Microsoft Patches Critical Flaws and Active Zero-Days

Publication date: 2025-10-15
NEWS

TL;DR

Microsoft’s October security release fixes over 180 vulnerabilities, including two zero-days already exploited, a critical WSUS remote code execution flaw, and a VM escape via the Microsoft Graphics Component. With CVSS scores up to 9.9 and several entries added to the CISA KEV Catalog, patch without delay. It also marks the final regular update cycle for Windows 10.

Windows 10’s last regular patch day — and a rough batch of bugs

October’s update cycle carries both symbolic and practical weight. As Windows 10 receives its last standard update before entering Extended Security Updates (ESU), Microsoft has shipped fixes for more than 180 vulnerabilities across Windows, Office, and related components. Among them are three issues confirmed to be exploited in the wild and several others with the potential for remote compromise or system-wide escalation.

One exploited flaw, CVE-2025-59230, affects the Windows Remote Access Connection Manager (RasMan) and allows local attackers to gain elevated privileges. Another, CVE-2025-24990, targets the long-lived Agere modem driver (ltmdm64.sys); Microsoft is removing this legacy component rather than issuing a traditional fix. The third, CVE-2025-47827, is a Secure Boot bypass in IGEL OS that can be abused with physical access, making it relevant to thin-client and VDI estates. These exploited items have been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog.

Beyond the zero-days: what else deserves attention

CVE-2025-59287 (CVSS 9.8) is a remote code execution flaw in Windows Server Update Services (WSUS) that does not require authentication, turning WSUS into a potential supply-chain pivot if compromised. Meanwhile, CVE-2025-49708 (CVSS 9.9) in the Microsoft Graphics Component is a privilege escalation that can enable a virtual machine escape and code execution on the host. For web-facing workloads, CVE-2025-55315 addresses HTTP request smuggling in ASP.NET Core; it requires authentication but can quietly bypass intended controls.

Quick checks you can run today

The following PowerShell commands help you quickly determine whether your systems are affected by the most critical vulnerabilities addressed in the October 2025 updates.

Confirm that October 2025 security updates are installed

# List security updates installed on or after October 14, 2025
Get-HotFix |
  Where-Object {$_.Description -match 'Security' -and $_.InstalledOn -ge (Get-Date '2025-10-14')} |
  Sort-Object InstalledOn -Descending |
  Select-Object InstalledOn, HotFixID, Description

Check for WSUS installations

# Check if WSUS is installed and running
Get-WindowsFeature -Name UpdateServices* | Where-Object {$_.InstallState -eq 'Installed'}
Get-Service -Name WsusService

Detect the vulnerable Agere modem driver

# Search for the legacy ltmdm driver
$paths = @("$env:windir\System32\drivers\ltmdm64.sys", "$env:windir\System32\drivers\ltmdm.sys")
$paths | ForEach-Object { if (Test-Path $_) { "$_  --> FOUND" } else { "$_  --> not found" } }

# List any Agere or ltmdm drivers currently installed
Get-CimInstance Win32_PnPSignedDriver |
  Where-Object { $_.DriverName -match 'Agere|ltmdm' } |
  Select-Object DeviceName, DriverName, DriverVersion, InfName

Check remote-access endpoints (RasMan)

# Confirm if the RasMan service is present
Get-Service -Name RasMan

Verify if Hyper-V is installed (for CVE-2025-49708)

# Identify Hyper-V hosts potentially affected by VM escape
Get-WindowsFeature -Name Hyper-V | Select-Object Name, InstallState

If IGEL OS thin clients are in use, ensure devices are on a corrected version 11 build and maintain strict physical access controls to reduce Secure Boot bypass risk.

Priorities and patch order

Begin with internet-facing servers and application gateways, then update WSUS servers and virtualization hosts. Follow with laptops and remote-access endpoints, and finally internal servers such as directory and file services. While scheduling maintenance windows, restrict unnecessary local logons, monitor unsigned or legacy driver activity in endpoint protection, and verify reverse proxies normalize and validate HTTP headers to reduce request-smuggling exposure.
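As an added example that is not part of the original article, the following PowerShell function combines the quick checks above with the patch-order priorities into one per-host triage report. It assumes Windows PowerShell on a Windows host (Get-WindowsFeature exists only on Server editions, so role detection falls back to service checks); the function name, the rank values and the status wording are my own, and the ASP.NET Core and IGEL OS items are left out because they cannot be judged from Windows hotfix data.

```powershell
function Get-OctoberPatchTriage {
    [CmdletBinding()]
    param([datetime]$PatchDate = (Get-Date '2025-10-14'))  # patch-day date from the article

    # Same test as the article's first quick check: any security hotfix on or after patch day.
    $patched = @(Get-HotFix | Where-Object {
        $_.Description -match 'Security' -and $_.InstalledOn -ge $PatchDate }).Count -gt 0

    # Role detection. Get-WindowsFeature is only available on Server editions,
    # so on client SKUs the feature list stays empty and services decide.
    $features = @()
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $features = @(Get-WindowsFeature | Where-Object InstallState -eq 'Installed' |
                      Select-Object -ExpandProperty Name)
    }
    $wsus   = (@($features -match '^UpdateServices').Count -gt 0) -or
              [bool](Get-Service -Name WsusService -ErrorAction SilentlyContinue)
    $hyperv = $features -contains 'Hyper-V'
    $rasman = [bool](Get-Service -Name RasMan -ErrorAction SilentlyContinue)
    $ltmdm  = (Test-Path "$env:windir\System32\drivers\ltmdm64.sys") -or
              (Test-Path "$env:windir\System32\drivers\ltmdm.sys")

    # Rank follows the article's patch order: WSUS and virtualization hosts (1)
    # before remote-access endpoints and laptops (2). Ranks are an assumption.
    $checks = @(
        @{ CVE='CVE-2025-59287'; Component='WSUS';                       Present=$wsus;   Rank=1; RemovedByUpdate=$false }
        @{ CVE='CVE-2025-49708'; Component='Graphics Component/Hyper-V'; Present=$hyperv; Rank=1; RemovedByUpdate=$false }
        @{ CVE='CVE-2025-59230'; Component='RasMan';                     Present=$rasman; Rank=2; RemovedByUpdate=$false }
        @{ CVE='CVE-2025-24990'; Component='Agere ltmdm driver';         Present=$ltmdm;  Rank=2; RemovedByUpdate=$true  }
    )
    foreach ($c in $checks) {
        # The Agere driver is removed by the update rather than patched, so its
        # presence on disk is a finding regardless of hotfix state.
        $status = if (-not $c.Present)       { 'not applicable' }
                  elseif ($c.RemovedByUpdate) { 'ACTION: legacy driver still on disk; the update removes it' }
                  elseif ($patched)           { 'present, October update installed' }
                  else                        { 'ACTION: present, October update missing' }
        [pscustomobject]@{ Rank = $c.Rank; CVE = $c.CVE; Component = $c.Component; Status = $status }
    }
}

# Example run: one row per CVE, ordered by patch priority
Get-OctoberPatchTriage | Sort-Object Rank, CVE | Format-Table -AutoSize
```

Run it from an elevated prompt on each host in scope and feed the rows into your ticketing or inventory tool; rows whose Status starts with ACTION are the ones to schedule first.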

How BaseFortify supports rapid response

BaseFortify maps your software inventory to current CVEs so you can see which systems are exposed and where to focus first. Each entry includes a plain-language summary, a Q&A section, and an AI Assistant that interprets impact in your environment and suggests next steps. To receive tailored insights and monitor new CVEs as they’re published, register here: https://basefortify.eu/register.

References

  • Security.nl — “Microsoft verhelpt drie actief aangevallen kwetsbaarheden in Windows” (“Microsoft fixes three actively attacked vulnerabilities in Windows”), October 15, 2025
  • The Hacker News — “Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped” (October 15, 2025)
  • CISA Known Exploited Vulnerabilities (KEV) Catalog — October/November 2025 updates