October 2025 Patch Tuesday: 175+ CVEs and 6 Zero-Days Fixed
TL;DR
Microsoft and Adobe Patch Tuesday: October 2025 Security Updates
Microsoft's October 2025 Patch Tuesday addresses a large number of vulnerabilities. By the count used in this article's body, the release fixes 193 vulnerabilities, nine rated Critical and 123 rated Important; published totals differ between trackers (the 175+ in the title is one of them) depending on whether republished third-party CVEs and Microsoft Edge fixes are counted. Microsoft's Security Update Guide provides the authoritative list.
Microsoft has addressed six zero-day vulnerabilities: three that are being actively exploited (CVE-2025-24990, CVE-2025-59230 and CVE-2025-47827) and three that were publicly disclosed before a fix was available (CVE-2025-24052, CVE-2025-2884 and CVE-2025-0033). This Patch Tuesday also marks the end of support for Windows 10: the KB5066791 cumulative update is the final one for the OS, and devices that stay on Windows 10 receive further fixes only through the Extended Security Updates (ESU) program.
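A quick way to confirm where a Windows 10 host stands after this release is to check its OS caption and whether the final cumulative update is installed. The following is an added example for this article, not code from Microsoft or BleepingComputer; it assumes it is run locally with administrative rights and takes the KB number from the text above.

```powershell
# Added example: report Windows 10 end-of-support status and whether the
# final Windows 10 cumulative update (KB5066791, per the article) is installed.
# Assumptions (not from the article): run locally as an administrator.

$FinalWin10Kb = 'KB5066791'

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$isWin10 = $os.Caption -like '*Windows 10*'

# Get-HotFix reads the same data as "View installed updates"; it lists updates
# installed via Windows Update/WUSA, not fixes that arrived in an in-place upgrade.
$hotfix = Get-HotFix -Id $FinalWin10Kb -ErrorAction SilentlyContinue

$note = if ($isWin10 -and -not $hotfix) {
            "Windows 10 without $FinalWin10Kb: install it, then enrol in ESU or migrate"
        } elseif ($isWin10) {
            'Windows 10 at the final cumulative update: no further fixes without ESU'
        } else {
            'Not Windows 10'
        }

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    OSCaption        = $os.Caption
    OSBuild          = $os.BuildNumber
    IsWindows10      = $isWin10
    FinalCUInstalled = [bool]$hotfix
    FinalCUDate      = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    Note             = $note
}
```

Run it through your remoting or endpoint-management tooling to get one row per host; a Windows 10 row with FinalCUInstalled set to True and no ESU enrolment is a machine that will receive no further security fixes.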
The updates cover vulnerabilities in various components, including Windows NTFS, Windows Cloud Files Mini Filter Driver, and Windows NTLM. Further affected areas include Windows Remote Desktop Protocol, Windows Remote Desktop Services, and Windows Local Session Manager (LSM).
Adobe Patches
Adobe has released 12 security advisories addressing 36 vulnerabilities across multiple products. Products affected include Adobe Connect, Adobe Commerce, and the Adobe Creative Cloud Desktop Application.
Other updated software includes Adobe Bridge, Adobe Animate, Adobe Experience Manager Screens, Substance 3D Viewer, and Substance 3D Modeler. Patches are also available for Adobe FrameMaker, Adobe Illustrator, Adobe Dimension, and Substance 3D Stager. 24 of these vulnerabilities are rated as critical, potentially leading to privilege escalation, security feature bypass, and arbitrary code execution.
Zero-Day Vulnerabilities
Microsoft addressed the following six zero-day vulnerabilities in this release.
- CVE-2025-24990: Windows Agere Modem Driver Elevation of Privilege Vulnerability: This vulnerability exists in the third-party Agere soft modem driver (ltmdm64.sys) that ships in-box with Windows. Rather than patching it, Microsoft removed the driver in the October cumulative update, so fax modem hardware that depends on it stops working after the update. Successful exploitation could allow an attacker to gain administrator privileges. CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog.
- CVE-2025-59230: Windows Remote Access Connection Manager Elevation of Privilege Vulnerability: An improper access control flaw in Windows Remote Access Connection Manager (RasMan) could allow an authenticated local attacker to elevate privileges to SYSTEM. CISA also added this CVE to its catalog. RasMan is a core Windows service that manages dial-up and VPN connections, so it is present and running on most Windows installations, not only on remote-access servers.
- CVE-2025-24052: Windows Agere Modem Driver Elevation of Privilege Vulnerability: Like CVE-2025-24990, this vulnerability exists in the Agere modem driver and exploitation could lead to administrator privileges. It was publicly disclosed before the update and is resolved by the same driver removal.
- CVE-2025-2884: CERT/CC: Out-of-bounds read vulnerability in TCG TPM2.0 reference implementation: This vulnerability in the TCG TPM 2.0 reference implementation's CryptHmacSign helper function is caused by missing validation that the requested signature scheme matches the signing key's algorithm, which can lead to an out-of-bounds read. CERT/CC assigned this CVE.
- CVE-2025-47827: MITRE: Secure Boot bypass in IGEL OS before 11: In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature. Microsoft republishes CVEs assigned by industry partners in its Security Update Guide when they affect the Windows ecosystem, which is why this third-party CVE appears in the release.
- CVE-2025-0033: AMD: RMP Corruption During SNP Initialization: This vulnerability affects AMD EPYC processors using Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP). It is a race condition during Reverse Map Table (RMP) initialization that can leave the RMP in a corrupted state. AMD's bulletin provides further details.
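Because the two Agere CVEs are resolved by removing a driver rather than replacing it, the practical check on a fleet is whether ltmdm64.sys is still present or registered as a kernel driver. The script below is an added example for this article, not code from Microsoft; it assumes the file name ltmdm64.sys named above and the default Windows system paths.

```powershell
# Added example: check whether the Agere soft modem driver (ltmdm64.sys) that
# Microsoft removed in the October 2025 update is still present on this host.
# Assumptions (not from the article): file name ltmdm64.sys, default %SystemRoot%.

$driverName = 'ltmdm64.sys'
$driverPath = Join-Path $env:SystemRoot "System32\drivers\$driverName"

# 1. The in-box driver binary itself.
$fileFound = Test-Path -LiteralPath $driverPath

# 2. A kernel driver service whose image path points at the file. Match on the
#    path rather than the service name so an unusual service name is not missed.
$svc = Get-CimInstance -ClassName Win32_SystemDriver |
       Where-Object { $_.PathName -match [regex]::Escape($driverName) }

# 3. Copies in the driver store survive removal of the in-box driver if an OEM
#    package was installed; they can be re-staged later by Plug and Play.
$storeRoot   = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
$storeCopies = @(Get-ChildItem -Path $storeRoot -Recurse -Filter $driverName -ErrorAction SilentlyContinue)

$result = [pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    InboxDriverFile   = $fileFound
    RegisteredService = if ($svc) { $svc.Name } else { $null }
    ServiceState      = if ($svc) { $svc.State } else { $null }
    DriverStoreCopies = $storeCopies.Count
    Exposed           = $fileFound -or [bool]$svc
}
$result

if ($result.Exposed) {
    Write-Warning "$driverName is still present; install the October 2025 cumulative update."
}
```

A host where Exposed is False but DriverStoreCopies is non-zero is patched today but could have the driver re-staged by a device install; clearing the stale package with pnputil is the follow-up if no fax modem is in use.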
Critical Severity Vulnerabilities
Several critical vulnerabilities were addressed in this update:
- CVE-2025-59234: Microsoft Office Remote Code Execution Vulnerability: A use-after-free flaw in Microsoft Office could allow an unauthenticated attacker to execute code locally. An attacker must send a malicious file and convince the user to open it.
- CVE-2025-49708: Windows Graphics Component Remote Code Execution Vulnerability: A use-after-free flaw in the Microsoft Graphics Component could allow an authenticated attacker to execute code over a network, potentially gaining SYSTEM privileges.
- CVE-2025-59291: Confidential Azure Container Instances Elevation of Privilege Vulnerability: External control of a file name or path could allow an authenticated attacker to elevate privileges locally, leading to code execution in the confidential container environment.
- CVE-2025-59292: Azure Compute Gallery Elevation of Privilege Vulnerability: Similar to CVE-2025-59291, external control of a file name or path in Azure Compute Gallery could allow an authenticated attacker to elevate privileges locally, leading to code execution.
- CVE-2025-59227: Microsoft Office Remote Code Execution Vulnerability: A use-after-free flaw in Microsoft Office could allow an unauthenticated attacker to execute code locally once a user opens a malicious file.
- CVE-2025-59287: Windows Server Update Service (WSUS) Remote Code Execution Vulnerability: Deserialization of untrusted data in WSUS could allow an unauthenticated attacker to execute code over the network on the WSUS server itself. WSUS is the Windows Server role that lets administrators approve and distribute Microsoft updates to computers on a local network, so a compromised WSUS server is also a distribution point into every client that trusts it.
- CVE-2016-9535: MITRE: LibTIFF Heap Buffer Overflow Vulnerability: A heap buffer overflow in libtiff, republished by Microsoft in the Security Update Guide.
- CVE-2025-59236: Microsoft Excel Remote Code Execution Vulnerability: A use-after-free flaw in Microsoft Excel could allow an unauthenticated attacker to execute code locally once a user opens a malicious file.
- CVE-2025-59246: Azure Entra ID Elevation of Privilege Vulnerability: Successful exploitation may allow an attacker to elevate privileges in Entra ID.
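For the WSUS flaw the first question is where the role is installed and whether its listener is reachable from the network. The following added example (not from Microsoft or this article's sources) answers that from two angles: on a server, whether the WSUS role and service are present and listening; on any managed client, which WSUS server Group Policy points it at. It assumes the default WSUS ports 8530 (HTTP) and 8531 (HTTPS) and the standard WindowsUpdate policy registry key; Get-WindowsFeature is available only on Windows Server.

```powershell
# Added example: locate WSUS exposure relevant to CVE-2025-59287.
# Assumptions (not from the article): default WSUS ports 8530/8531, service name
# WsusService, and the HKLM WindowsUpdate policy key used by clients.

$WsusPorts = 8530, 8531

function Get-WsusServerExposure {
    # Role and service presence (Get-WindowsFeature exists on Windows Server only).
    $role    = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $wsusSvc = Get-Service -Name WsusService -ErrorAction SilentlyContinue

    # Listening sockets on the WSUS ports. A wildcard local address (0.0.0.0 or ::)
    # means the listener is reachable on every interface, not just loopback.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                 Where-Object { $_.LocalPort -in $WsusPorts }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RoleInstalled  = [bool]($role -and $role.Installed)
        ServiceStatus  = if ($wsusSvc) { $wsusSvc.Status.ToString() } else { 'absent' }
        ListeningPorts = ($listeners | Select-Object -ExpandProperty LocalPort -Unique) -join ','
        AnyAddress     = [bool]($listeners | Where-Object { $_.LocalAddress -in '0.0.0.0', '::' })
    }
}

function Get-WsusClientTarget {
    # Clients pointed at a WSUS server carry its URL in the WindowsUpdate policy key.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
                            -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        WUServer       = $pol.WUServer
        WUStatusServer = $pol.WUStatusServer
    }
}

Get-WsusServerExposure
Get-WsusClientTarget
```

Collect Get-WsusClientTarget across clients to build the list of WSUS servers actually in use, then run Get-WsusServerExposure on each. Where a server cannot be patched immediately, removing the role or blocking inbound 8530/8531 at the host firewall removes the exposed listener, at the cost of clients no longer updating from that server.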
Additional Vulnerabilities
Other notable vulnerabilities addressed include:
- CVE-2025-48004: An elevation of privilege vulnerability in the Microsoft Brokering File System.
- CVE-2025-55676: An information disclosure vulnerability in the Windows USB Video Class System Driver.
- CVE-2025-55681: An elevation of privilege vulnerability in Desktop Windows Manager.
- CVE-2025-58722: An elevation of privilege vulnerability in Microsoft DWM Core Library.
- CVE-2025-59199: An elevation of privilege vulnerability in the Software Protection Platform (SPP).
- CVE-2025-55680: An elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.
- CVE-2025-55692 & CVE-2025-55694: Elevation of privilege vulnerabilities in the Windows Error Reporting Service.
- CVE-2025-55693 & CVE-2025-59194: Elevation of privilege vulnerabilities in the Windows Kernel.
- CVE-2025-59502: A denial-of-service vulnerability in Windows Remote Procedure Call.
Affected Products
The updates cover a wide range of Microsoft products and versions. These include Agere Windows Modem Driver, Microsoft PowerShell, Windows Failover Cluster, and Azure Connected Machine Agent.
Other affected products are Microsoft Brokering File System, Virtual Secure Mode, Microsoft Graphics Component, Windows Kernel, and Windows Device Association Broker service. Also included are Windows Digital Media, Windows Hello, Windows Virtualization-Based Security (VBS) Enclave, Xbox, Microsoft Exchange Server, Visual Studio, .NET, ASP.NET Core, Microsoft Configuration Manager, and Azure Monitor.
Further updates address Windows Storage Management Provider, Connected Devices Platform Service (Cdpsvc), Windows Hyper-V, Windows BitLocker, Windows PrintWorkflowUserSvc, and Windows NDIS. Additionally, Windows USB Video Driver, Windows DirectX, Windows DWM, Windows Resilient File System (ReFS), Windows Error Reporting, Windows WLAN Auto Config Service, NtQueryInformation Token function (ntifs.h), Azure Local, and Windows Routing and Remote Access Service (RRAS).
The release also includes updates for Microsoft Windows, Windows Ancillary Function Driver for WinSock, Microsoft Windows Speech, Remote Desktop Client, Windows Cryptographic Services, Windows COM, Windows SMB Server, Windows Connected Devices Platform Service, Windows Bluetooth Service, Inbox COM Objects, and Windows Remote Desktop. Furthermore, updates cover Windows File Explorer, Windows High Availability Services, Windows Core Shell, Microsoft Windows Search Component, Storport.sys Driver, Windows Management Services, Windows SSDP Service, Windows ETL Channel, Software Protection Platform (SPP), Data Sharing Service Client, and Network Connection Status Indicator (NCSI).
Additional components receiving updates include Windows StateRepository API, Windows Resilient File System (ReFS) Deduplication Service, Windows MapUrlToZone, Windows Push Notification Core, Azure Entra ID, Microsoft Office Word, Microsoft Office Excel, Microsoft Office Visio, Microsoft Office, Microsoft Office SharePoint, Windows Remote Access Connection Manager, Microsoft Office PowerPoint, Windows Health and Optimized Experiences Service, Azure PlayFab, JDBC Driver for SQL Server, Copilot, Windows DWM Core Library, Active Directory Federation Services, Microsoft Failover Cluster Virtual Driver, Redis Enterprise, Windows Authentication Methods, Windows SMB Client, XBox Gaming Services, and Azure Monitor Agent.
The list continues with Windows Server Update Service, GitHub, Confidential Azure Container Instances, Windows Taskbar Live, Internet Explorer, Microsoft Defender for Linux, Windows Remote Procedure Call, AMD Restricted Memory Page, Microsoft Edge (Chromium-based), TCG TPM2.0, Windows Secure Boot, Microsoft Windows Codecs Library, and Games.
Updates from Other Companies
Several other vendors released updates and advisories in October 2025:
- Adobe: Released security updates for various products (Adobe Security Bulletins).
- Cisco: Released patches for Cisco IOS, Cisco Unified Communications Manager, and Cyber Vision Center (Cisco Security Advisories).
- DrayTek: Released a security update for a pre-authentication RCE flaw in Vigor routers (DrayTek Security Advisory).
- Gladinet: Warned customers of a CentreStack zero-day being exploited to breach servers (Gladinet CentreStack Advisory).
- Ivanti: Released security updates for Ivanti Endpoint Manager Mobile (EPMM) and Ivanti Neurons for MDM (Ivanti Security Update).
- Oracle: Released security updates for actively exploited E-Business Suite zero-days (Oracle Security Alerts).
- Redis: Released security updates to patch a maximum severity RCE vulnerability (Redis Security Advisory).
- SAP: Released the October security updates for multiple products (SAP Security Notes).
- Synacor: Released a security update for a Zimbra Collaboration Suite zero-day (Zimbra Security Fixes).
Ivanti Security Advisories
Ivanti released two updates and one Security Advisory, resolving seven CVEs. The affected products include Ivanti Neurons for MDM and Ivanti Endpoint Manager Mobile. Additional details are available on the Ivanti blog.
Mozilla Updates
Mozilla released five updates resolving 45 CVEs. Some of these CVEs are suspected of having been exploited in the wild. Since each of the five updates includes at least one of the suspected CVEs, treat all five as containing a known exploited vulnerability and prioritize them accordingly (Mozilla Foundation Security Advisories).