Microsoft has addressed 172 vulnerabilities in its October 2025 security update release, marking the highest number of vulnerabilities patched in a single month this year. This month’s patches address two publicly disclosed vulnerabilities, three zero-day vulnerabilities, and eight Critical vulnerabilities, along with 159 additional vulnerabilities of varying severity levels.
October 2025 Risk Analysis
This month’s leading risk types by exploitation technique are elevation of privilege with 80 patches (47%), remote code execution (RCE) with 31 patches (18%), and information disclosure with 28 patches (16%).
Microsoft Windows received the most patches this month with 134, followed by Microsoft Office with 18 and Azure with 6.
Windows 10 End of Support Is Here
As announced previously, Windows 10 officially reaches end of life on October 14, 2025. According to Microsoft, in order to qualify for Extended Security Updates for Windows 10, the affected host must be upgraded to the 22H2 release. This means regular Windows 10 hosts will no longer receive regular security updates after this date. As of October 14, 2025, non 22H2 Windows 10 hosts will be identified in the CrowdStrike Falcon® Exposure Management Vulnerability Management pane with an unsupported software vulnerability. More information can be found via the following link: https://www.microsoft.com/en-us/windows/extended-security-updates
Publicly Disclosed Vulnerability in Windows Agere Modem Driver
CVE-2025-24052 is an Important elevation of privilege vulnerability affecting Windows Agere Modem Driver and has a CVSS score of 7.8. This vulnerability allows authenticated local attackers with low privileges to elevate privileges to administrator level by exploiting a stack-based buffer overflow weakness in the third-party Agere Modem driver (ltmdm64.sys), which ships natively with supported Windows operating systems.
The vulnerability had been publicly disclosed. There is no evidence of active exploitation in the wild, though exploitation is considered more likely with proof-of-concept code available. This vulnerability affects all supported versions of Windows systems with the Agere Modem driver and requires local access to exploit with low attack complexity, requiring low privileges but no user interaction.
When successfully exploited, attackers can gain administrator privileges, potentially allowing them to completely compromise the confidentiality, integrity, and availability of affected Windows systems. Notably, this vulnerability can be exploited even if the modem is not actively being used. Microsoft has removed the ltmdm64.sys driver in the October cumulative update, which will cause fax modem hardware dependent on this driver to no longer work on Windows.
| Severity | CVSS Score | CVE | Description |
| Important | 7.8 | CVE-2025-24052 | Windows Agere Modem Driver Elevation of Privilege Vulnerability |
Publicly Disclosed Vulnerability in TCG TPM2.0 Reference Implementation
CVE-2025-2884 is an Important information disclosure vulnerability affecting TCG TPM2.0 reference implementation and has a CVSS score of 5.3. This vulnerability allows authenticated local attackers with low privileges to disclose sensitive information by exploiting an out-of-bounds read weakness in the CryptHmacSign helper function due to lack of validation of the signature scheme with the signature key’s algorithm.
The vulnerability had been publicly disclosed. There is no evidence of active exploitation in the wild, though exploitation is considered less likely. The vulnerability affects systems using the TCG TPM2.0 reference implementation and requires local access to exploit with high attack complexity, requiring low privileges but no user interaction.
When successfully exploited, attackers can achieve high confidentiality impact through information disclosure and low availability impact on affected systems, but cannot compromise system integrity. The documented Windows updates incorporate updates in the TCG TPM2.0 reference implementation that address this vulnerability.
| Severity | CVSS Score | CVE | Description |
| Important | 5.3 | CVE-2025-2884 | Out-of-Bounds Read Vulnerability in TCG TPM2.0 Reference Implementation |
Zero-Day Vulnerability in Windows Remote Access Connection Manager
CVE-2025-59230 is an Important elevation of privilege vulnerability affecting Windows Remote Access Connection Manager and has a CVSS score of 7.8. This vulnerability allows authenticated local attackers with low privileges to elevate their privileges to SYSTEM level by exploiting an improper access control weakness in Windows Remote Access Connection Manager and gaining local access to the system.
In October 2025, CrowdStrike identified a local privilege escalation binary exploiting a zero-day (at the time) vulnerability. Microsoft has since disclosed, patched, and acknowledged that this vulnerability — now tracked as CVE-2025-59230 — has been exploited in the wild. CrowdStrike Counter Adversary Operations assesses at least one threat actor has likely leveraged or plans to leverage the recently disclosed CVE-2025-59230 in the near term. While this activity is not currently attributed to a tracked adversary or aligned with a specific operational motivation, additional research revealed this activity was likely conducted by an eCrime group.
The vulnerability affects Windows systems with Remote Access Connection Manager and requires local access to exploit with low attack complexity, requiring low privileges but no user interaction. When successfully exploited, attackers can gain SYSTEM privileges, potentially allowing them to completely compromise the confidentiality, integrity, and availability of affected Windows systems.
| Severity | CVSS Score | CVE | Description |
| Important | 7.8 | CVE-2025-59230 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability |
Zero-Day Vulnerability in Windows Agere Modem Driver
CVE-2025-24990 is an Important elevation of privilege vulnerability affecting Windows Agere Modem Driver and has a CVSS score of 7.8. This vulnerability allows authenticated local attackers with low privileges to elevate their privileges to administrator level by exploiting an untrusted pointer dereference weakness in the third-party Agere Modem driver (ltmdm64.sys) that ships natively with supported Windows operating systems.
There is evidence of active exploitation in the wild with functional exploit code available, and exploitation has been detected. The vulnerability affects all supported versions of Windows systems with the Agere Modem Driver and requires local access to exploit with low attack complexity, requiring low privileges but no user interaction. When successfully exploited, attackers can gain administrator privileges, potentially allowing them to completely compromise the affected Windows systems. Notably, this vulnerability can be exploited even if the modem is not actively being used, and Microsoft has removed the ltmdm64.sys driver in the October cumulative update, which will cause fax modem hardware dependent on this driver to no longer work on Windows.
| Severity | CVSS Score | CVE | Description |
| Important | 7.8 | CVE-2025-24990 | Windows Agere Modem Driver Elevation of Privilege Vulnerability |
Zero-Day Vulnerability in Secure Boot in IGEL OS before Version 11
CVE-2025-47827 is an Important security feature bypass vulnerability affecting versions of IGEL OS before version 11 and has a CVSS score of 4.6. This vulnerability allows unauthenticated physical attackers to bypass Secure Boot by exploiting the use of a key past its expiration date weakness in the igel-flash-driver module, which improperly verifies cryptographic signatures and allows mounting of a crafted root filesystem from an unverified SquashFS image.
There is evidence of active exploitation in the wild with functional exploit code available. The vulnerability requires physical access to exploit with low attack complexity, requiring no privileges or user interaction. When successfully exploited, attackers can bypass Secure Boot security features, potentially causing high availability, integrity, and confidentiality impact on affected systems.
| Severity | CVSS Score | CVE | Description |
| Important | 4.6 | CVE-2025-47827 | Secure Boot Bypass in IGEL OS Before Version 11 |
Critical Vulnerability in Microsoft Graphics Component
CVE-2025-49708 is a Critical elevation of privilege vulnerability affecting Microsoft Graphics Component and has a CVSS score of 9.9. This vulnerability allows authenticated remote attackers with low privileges to elevate their privileges to SYSTEM level by exploiting a use after free weakness in Microsoft Graphics Component over a network connection.
The vulnerability has not been publicly disclosed, and there is no evidence of active exploitation in the wild, though exploitation is considered less likely. The vulnerability affects Windows systems utilizing Microsoft Graphics Component and can be exploited remotely from the internet with low attack complexity, requiring no user interaction.
When successfully exploited, attackers can gain SYSTEM privileges by accessing a local guest virtual machine (VM) to attack the host OS, potentially allowing them to completely compromise the confidentiality, integrity, and availability of affected Windows systems and impact other VMs running on the same host due to the changed scope nature of this vulnerability.
| Severity | CVSS Score | CVE | Description |
| Critical | 9.9 | CVE-2025-49708 | Microsoft Graphics Component Elevation of Privilege Vulnerability |
Critical Vulnerability in Windows Server Update Service
CVE-2025-59287 is a Critical remote code execution vulnerability affecting Windows Server Update Service (WSUS) and has a CVSS score of 9.8. This vulnerability allows unauthenticated remote attackers to execute arbitrary code by exploiting unsafe deserialization of untrusted data in WSUS over a network connection.
The vulnerability has not been publicly disclosed, and there is no evidence of active exploitation in the wild, though exploitation is considered more likely. The vulnerability affects Windows systems running WSUS and can be exploited remotely from the internet with low attack complexity, requiring no privileges or user interaction.
When successfully exploited, attackers can achieve remote code execution by sending a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, potentially allowing them to completely compromise the confidentiality, integrity, and availability of affected WSUS systems.
| Severity | CVSS Score | CVE | Description |
| Critical | 9.8 | CVE-2025-59287 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability |
Critical Vulnerabilities in Microsoft Office
CVE-2025-59236 is a Critical remote code execution vulnerability affecting Microsoft Excel and has a CVSS score of 8.4. This vulnerability allows unauthenticated local attackers to execute arbitrary code by exploiting a use after free weakness in Microsoft Office Excel through local access to the system. When successfully exploited, attackers can achieve arbitrary code execution locally on the affected system.
CVE-2025-59234 is a Critical remote code execution vulnerability affecting Microsoft Office and has a CVSS score of 7.8. This vulnerability allows unauthenticated local attackers to execute arbitrary code by exploiting a use after free weakness in Microsoft Office through local access to the system with required user interaction.
CVE-2025-59227 is a Critical remote code execution vulnerability affecting Microsoft Office and has a CVSS score of 7.8. This vulnerability allows unauthenticated local attackers to execute arbitrary code by exploiting a use after free weakness through local access to the system with required user interaction.
The vulnerabilities have not been publicly disclosed, and there is no evidence of active exploitation in the wild. Exploitation requires local access with low attack complexity. No privileges are needed, but user interaction is required. Successful exploitation enables arbitrary code execution when a user opens a malicious file. The Preview Pane has been a common attack vector in similar vulnerabilities (April 2023, July 2023, December 2023, October 2024, January 2025, February 2025, April 2025, June 2025, September 2025).
| Severity | CVSS Score | CVE | Description |
| Critical | 8.4 | CVE-2025-59236 | Microsoft Excel Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2025-59234 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2025-59227 | Microsoft Office Remote Code Execution Vulnerability |
Critical Vulnerabilities in Microsoft Azure
CVE-2025-59291 is a Critical elevation of privilege vulnerability affecting Confidential Azure Container Instances and has a CVSS score of 8.2. This vulnerability allows authenticated local attackers with high privileges to elevate their privileges by exploiting external control of file name or path weakness in Confidential Azure Container Instances through local access to the system.
The vulnerability requires local access to exploit with low attack complexity, requiring high privileges but no user interaction. When successfully exploited, attackers can gain code execution within the confidential ACI sidecar container by tricking the system into mounting a malicious file share to a sensitive location, escalating from host control to confidential containers and potentially allowing them to completely compromise the affected systems.
CVE-2025-59292 is a Critical elevation of privilege vulnerability affecting Azure Compute Gallery and has a CVSS score of 8.2. This vulnerability allows authenticated local attackers with high privileges to elevate their privileges by exploiting external control of file name or path weakness in Azure Compute Gallery through local access to the system.
The vulnerability requires local access to exploit with low attack complexity, requiring high privileges but no user interaction. When successfully exploited, attackers can gain code execution within the confidential ACI sidecar container by tricking the system into mounting a malicious file share to a sensitive location, escalating from host control to confidential containers and potentially allowing them to completely compromise the affected systems.
Due to the changed scope nature of these vulnerabilities, a successful attack allows the container host to execute code in the targeted guest environment, expanding the impact beyond the initially compromised component. The vulnerabilities have not been publicly disclosed, and there is no evidence of active exploitation in the wild, though exploitation is considered less likely.
| Severity | CVSS Score | CVE | Description |
| Critical | 8.2 | CVE-2025-59291 | Confidential Azure Container Instances Elevation of Privilege Vulnerability |
| Critical | 8.2 | CVE-2025-59292 | Azure Compute Gallery Elevation of Privilege Vulnerability |
Critical Vulnerability in LibTIFF
CVE-2016-9535 is a Critical remote code execution vulnerability affecting LibTIFF and has a CVSS score of 4.0. This vulnerability allows unauthenticated local attackers to cause denial of service or potentially execute arbitrary code by exploiting a heap buffer overflow weakness in LibTIFF’s tif_predict.h and tif_predict.c components when processing unusual tile sizes like YCbCr with subsampling.
The vulnerability has not been publicly disclosed, and there is no evidence of active exploitation in the wild, though exploitation is considered unlikely. The vulnerability affects systems using LibTIFF 4.0.6 and requires local access to exploit with low attack complexity, requiring no privileges or user interaction. When successfully exploited, attackers can cause assertion failures in debug mode or buffer overflows in release mode, potentially leading to low availability impact on affected systems. This vulnerability is also known as “Predictor heap-buffer-overflow” and was reported as MSVR 35105, with Windows updates incorporating LibTIFF updates that address this dependency on the vulnerable third-party component.
| Severity | CVSS Score | CVE | Description |
| Critical | 4.0 | CVE-2016-9535 | LibTIFF Remote Code Execution Vulnerability |
Patch Tuesday Dashboard in the Falcon Platform
For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
Additional Resources
- For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
- Learn how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments.
- Make prioritization painless and efficient. Watch how Falcon Exposure Management enables IT staff to improve visibility with custom filters and team dashboards.
- Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.
