October 2025 Patch Tuesday is one of the largest in recent memory, addressing over 170 vulnerabilities, including nine rated as critical. The urgency of this update is underscored by the inclusion of patches for four zero-day vulnerabilities confirmed to be under active exploitation. The most severe of these are two privilege escalation flaws: CVE-2025-24990 (CVSS 7.8) in a legacy Windows modem driver and CVE-2025-59230 (CVSS 7.8) in the Windows Remote Access Connection Manager (RasMan). Both can be used by an attacker with local access to gain elevated system privileges. A third exploited flaw, CVE-2025-47827, is a Secure Boot bypass related to a vulnerable IGEL OS component. CISA has added these three to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by November 4, 2025. All organizations are strongly advised to prioritize the deployment of these critical updates to prevent exploitation.

Vulnerabilities Addressed

This month's release is extensive, but the primary focus is on the actively exploited zero-days. Attackers are leveraging these flaws in attack chains to take full control of compromised systems.

Actively Exploited Zero-Day Vulnerabilities:

  • CVE-2025-24990 - Windows Agere Modem Driver Elevation of Privilege (CVSS 7.8): A flaw in the legacy ltmdm64.sys driver, which is shipped with all versions of Windows. A local attacker can exploit this to gain administrator privileges. Microsoft's fix involves removing this outdated driver.
  • CVE-2025-59230 - Windows RasMan Elevation of Privilege (CVSS 7.8): A vulnerability in the Remote Access Connection Manager that allows a local attacker to escalate to SYSTEM-level rights. This is the first time a RasMan flaw has been seen exploited as a zero-day.
  • CVE-2025-47827 - IGEL OS Secure Boot Bypass (CVSS 4.6): A flaw in IGEL OS that was trusted by Microsoft's Secure Boot. The update revokes the trust for the vulnerable component, preventing a bypass of the Secure Boot security feature.
  • A fourth, undisclosed zero-day was also patched.

Other Critical Vulnerabilities:

  • CVE-2025-59287 - Windows Server Update Service (WSUS) RCE (CVSS 9.8): A critical remote code execution vulnerability in WSUS that could be leveraged for devastating supply-chain attacks, allowing an attacker to push malicious updates to clients.
  • CVE-2025-59234 & CVE-2025-59236 - Microsoft Office/Excel RCE: Remote code execution flaws that can be triggered by opening a malicious document.
  • CVE-2025-49708 - Microsoft Graphics Component EoP: A critical elevation of privilege flaw that can be exploited over the network.

Affected Products

The vulnerabilities impact a wide range of Microsoft products, including but not limited to:

  • All supported versions of Microsoft Windows and Windows Server
  • Microsoft Office and Excel
  • Windows Server Update Service (WSUS)
  • Azure Container Instances and Azure Compute Gallery
  • Microsoft Graphics Component
  • Windows Remote Access Connection Manager (RasMan)

Impact Assessment

The active exploitation of four zero-days makes this a high-risk patch cycle. The privilege escalation vulnerabilities (CVE-2025-24990 and CVE-2025-59230) are particularly dangerous. Threat actors, including ransomware groups, often use such flaws after gaining an initial foothold (e.g., via phishing) to escalate their privileges and take full control of a device and the network. The Secure Boot bypass (CVE-2025-47827) undermines a fundamental platform security feature, allowing attackers to load unsigned, malicious code during the boot process. The critical WSUS vulnerability (CVE-2025-59287) poses a systemic risk, as a compromise could lead to a widespread supply chain attack within an organization.

Cyber Observables for Detection

To hunt for exploitation of these vulnerabilities pre-patch, security teams can look for the following:

Type Value Description
file_name ltmdm64.sys The vulnerable Agere modem driver. Monitor for any processes accessing or loading this driver, as it is legacy hardware. The patch removes it.
process_name svchost.exe -k netsvcs -p The process hosting the RasMan service. Monitor for anomalous child processes or network connections originating from it.
event_id 4688 Windows Security Event ID for Process Creation. Monitor for suspicious command lines or processes being spawned by unusual parent processes.
log_source Microsoft-Windows-CodeIntegrity/Operational Windows Event Log for Code Integrity. Look for events related to Secure Boot policy or boot failures which might indicate bypass attempts.
registry_key HKLM\SYSTEM\CurrentControlSet\Services\RasMan Monitor for unauthorized modifications to the RasMan service configuration.

Deployment Priority

Given the active exploitation, a risk-based patching priority is essential.

  1. Critical Priority (Patch within 72 hours): All workstations and servers. The privilege escalation flaws affect nearly all Windows systems and are being used now. Internet-facing servers are also at high risk.
  2. High Priority (Patch within 1 week): WSUS servers. The CVE-2025-59287 flaw is critical and a compromise would be catastrophic.
  3. Medium Priority (Patch within standard cycle): Internal servers and other less-critical systems.

Federal agencies must adhere to the November 4, 2025, deadline set by CISA for the KEV-listed vulnerabilities.

Installation Instructions

Deploy the October 2025 security updates via standard channels:

  • Windows Update: For individual users and small businesses.
  • Windows Server Update Services (WSUS): For managed enterprise environments.
  • Microsoft Update Catalog: For manual download and deployment.

It is recommended to test the updates in a pilot group before broad deployment to identify any potential operational issues. After deployment, use vulnerability management tools to verify that the patches have been successfully applied and the vulnerabilities are remediated.

Timeline of Events

1
October 15, 2025
Microsoft releases its October 2025 Patch Tuesday updates.
2
October 16, 2025
This article was published
3
November 4, 2025
CISA's deadline for federal agencies to patch the exploited zero-days added to the KEV catalog.

Article Updates

October 25, 2025

Microsoft's October Patch Tuesday now addresses 193 flaws, including 6 zero-days, and marks the end of Windows 10 support. WSUS RCE received an out-of-band fix.

Update Sources:
blog.qualys.comMicrosoft and Adobe Patch Tuesday, October 2025 Security Update Review
helpnetsecurity.comMicrosoft releases urgent fix for actively exploited WSUS vulnerability (CVE-2025-59287)

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

The primary mitigation is to apply the security updates provided by Microsoft to fix the underlying vulnerabilities.

Mapped D3FEND Techniques:

D3-SU

Antivirus/Antimalware

M1049enterprise

Modern EDR and antivirus solutions can detect and block exploit attempts through behavioral analysis, even before specific signatures are available.

Mapped D3FEND Techniques:

D3-FCRD3-FHD3-PA

Privileged Account Management

M1026enterprise

Implementing least privilege by ensuring users do not have administrative rights on their workstations can limit the impact of a successful privilege escalation exploit.

Mapped D3FEND Techniques:

D3-DAMD3-LAMD3-SPP

Execution Prevention

M1038enterprise

Application control policies can prevent unauthorized executables from running, which could block the initial payload that an attacker uses before attempting to escalate privileges.

Mapped D3FEND Techniques:

D3-EALD3-EDL

D3FEND Defensive Countermeasures

Software Update

D3-SUMaps to MITREM1051
D3FEND

The most critical and effective countermeasure is to immediately deploy the October 2025 security updates from Microsoft. Prioritize patching based on risk: first, all Windows workstations and internet-facing servers to address the actively exploited privilege escalation and Secure Boot bypass flaws (CVE-2025-24990, CVE-2025-59230, CVE-2025-47827). Second, patch all WSUS servers to mitigate the critical RCE (CVE-2025-59287). Utilize automated patch management systems like WSUS or Microsoft Intune to ensure rapid and comprehensive deployment. For the legacy driver flaw (CVE-2025-24990), the update action is to remove the vulnerable ltmdm64.sys driver, effectively eliminating the attack surface. Post-deployment, run authenticated vulnerability scans to verify that the patches have been applied correctly and the CVEs are no longer detected in your environment.

Process Analysis

D3-PAMaps to MITREM1049
D3FEND

To detect potential exploitation of the privilege escalation flaws, particularly CVE-2025-59230 in RasMan, implement enhanced process monitoring on endpoints. Use an EDR solution or enable Windows command-line logging (Event ID 4688) and Sysmon. Create detection rules that alert on anomalous child processes spawned by svchost.exe instances that are hosting the RasMan service (-k netsvcs). An attacker exploiting this vulnerability would likely cause the RasMan service to spawn a shell (e.g., cmd.exe, powershell.exe) with SYSTEM privileges. Baselining normal behavior for this service is key. Any deviation, such as unexpected process creation or network connections, should be treated as a high-priority alert for immediate investigation.

User Account Permissions

D3-UAPMaps to MITREM1015
D3FEND

Enforce the principle of least privilege across all workstations as a compensating control. Since CVE-2025-24990 and CVE-2025-59230 are privilege escalation flaws, their impact is significantly reduced if the initial compromise occurs under a standard, non-administrative user account. Ensure that day-to-day user accounts do not have local administrator rights. Use solutions like Local Administrator Password Solution (LAPS) to randomize local admin passwords on domain-joined computers. This strategy forces an attacker to use an exploit to gain administrative rights, which is a noisy activity that is more likely to be detected by EDR and SIEM solutions. While not a replacement for patching, it contains the blast radius of an initial compromise and makes the attacker's job harder.

Sources & References(when first published)

Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped
The Hacker News (thehackernews.com) October 15, 2025
Microsoft and Adobe Patch Tuesday, October 2025 Security Update Review
Qualys (qualys.com) October 16, 2025
Microsoft Patch Tuesday – October 2025
Lansweeper (lansweeper.com) October 14, 2025
Microsoft Patch Tuesday October 2025: 4 Zero-Days and 172 Vulnerabilities Fixed
BleepingComputer (bleepingcomputer.com) October 15, 2025

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

Patch TuesdayMicrosoftZero-DayVulnerabilityCVE-2025-24990CVE-2025-59230CVE-2025-47827Privilege EscalationKEVCISA

📢 Share This Article

Help others stay informed about cybersecurity threats

Continue Reading

Previous All Next