Microsoft rolled out its October 2025 Patch Tuesday updates, addressing a staggering 172 vulnerabilities across its ecosystem, including four zero-day flaws, of which two are actively exploited in the wild.
This monthly security bulletin underscores the relentless pace of threat evolution, with critical remote code execution bugs in Office apps and elevation of privilege issues in Windows components dominating the fixes.
As organizations grapple with end-of-support deadlines for legacy systems like Windows 10, timely patching remains essential to mitigate risks from state-sponsored actors and cybercriminals.
| Impact | Count |
|---|---|
| Elevation of Privilege | 80 |
| Remote Code Execution | 31 |
| Information Disclosure | 28 |
| Security Feature Bypass | 11 |
| Denial of Service | 11 |
| Spoofing | 10 |
| Tampering | 1 |
| Total | 172 |
The updates target a broad array of products, from core Windows operating systems to Azure cloud services and the Microsoft Office suite.
Among the highlights, Microsoft patched CVE-2025-59234 and CVE-2025-59236, both use-after-free vulnerabilities in Microsoft Office and Excel that enable remote code execution when users open malicious files.
These flaws, rated critical with CVSS scores around 7.8, require no authentication and could allow attackers to gain full system control, potentially leading to data theft or ransomware deployment.
Similarly, CVE-2025-49708 in the Microsoft Graphics Component exposes systems to privilege escalation over networks, exploiting memory corruption to bypass security boundaries.
Critical Vulnerabilities Patched
Several critical entries demand immediate attention due to their potential for widespread exploitation.
For instance, CVE-2025-59291 and CVE-2025-59292 involve external control of file paths in Azure Container Instances and Compute Gallery, allowing authorized attackers to escalate privileges locally and potentially compromise cloud workloads.
These elevation of privilege bugs, also critical, highlight ongoing risks in hybrid environments where misconfigurations amplify impact.
Another vulnerability is CVE-2016-9535, a long-standing LibTIFF heap buffer overflow re-addressed in this cycle, which could trigger remote code execution in image-processing scenarios, affecting legacy apps still in use.
The zero-days add urgency: CVE-2025-2884, an out-of-bounds read in the TCG TPM 2.0 reference implementation, stems from inadequate validation in its cryptographic signing functions and leads to information disclosure. Publicly known via CERT/CC, it affects trusted platform modules integral to secure boot processes.
Meanwhile, CVE-2025-47827 enables a Secure Boot bypass in IGEL OS versions before 11 through improper signature verification, allowing a crafted root filesystem to be mounted from an unverified image, a vector for persistent malware.
CVE-2025-59230, another exploited flaw in Windows Remote Access Connection Manager, involves improper access controls for local privilege escalation.
Microsoft confirms no public exploits for most others, but the duo’s active abuse by threat actors, such as nation-state groups, necessitates rapid deployment.
Deserialization issues in Windows Server Update Service (CVE-2025-59287) further elevate concerns, permitting unauthenticated remote code execution over networks, a prime target for supply-chain attacks.
In total, the bulletin includes 11 critical remote code executions and elevations, with many tied to memory safety errors like use-after-free and buffer overflows prevalent in older codebases.
Azure-specific fixes, such as those in CVE-2025-59285 for the Monitor Agent, address deserialization risks that could expose monitoring data to tampering.
Other Important Vulnerabilities Patched
Beyond criticals, 150+ important vulnerabilities cover elevation of privilege (over 60), information disclosure (around 30), and denial-of-service flaws.
Repeated patterns emerge in Windows PrintWorkflowUserSvc (CVE-2025-55684 through 55691), where use-after-free bugs allow local attackers to gain higher privileges during print operations, a common vector in enterprise printing environments.
Windows Kernel vulnerabilities like CVE-2025-55693 and CVE-2025-59187 involve improper input validation, potentially leaking kernel memory or enabling ring-0 access.
Spoofing risks appear in CVE-2025-59239 for File Explorer and CVE-2025-59248 for Exchange Server, where flawed validation could trick users into executing malicious actions or bypassing authentication.
BitLocker’s CVE-2025-55682 exposes a security feature bypass via physical attacks, underscoring that vulnerabilities at the hardware-software boundary remain a concern.
For cloud users, Azure Arc and Connected Machine Agent fixes (CVE-2025-58724) mitigate local escalations from access control lapses. Denial-of-service bugs, such as CVE-2025-55698 in DirectX and CVE-2025-58729 in Local Session Manager, could disrupt services through null dereferences or invalid inputs.
| CVE ID | Vulnerability Details | Type | Severity |
|---|---|---|---|
| CVE-2016-9535 | tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka “Predictor heap-buffer-overflow.” | Remote Code Execution | Critical |
| CVE-2025-2884 | Out-of-bounds read in the TCG TPM2.0 reference implementation’s CryptHmacSign helper function, caused by the lack of validation of the signature scheme against the signature key’s algorithm. | Information Disclosure | Important |
| CVE-2025-47827 | In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image. | Security Feature Bypass | Important |
| CVE-2025-49708 | Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges over a network. | Elevation of Privilege | Critical |
| CVE-2025-55680 | Time-of-check time-of-use (TOCTOU) race condition in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55682 | Improper enforcement of behavioral workflow in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | Security Feature Bypass | Important |
| CVE-2025-55683 | Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-55684 | Use-after-free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55688 | Use-after-free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55690 | Use-after-free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55691 | Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55692 | Improper input validation in Windows Error Reporting allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55693 | Use after free in Windows Kernel allows an unauthorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55694 | Improper access control in Windows Error Reporting allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55695 | Out-of-bounds read in Windows WLAN Auto Config Service allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-55696 | Time-of-check time-of-use (TOCTOU) race condition in the NtQueryInformationToken function (ntifs.h) allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55697 | Heap-based buffer overflow in Azure Local allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55698 | Null pointer dereference in Windows DirectX allows an authorized attacker to deny service over a network. | Denial of Service | Important |
| CVE-2025-55699 | Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-58714 | Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-58718 | Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | Remote Code Execution | Important |
| CVE-2025-58720 | Use of a cryptographic primitive with a risky implementation in Windows Cryptographic Services allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-58724 | Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-58725 | Heap-based buffer overflow in Windows COM allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-58726 | Improper access control in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | Elevation of Privilege | Important |
| CVE-2025-58727 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-58729 | Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network. | Denial of Service | Important |
| CVE-2025-58730 | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58731 | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58733 | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58734 | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58736 | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58737 | Use after free in Windows Remote Desktop allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58738 | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58739 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. | Spoofing | Important |
| CVE-2025-59184 | Exposure of sensitive information to an unauthorized actor in Windows High Availability Services allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59187 | Improper input validation in Windows Kernel allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59188 | Exposure of sensitive information to an unauthorized actor in Windows Failover Cluster allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59189 | Use after free in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59190 | Improper input validation in Microsoft Windows Search Component allows an unauthorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59191 | Heap-based buffer overflow in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59192 | Buffer over-read in Storport.sys Driver allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59193 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Management Services allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59194 | Use of uninitialized resource in Windows Kernel allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59197 | Insertion of sensitive information into log file in Windows ETL Channel allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59198 | Improper input validation in Microsoft Windows Search Component allows an authorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59203 | Insertion of sensitive information into log file in Windows StateRepository API allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59205 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59208 | Out-of-bounds read in Windows MapUrlToZone allows an unauthorized attacker to disclose information over a network. | Information Disclosure | Important |
| CVE-2025-59209 | Exposure of sensitive information to an unauthorized actor in Windows Push Notification Core allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59210 | Elevation of Privilege in Windows Resilient File System (ReFS) Deduplication Service. | Elevation of Privilege | Important |
| CVE-2025-59213 | Improper neutralization of special elements used in an SQL command (‘SQL injection’) in Microsoft Configuration Manager allows an unauthorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59214 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. | Spoofing | Important |
| CVE-2025-59221 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59222 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59223 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59224 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59225 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59226 | Use after free in Microsoft Office Visio allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59227 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | Remote Code Execution | Critical |
| CVE-2025-59229 | Uncaught exception in Microsoft Office allows an unauthorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59230 | Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59232 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59234 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | Remote Code Execution | Critical |
| CVE-2025-59236 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution | Critical |
| CVE-2025-59238 | Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59241 | Improper link resolution before file access (‘link following’) in Windows Health and Optimized Experiences Service allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59244 | External control of file name or path in Windows Core Shell allows an unauthorized attacker to perform spoofing over a network. | Spoofing | Important |
| CVE-2025-59248 | Improper input validation in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | Spoofing | Important |
| CVE-2025-59253 | Improper access control in Microsoft Windows Search Component allows an authorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59260 | Exposure of sensitive information to an unauthorized actor in Microsoft Failover Cluster Virtual Driver allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59261 | Time-of-check time-of-use (TOCTOU) race condition in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59275 | Improper validation of specified type of input in Windows Authentication Methods allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59278 | Improper validation of specified type of input in Windows Authentication Methods allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59285 | Deserialization of untrusted data in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59287 | Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network. | Remote Code Execution | Critical |
| CVE-2025-59288 | Improper verification of cryptographic signature in GitHub allows an unauthorized attacker to perform spoofing over an adjacent network. | Spoofing | Moderate |
| CVE-2025-59289 | Double free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59291 | External control of file name or path in Confidential Azure Container Instances allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Critical |
| CVE-2025-59292 | External control of file name or path in Confidential Azure Container Instances allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Critical |
| CVE-2025-59497 | Time-of-check time-of-use (TOCTOU) race condition in Microsoft Defender for Linux allows an authorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59502 | Uncontrolled resource consumption in Windows Remote Procedure Call allows an unauthorized attacker to deny service over a network. | Denial of Service | Moderate |
This Patch Tuesday coincides with Windows 10’s end-of-support on October 14, 2025, amplifying the stakes for unpatched legacy deployments.
Microsoft urges enabling automatic updates via Windows Update or WSUS, prioritizing criticals like Office RCEs first. For enterprises, vulnerability management tools can scan for affected versions, such as Office 2016-2021 or Windows 10/11 builds pre-KB503 something.
No proof-of-concept code is publicly available for most, but indicators of compromise include anomalous Office crashes or Azure log anomalies. Experts recommend segmenting networks and monitoring for exploitation attempts post-patch.
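One way to turn the "anomalous Office crashes" indicator above into a concrete check, as an added example that is not from the article: the script sweeps Application-log lines for Application Error events raised by Office binaries and flags hosts that accumulate several within a short window. The log lines, hostnames and module names are constructed for the example, in a simplified `timestamp|event_id|host|app|module` layout rather than a real event-log export format.

```python
"""Flag bursts of Office application crashes, a triage signal for hosts that
may have opened malicious documents. The log below is a constructed sample
in a simplified layout, not a real Windows event-log export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Office binaries whose crashes matter after a user opens an untrusted file
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "VISIO.EXE"}
APP_ERROR_EVENT_ID = 1000  # Windows "Application Error" (faulting application)

# Constructed sample: three Office crashes on WS-0417 in four minutes, one
# isolated crash on WS-0902, a non-Office crash, and a non-crash event.
SAMPLE_LOG = """\
2025-10-15T09:01:12|1000|WS-0417|EXCEL.EXE|example-module.dll
2025-10-15T09:02:40|1000|WS-0417|EXCEL.EXE|example-module.dll
2025-10-15T09:04:03|1000|WS-0417|WINWORD.EXE|example-module.dll
2025-10-15T09:05:55|1001|WS-0417|EXCEL.EXE|-
2025-10-15T11:30:00|1000|WS-0902|EXCEL.EXE|example-module.dll
2025-10-15T13:45:21|1000|WS-1180|notepad.exe|ntdll.dll
"""


def parse_line(line):
    """Split one sample line into fields; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, event_id, host, app, module = parts
    try:
        return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                "host": host, "app": app.upper(), "module": module}
    except ValueError:
        return None


def office_crashes(lines):
    """Keep only Application Error events raised by Office binaries."""
    events = (parse_line(l) for l in lines if l.strip())
    return [e for e in events
            if e and e["event_id"] == APP_ERROR_EVENT_ID and e["app"] in OFFICE_APPS]


def crash_bursts(lines, window=timedelta(minutes=10), threshold=3):
    """Return {host: peak_count} for hosts with at least `threshold` Office
    crashes inside any interval of length `window` (sliding window per host)."""
    by_host = defaultdict(list)
    for e in office_crashes(lines):
        by_host[e["host"]].append(e["ts"])
    bursts = {}
    for host, times in by_host.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[host] = peak
    return bursts


if __name__ == "__main__":
    for host, n in crash_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {n} Office crashes within 10 min; review recently opened files")
```

Against a real environment, feed it the faulting-application fields from Event ID 1000 records and tune `window` and `threshold` to the baseline crash rate of the fleet.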