Microsoft Patch Tuesday, October 2025 Security Update Review

Diksha Ojha

As cybersecurity threats evolve, Microsoft’s October 2025 Patch Tuesday delivers one of the most comprehensive security updates of the year. Here’s a quick breakdown of what you need to know.

Microsoft Patch Tuesday for October 2025

This month’s release addresses a staggering 193 vulnerabilities, including nine critical and 123 important-severity vulnerabilities.

In this month’s updates, Microsoft has addressed six zero-day vulnerabilities. Four of them are being actively exploited, and two are publicly disclosed.

Microsoft has addressed 14 vulnerabilities in Microsoft Edge (Chromium-based) in this month’s updates.

This Patch Tuesday edition marks the end of an era, with Windows 10 reaching the end of its support lifecycle. Microsoft has released the Windows 10 KB5066791 cumulative update, the final cumulative update for the operating system.

Microsoft Patch Tuesday, October edition, includes updates for vulnerabilities in Windows NTFS, Windows Cloud Files Mini Filter Driver, Windows NTLM, Windows Remote Desktop Protocol, Windows Remote Desktop Services, Windows Local Session Manager (LSM), and more.

From elevation of privilege flaws to remote code execution risks, this month’s patches are essential for organizations aiming to maintain a robust security posture.

The October 2025 Microsoft vulnerabilities are classified as follows:

| Vulnerability Category                 | Quantity | Severities                |
|----------------------------------------|----------|---------------------------|
| Spoofing Vulnerability                 | 10       | Important: 10             |
| Security Feature Bypass                | 11       | Important: 11             |
| Denial of Service Vulnerability        | 11       | Important: 11             |
| Elevation of Privilege Vulnerability   | 81       | Critical: 3, Important: 78 |
| Information Disclosure Vulnerability   | 28       | Important: 28             |
| Remote Code Execution Vulnerability    | 31       | Critical: 5, Important: 26 |

Zero-day Vulnerabilities Patched in October Patch Tuesday Edition

CVE-2025-24990: Windows Agere Modem Driver Elevation of Privilege Vulnerability 

The Windows Agere Modem Driver is a software component that allows a computer to communicate with an Agere (or LSI) modem, often a dial-up or fax modem integrated into older computers. 

The vulnerability exists in the third-party Agere Modem driver that ships natively with supported Windows operating systems. The driver has been removed in the October cumulative update. Successful exploitation of the vulnerability may allow an attacker to gain administrator privileges. 

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog, urging users to patch it before November 4, 2025. 

CVE-2025-59230: Windows Remote Access Connection Manager Elevation of Privilege Vulnerability

Windows Remote Access Connection Manager (RASMan) is a core Windows service that manages dial-up and Virtual Private Network (VPN) connections, allowing your computer to connect to remote networks securely.

An improper access control flaw in Windows Remote Access Connection Manager may allow an authenticated attacker to elevate privileges locally. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges.

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog, urging users to patch it before November 4, 2025.

CVE-2025-24052: Windows Agere Modem Driver Elevation of Privilege Vulnerability

The vulnerability exists in the third-party Agere Modem driver that ships natively with supported Windows operating systems. The driver has been removed in the October cumulative update. Successful exploitation of the vulnerability may allow an attacker to gain administrator privileges.

CVE-2025-2884: Cert CC: CVE-2025-2884 Out-of-Bounds read vulnerability in TCG TPM2.0 reference implementation

Microsoft mentioned in the advisory that “CVE-2025-2884 is regarding a vulnerability in the TCG TPM2.0 Reference implementation’s CryptHmacSign helper function that is vulnerable to Out-of-Bounds read due to the lack of validation of the signature scheme with the signature key’s algorithm.

CERT/CC created this CVE on their behalf. The documented Windows updates incorporate TCG TPM2.0 Reference implementation updates, which address this vulnerability.”
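The defect class described above, a signing helper that trusts a caller-chosen signature scheme without checking it against the key's own algorithm, is easier to reason about with a small model. The following is an added illustration, not code from the TCG reference implementation or from Microsoft; the types and functions (hmac_key, sign_scheme, validate_scheme, hmac_sign_checked, demo_scheme_check) are hypothetical and the sample key is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified model of the CVE-2025-2884 pattern (illustration only, not the TCG
 * code): never size signing work from the caller's scheme when the key's own
 * algorithm fixes how many digest bytes are valid. */
enum hash_alg { HASH_NONE = 0, HASH_SHA256 = 1, HASH_SHA384 = 2, HASH_SHA512 = 3 };
static size_t digest_size(enum hash_alg a) {
    switch (a) {
    case HASH_SHA256: return 32;
    case HASH_SHA384: return 48;
    case HASH_SHA512: return 64;
    default: return 0;               /* HASH_NONE or unsupported */
    }
}
/* Hypothetical key object: alg fixes how many digest bytes are valid. */
struct hmac_key {
    enum hash_alg alg;
    uint8_t digest[64];              /* storage for the largest supported digest */
    size_t digest_len;               /* bytes actually valid, == digest_size(alg) */
};
struct sign_scheme { enum hash_alg hash_alg; };   /* chosen by the caller */
/* The missing check: the scheme's hash must match the key's algorithm.
 * Returns 0 when the request is consistent, -1 otherwise. */
int validate_scheme(const struct hmac_key *key, const struct sign_scheme *scheme) {
    if (key == NULL || scheme == NULL) return -1;
    if (digest_size(key->alg) == 0 || digest_size(scheme->hash_alg) == 0) return -1;
    if (scheme->hash_alg != key->alg) return -1;
    if (key->digest_len != digest_size(key->alg)) return -1;
    return 0;
}
/* Hardened helper: writes the signature bytes to out and returns the count, or 0
 * when rejected. Reading digest_size(scheme->hash_alg) bytes instead would run
 * past digest_len whenever the scheme names the larger hash. */
size_t hmac_sign_checked(const struct hmac_key *key, const struct sign_scheme *scheme,
                         uint8_t *out, size_t out_len) {
    if (validate_scheme(key, scheme) != 0) return 0;
    size_t n = digest_size(key->alg);   /* sized from the key, never the scheme */
    if (n > out_len) return 0;
    memcpy(out, key->digest, n);
    return n;
}
/* Constructed sample: a SHA-256 key under a SHA-512 scheme must be rejected (0),
 * and under the matching scheme must yield 32 bytes. Returns 1 when both hold. */
int demo_scheme_check(void) {
    struct hmac_key key = { HASH_SHA256, {0}, 32 };
    memset(key.digest, 0xAB, 32);
    struct sign_scheme bad = { HASH_SHA512 }, good = { HASH_SHA256 };
    uint8_t out[64];
    return hmac_sign_checked(&key, &bad, out, sizeof out) == 0 &&
           hmac_sign_checked(&key, &good, out, sizeof out) == 32;
}
```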

CVE-2025-47827: MITRE CVE-2025-47827: Secure Boot bypass in IGEL OS before 11

Microsoft describes, “In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature. A crafted root filesystem can be mounted from an unverified SquashFS image.”

CVE-2025-0033: AMD CVE-2025-0033: RMP Corruption During SNP Initialization

The vulnerability exists in AMD EPYC processors using Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP). It involves a race condition during Reverse Map Table (RMP) initialization that could allow a malicious or compromised hypervisor to modify RMP entries before they are locked, potentially impacting the integrity of SEV-SNP guest memory. This vulnerability does not expose plaintext data or secrets and requires privileged control of the hypervisor to exploit.

Critical Severity Vulnerabilities Patched in October Patch Tuesday Edition 

CVE-2025-59234: Microsoft Office Remote Code Execution Vulnerability

A use-after-free flaw in Microsoft Office could allow an unauthenticated attacker to execute code locally. An attacker must send the user a malicious file and convince the user to open it.

CVE-2025-49708: Windows Graphics Component Remote Code Execution Vulnerability

A use-after-free flaw in Microsoft Graphics Component could allow an authenticated attacker to execute code over a network. Upon successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges.

CVE-2025-59291: Confidential Azure Container Instances Elevation of Privilege Vulnerability

External control of file name or path in Azure Compute Gallery could allow an authenticated attacker to elevate privileges locally. An attacker could trick the system into mounting a malicious file share to a sensitive location, leading to remote code execution.

CVE-2025-59292: Azure Compute Gallery Elevation of Privilege Vulnerability

Azure Compute Gallery is a service for centrally creating, managing, and sharing custom Virtual Machine (VM) images and other compute resources within and across organizations.

External control of the file name or path in Azure Compute Gallery could allow an authenticated attacker to elevate privileges locally. An attacker could trick the system into mounting a malicious file share to a sensitive location, leading to remote code execution.

CVE-2025-59227: Microsoft Office Remote Code Execution Vulnerability

A use-after-free flaw in Microsoft Office could allow an unauthenticated attacker to execute code locally.

CVE-2025-59287: Windows Server Update Service (WSUS) Remote Code Execution Vulnerability

Windows Server Update Service (WSUS) is a feature of Windows Server that allows IT administrators to manage the download and distribution of Microsoft product updates to computers on a local network.

An unauthenticated attacker can execute code over a network by deserializing untrusted data in the Windows Server Update Service. A remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in remote code execution.

CVE-2016-9535: MITRE CVE-2016-9535: LibTIFF Heap Buffer Overflow Vulnerability

tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile sizes like YCbCr with subsampling. Reported as MSVR 35105, aka “Predictor heap-buffer-overflow.”

CVE-2025-59236: Microsoft Excel Remote Code Execution Vulnerability

A use-after-free flaw in Microsoft Office could allow an unauthenticated attacker to execute code locally.

CVE-2025-59246: Azure Entra ID Elevation of Privilege Vulnerability

Successful exploitation of the vulnerability may allow an attacker to elevate privileges.

Other Microsoft Vulnerability Highlights

  • CVE-2025-48004 is an elevation of privilege vulnerability in the Microsoft Brokering File System. An attacker must win a race condition to exploit the vulnerability. Upon successful exploitation, an attacker could gain SYSTEM privileges.
  • CVE-2025-55676 is an information disclosure vulnerability in the Windows USB Video Class System Driver. Successful exploitation of the vulnerability could allow the disclosure of certain memory addresses within kernel space.
  • CVE-2025-55681 is an elevation of privilege vulnerability in Desktop Window Manager. An out-of-bounds read flaw may allow an attacker to gain SYSTEM privileges.
  • CVE-2025-58722 is an elevation of privilege vulnerability in Microsoft DWM Core Library. A heap-based buffer overflow in Windows DWM may allow an attacker to gain SYSTEM privileges.
  • CVE-2025-59199 is an elevation of privilege vulnerability in the Software Protection Platform (SPP). The improper access control flaw may allow an unauthenticated attacker to elevate privileges locally.
  • CVE-2025-55680 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Upon successful exploitation, an attacker could gain SYSTEM privileges.
  • CVE-2025-55692 is an elevation of privilege vulnerability in the Windows Error Reporting Service. An attacker who successfully exploited this vulnerability could gain administrator privileges.
  • CVE-2025-55693 is an elevation of privilege vulnerability in the Windows Kernel. An attacker must win a race condition to exploit the vulnerability. An attacker who successfully exploits the underlying use-after-free could crash the system, even as a standard user.
  • CVE-2025-55694 is an elevation of privilege vulnerability in the Windows Error Reporting Service. An attacker who exploits this vulnerability could gain administrator privileges.
  • CVE-2025-59194 is an elevation of privilege vulnerability in the Windows Kernel. An attacker must win a race condition to exploit the vulnerability. Successful exploitation of the vulnerability may allow an authenticated attacker to elevate privileges locally.
  • CVE-2025-59502 is a denial-of-service vulnerability in the Remote Procedure Call. An uncontrolled resource consumption flaw could allow an unauthenticated attacker to deny service over a network.

Microsoft Release Summary

This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Agere Windows Modem Driver, Microsoft PowerShell, Windows Failover Cluster, Azure Connected Machine Agent, Microsoft Brokering File System, Virtual Secure Mode, Microsoft Graphics Component, Windows Kernel, Windows Device Association Broker service, Windows Digital Media, Windows Hello, Windows Virtualization-Based Security (VBS) Enclave, Xbox, Microsoft Exchange Server, Visual Studio, .NET, .NET Framework, ASP.NET Core, Microsoft Configuration Manager, Azure Monitor, Windows Storage Management Provider, Connected Devices Platform Service (Cdpsvc), Windows Hyper-V, Windows BitLocker, Windows PrintWorkflowUserSvc, Windows NDIS, Windows USB Video Driver, Windows DirectX, Windows DWM, Windows Resilient File System (ReFS), Windows Error Reporting, Windows WLAN Auto Config Service, NtQueryInformation Token function (ntifs.h), Azure Local, Windows Routing and Remote Access Service (RRAS), Microsoft Windows, Windows Ancillary Function Driver for WinSock, Microsoft Windows Speech, Remote Desktop Client, Windows Cryptographic Services, Windows COM, Windows SMB Server, Windows Connected Devices Platform Service, Windows Bluetooth Service, Inbox COM Objects, Windows Remote Desktop, Windows File Explorer, Windows High Availability Services, Windows Core Shell, Microsoft Windows Search Component, Storport.sys Driver, Windows Management Services, Windows SSDP Service, Windows ETL Channel, Software Protection Platform (SPP), Data Sharing Service Client, Network Connection Status Indicator (NCSI), Windows StateRepository API, Windows Resilient File System (ReFS) Deduplication Service, Windows MapUrlToZone, Windows Push Notification Core, Azure Entra ID, Microsoft Office Word, Microsoft Office Excel, Microsoft Office Visio, Microsoft Office, Microsoft Office SharePoint, Windows Remote Access Connection Manager, Microsoft Office PowerPoint, Windows Health and Optimized Experiences Service, Azure PlayFab, JDBC Driver for SQL Server, Copilot, Windows DWM Core Library, Active Directory Federation Services, Microsoft Failover Cluster Virtual Driver, Redis Enterprise, Windows Authentication Methods, Windows SMB Client, XBox Gaming Services, Azure Monitor Agent, Windows Server Update Service, GitHub, Confidential Azure Container Instances, Windows Taskbar Live, Internet Explorer, Microsoft Defender for Linux, Windows Remote Procedure Call, AMD Restricted Memory Page, Microsoft Edge (Chromium-based), TCG TPM2.0, Windows Secure Boot, Microsoft Windows Codecs Library, and Games.

The next Patch Tuesday falls on November 11, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches’ webinar.

Qualys Monthly Webinar Series

The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.

During the webcast, we will discuss this month’s high-impact vulnerabilities, including those that are a part of this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.
