With Halloween quickly approaching, Microsoft have really the fear factor into this month's Patch Tuesday release, releasing updates for 172 vulnerabilities, which includes 6 publicly disclosed zero days. This is over double the size of recent patches. In this blog we cover the most important patches that have been released, and how you can take action.
Pssst, as a reminder... did you know that you can now set up AutoFix rules for Windows Updates with RoboShadow's Cyber Heal function?
You can find a full list of security updates for October here.
Vulnerability Types Released in October 2025:
CVE-2025-24990 – Windows Agere Modem Driver Elevation of Privilege
CVSS Score: 7.8 (High)
Description: A flaw in the legacy Agere modem driver (ltmdm64.sys) included with Windows allows attackers to elevate privileges to SYSTEM. The issue arises from unsafe memory operations in the driver. Microsoft has removed the vulnerable component in the October 2025 cumulative update.
Exploitation Status: Actively exploited in the wild and included in CISA’s Known Exploited Vulnerabilities catalog
CVE-2025-59230 – Remote Access Connection Manager Elevation of Privilege
CVSS Score: 7.8 (High)
Description: A vulnerability in the Windows Remote Access Connection Manager (RASMan) service caused by improper access control could allow a local attacker to gain SYSTEM privileges. The flaw can be chained with other local exploits for complete compromise.
Exploitation Status: Actively exploited; confirmed by Microsoft and security researchers.
CVE-2025-47827 – IGEL OS Secure Boot Bypass
CVSS Score: 4.6 (Medium)
Description: A Secure Boot bypass flaw in IGEL OS due to improper signature verification in the system image loader. Attackers could load unsigned or tampered images to bypass Secure Boot integrity. Microsoft has added affected certificates to the revocation database (DBX).
Exploitation Status: Observed exploited in the wild.
CVE-2025-24052 – Agere Modem Driver Elevation of Privilege
CVSS Score: 7.8 (High)
Description: Another vulnerability in the same Agere modem driver allowing local privilege escalation. This issue was publicly disclosed prior to patch availability but no active exploitation has been observed.
Exploitation Status: Publicly disclosed; no confirmed exploitation.
CVE-2025-0033 – AMD SEV-SNP / Hypervisor RMP Corruption
CVSS Score: Estimated 7.5 (High)
Description: A race condition during Reverse Map Table (RMP) initialization in AMD Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP). A compromised or malicious hypervisor could manipulate RMP entries before they are locked, potentially compromising guest VMs.
Exploitation Status: Publicly disclosed; no known active exploits.
CVE-2025-2884 – TPM 2.0 Out-of-Bounds Read
CVSS Score: Estimated 6.5 (Medium)
Description: An out-of-bounds read vulnerability in the Trusted Platform Module (TPM) 2.0 reference implementation caused by insufficient validation in the CryptHmacSign function. Exploitation could lead to information disclosure from the TPM process memory.
Exploitation Status: Publicly disclosed; no active exploitation reported.
Here are some of the critical CVEs that have been remediated this month, and should be patched as soon as possible:
| CVE ID | CVSS | Description Summary |
|---|---|---|
| CVE-2025-49708 | 9.9 | Microsoft Graphics Component Elevation of Privilege Vulnerability. |
| CVE-2016-9535 | 9.8 | Microsoft Graphics Component: LibTIFF Heap Buffer Overflow Vulnerability. |
| CVE-2025-59246 | 9.8 | Azure Entra ID Elevation of Privilege Vulnerability. |
| CVE-2025-59287 | 9.8 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability. |
| CVE-2025-59218 | 9.6 | Azure Entra ID Elevation of Privilege Vulnerability. |
| CVE-2025-59247 | 8.8 | Azure PlayFab Elevation of Privilege Vulnerability. |
| CVE-2025-55321 | 8.7 | Azure Monitor Log Analytics Spoofing (XSS) Vulnerability. |
| CVE-2025-59271 | 8.7 | Redis Enterprise Elevation of Privilege Vulnerability. |
| CVE-2025-59236 | 8.4 | Microsoft Excel Remote Code Execution Vulnerability. |
| CVE-2025-0033 | 8.2 | AMD RMP Corruption During SNP Initialization (SEV-SNP / “RMPocalypse”). |
| CVE-2025-59291 | 8.2 | Confidential Azure Container Instances Elevation of Privilege Vulnerability. |
| CVE-2025-59292 | 8.2 | Azure Compute Gallery Elevation of Privilege Vulnerability (Confidential Azure Container Instances). |
| CVE-2025-59227 | 7.8 | Microsoft Office Remote Code Execution Vulnerability. |
| CVE-2025-59234 | 7.8 | Microsoft Office Remote Code Execution Vulnerability. |
| CVE-2025-59272 | 6.5 | Copilot Spoofing Vulnerability. |
| CVE-2025-59252 | 6.5 | M365 Copilot Spoofing Vulnerability. |
| CVE-2025-59286 | 6.5 | Copilot Spoofing Vulnerability. |
With this month’s Patch Tuesday crammed full of high-severity and actively exploited vulnerabilities, now’s the time to get proactive before the ghosts of unpatched systems come back to haunt you 👻
Start by patching the six publicly disclosed zero-day vulnerabilities, especially those that are actively exploited (like CVE-2025-24990 and CVE-2025-59230). These should be treated as top priority across all affected Windows systems.
The 23 critical CVEs released this month cover everything from Azure Entra ID and Copilot to Microsoft Office and Redis Enterprise. Don’t delay, critical privilege escalations and RCE flaws can give attackers a foothold fast.
Before mass deployment, test your updates in a controlled environment, particularly on systems running Azure-integrated services, virtualisation hosts, and Mariner-based components, to avoid unexpected service interruptions.
If you’re managing multiple devices or clients, automation is your best defence.
Use RoboShadow’s Cyber Heal AutoFix to automatically push Windows updates and reduce manual patch lag. Once configured, you can track compliance and remediation progress in real-time.
After patching, verify that vulnerable versions are fully replaced and check for any residual exposure in legacy components (e.g., Agere modem drivers or deprecated services).
Running a vulnerability scan post-update ensures nothing was missed.
Final Thought:
Final thought: Proactive patching is part of everyday cyber hygiene. Set up what you can to run automatically, check in often, and you’ll reduce the chances of known flaws becoming real problems.
If you have any questions about Patch Tuesday, or feedback on this blog please
reach out to us: hello@roboshadow.com
Thanks for reading!