Spooky season is in full swing, and this extends to Microsoft’s October Patch Tuesday with security updates for a frightful 175 Microsoft vulnerabilities, plus an additional 21 non-Microsoft CVEs. And even scarier than the sheer number of bugs: three are listed as under attack, with three others publicly known, and 17 deemed critical security holes.
Let’s start with the flaws that attackers already found and exploited before Redmond pushed patches.
- CVE-2025-24990 is a 7.8-rated elevation of privilege bug in the third-party Agere Modem driver that ships natively with supported Windows operating systems and can be abused to gain administrator privileges. Microsoft warns that all supported versions of Windows can be affected, so this could turn out to be a widespread attack. The driver has been removed in the October security update, so install this update ASAP.
- CVE-2025-59230 is another 7.8-rated elevation of privilege flaw in Windows Remote Access Connection Manager. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Redmond warns. Plus, as Zero Day Initiative’s Dustin Childs points out: “These types of bugs are often paired with a code execution bug to completely take over a system.” So this is another one to patch quickly.
- CVE-2025-47827, a 4.6-rated Secure Boot bypass flaw, has also been found and abused by miscreants. It exists in Linux-based IGEL OS before 11 because the igel-flash-driver module improperly verifies a cryptographic signature. And since it already allowed an attacker to bypass Secure Boot on IGEL OS systems, this is also a high-priority fix.
Publicly known, but not under attack…yet
Three other bugs are listed as publicly known, which means that attackers are likely already scanning for vulnerable software. These include:
- CVE-2025-0033, a critical vulnerability in AMD EPYC processors using Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), and there’s not a patch for this one – yet. Microsoft says updates to fix this flaw in Azure Confidential Computing’s (ACC) AMD-based clusters are under development, but not yet complete. Exploiting this hole requires an attacker to win a race condition during Reverse Map Table (RMP) initialization, which could then allow a malicious or compromised hypervisor to modify RMP entries before they are locked, thus corrupting the SEV-SNP guest memory. The silver lining, according to Redmond: “This issue does not expose plaintext data or secrets and requires privileged control of the hypervisor to exploit.”
- CVE-2025-24052 is yet another 7.8-rated elevation of privilege bug in the Agere Modem driver that ships natively with supported Windows operating systems. Microsoft warns it has been made public – but not yet exploited. We’d bet it will be soon.
- CVE-2025-2884, listed as publicly known, is an out-of-bounds read vuln in TCG TPM2.0 reference implementation’s CryptHmacSign helper function that can be abused to steal secrets.
In addition to the critical bug in some AMD EPYC processors, the other 16 critical-severity flaws in this month’s Patch Tuesday can lead to elevation of privileges, spoofing, and remote code execution (RCE), with one of these garnering a nearly perfect 9.8 CVSS severity score.
Tracked as CVE-2025-59287, it exists in Windows Server Update Services (WSUS) and allows a remote, unauthenticated attacker to send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in RCE. ZDI’s Childs says he suspects this bug will be targeted for attack soon.
“That means this is wormable between affected WSUS servers,” Childs noted. “Since WSUS remains a critical piece of anyone’s infrastructure, it’s an attractive target for those looking to do harm. If you use WSUS, don’t hesitate to test and deploy this update quickly.”
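For administrators triaging this month’s release, the following PowerShell script is an added example (not from the article, Microsoft, or ZDI) that inventories a Windows host for the exposure surfaces named above: the Agere modem driver (CVE-2025-24990 and CVE-2025-24052), the Remote Access Connection Manager service (CVE-2025-59230), the WSUS role (CVE-2025-59287), and whether the October cumulative update is installed. It assumes the driver file is `ltmdm64.sys` under `System32\drivers`, that the service is named `RasMan`, and that the WSUS role is the `UpdateServices` Windows feature; none of those identifiers appear in the article, and the KB number is a placeholder you must fill in from Microsoft’s advisory.

```powershell
# Added example (not from the article or Microsoft): inventory a Windows host for the
# exposure surfaces discussed in the October 2025 Patch Tuesday write-up.
# Assumptions not stated on the page: the Agere modem driver file is ltmdm64.sys,
# the Remote Access Connection Manager service is named RasMan, and the WSUS role
# is the 'UpdateServices' Windows feature. Run in an elevated PowerShell session.

$octoberKb = 'KB<October-2025-cumulative-update>'   # placeholder: take the KB id from the MS advisory

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Check, [string]$Status, [string]$Detail)
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# CVE-2025-24990 / CVE-2025-24052: the fix removes the driver, so the file still being
# present after patching means the update has not been applied (assumed filename).
$agere = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'
if (Test-Path $agere) {
    $ver = (Get-Item $agere).VersionInfo.FileVersion
    Add-Finding 'Agere modem driver' 'PRESENT' "$agere (version $ver) - October update removes this file"
} else {
    Add-Finding 'Agere modem driver' 'ABSENT' 'Driver not found; consistent with the October update'
}

# CVE-2025-59230: report the Remote Access Connection Manager service state. This is
# prioritisation context (is the component in use?), not a vulnerability check.
$rasman = Get-Service -Name RasMan -ErrorAction SilentlyContinue
if ($rasman) {
    Add-Finding 'RasMan service' $rasman.Status.ToString() "StartType=$($rasman.StartType)"
} else {
    Add-Finding 'RasMan service' 'NOT FOUND' 'Service not installed on this host'
}

# CVE-2025-59287: WSUS role. Get-WindowsFeature exists only on server SKUs, so skip on clients.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $wsus = Get-WindowsFeature -Name UpdateServices
    if ($wsus.Installed) {
        Add-Finding 'WSUS role' 'INSTALLED' 'Host runs WSUS; the 9.8-rated RCE fix is top priority here'
    } else {
        Add-Finding 'WSUS role' 'NOT INSTALLED' ''
    }
}

# Has the October cumulative update been installed on this host?
$hotfix = Get-HotFix -Id $octoberKb -ErrorAction SilentlyContinue
if ($hotfix) {
    Add-Finding 'October update' 'INSTALLED' "$($hotfix.HotFixID) on $($hotfix.InstalledOn)"
} else {
    Add-Finding 'October update' 'MISSING' "$octoberKb not in Get-HotFix output"
}

$findings | Format-Table -AutoSize
```

The output is a small table of findings per host; feeding it through `Invoke-Command` against a list of servers gives a quick fleet view of which machines still carry the modem driver or the WSUS role without the update.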
Adobe, SAP, Ivanti join the patch party
Also on October Patch Tuesday, Adobe released 12 updates to fix 36 vulnerabilities in its products, none of which are listed as being exploited or publicly known. All five CVEs addressed in Adobe’s Substance 3D Stager update are deemed critical as they allow arbitrary code execution, while the patch for Dimension fixes four critical code execution vulnerabilities. Two critical bugs in Illustrator and FrameMaker can also lead to code execution.
Meanwhile, updates for Adobe’s other products – Commerce, Connect, Animate, Substance 3D Viewer, Experience Manager Screens, Substance 3D Modeler, Creative Cloud, and Bridge – fix a range of critical, important, and moderate flaws.
SAP today released 13 new security notes and four updates to previously released security notes. Four of these are rated critical, including a fix for a maximum-severity OS command execution flaw in NetWeaver and an update to a September patch that fixes another perfect-10-severity OS command execution bug in NetWeaver.
Ivanti has joined the second-Tuesday patchapalooza with advisories for Endpoint Manager Mobile (four CVEs) and Neurons for MDM (three CVEs). None of these have been abused as of now, so make sure to apply the updates to avoid being victim zero. ®