Microsoft October 2025 Patch Tuesday

226/2025

Critical

October 15, 2025

1:50 pm

Microsoft has released its monthly patch of security updates, known as Patch Tuesday. The mentioned patch addressed six zero-day vulnerabilities.

Microsoft has fixed (175) vulnerabilities, with (5) classified as critical, as they could allow the attacker to gain elevated privileges, perform denial of service attacks, obtain sensitive information, bypass security restrictions, or execute arbitrary code and gain access to the affected systems.

October’s Patch Tuesday was released to fix security flaws in several Microsoft products, such as Microsoft Excel, Microsoft Office, Virtual Secure Mode, Windows Hello, Windows NTLM, Windows Bluetooth Service, Windows Hyper-V, Windows DWM, Redis Enterprise, Microsoft PowerShell, Microsoft Edge (Chromium-based), Windows SMB Client, Microsoft Defender for Linux, Windows Local Session Manager (LSM), and Windows NTFS.

The exploited zero-day vulnerabilities in October’s Patch are:

Windows Agere Modem Driver Elevation of Privilege Vulnerability “CVE-2025- 24990” allows the attacker to gain administrative privileges.
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability “CVE-2025-59230” allows the attacker to gain SYSTEM privileges.
MITRE Secure Boot bypass in IGEL OS before 11 Vulnerability “CVE-2025- 47827” allows the attacker to bypass security restrictions.

The publicly disclosed vulnerabilities in October’s Patch are:

AMD RMP Corruption During SNP Initialization Vulnerability “CVE-2025-0033” allows the attacker to modify RMP entries before they are locked, potentially impacting the integrity of SEV-SNP guest memory.
Windows Agere Modem Driver Elevation of Privilege Vulnerability “CVE-2025- 24052” allows the attacker to gain administrative privileges.
Cert CC Out-of-Bounds read Vulnerability “CVE-2025-2884” allows the attacker to disclose information or cause denial of service of the TPM.

Sample of the addressed vulnerabilities:

1. ASP.NET Security Feature Bypass Vulnerability (CVE-2025-55315):

CVSS: 9.9
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Consequences: Bypass Security

2. Microsoft Graphics Component Elevation of Privilege Vulnerability (CVE- 2025-49708):

CVSS: 9.9
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Consequences: Gain Privilege

Vulnerabilities

Microsoft MSRC

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Microsoft MSRC

References

Microsoft MSRC

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.