Microsoft October 2025 patch tuesday fixes 172 flaws including Zero-Days and actively exploited flaws

Microsoft has released its October 2025 Patch Tuesday security updates, addressing 172 security vulnerabilities. This patch fixes critical flaws in Windows operating systems, Microsoft Office applications, Azure cloud services, Windows Server components, and enterprise software. 

This Patch Tuesday marks the end of support for Windows 10, and unless Microsoft changes their mind will be the last free security update for Windows 10 without Extended Security Updates.

Zero-day vulnerabilities that were publicly disclosed or actively exploited before official patches became available:

• CVE-2025-24990 - Windows Agere Modem Driver Elevation of Privilege Vulnerability. Microsoft is removing an Agere Modem driver that was actively exploited to gain administrative privileges. The vulnerability affects all supported versions of Windows and can be exploited even if the modem is not actively being used. Microsoft has removed the ltmdm64.sys driver in the October cumulative update, though this will cause related Fax modem hardware to cease functioning.
• CVE-2025-59230 - Windows Remote Access Connection Manager Elevation of Privilege Vulnerability. This actively exploited vulnerability involves improper access control in Windows Remote Access Connection Manager, allowing an authorized attacker to elevate privileges locally to SYSTEM level. Microsoft indicates that attackers must invest in some measurable amount of effort in preparation or execution to successfully exploit the flaw.
• CVE-2025-47827 - Secure Boot Bypass in IGEL OS Before Version 11. This actively exploited vulnerability allows Secure Boot to be bypassed because the igel-flash-driver module improperly verifies cryptographic signatures. A crafted root filesystem can be mounted from an unverified SquashFS image, potentially enabling persistent malware installation. MITRE created this CVE on behalf of the affected parties, and the documented Windows updates incorporate updates from IGEL OS that address this vulnerability.
• CVE-2025-0033 - AMD RMP Corruption During SNP Initialization. This publicly disclosed vulnerability affects AMD EPYC processors using Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP). It involves a race condition during Reverse Map Table (RMP) initialization that could allow a malicious or compromised hypervisor to modify RMP entries before they are locked, potentially impacting the integrity of SEV-SNP guest memory.
• CVE-2025-24052 - Windows Agere Modem Driver Elevation of Privilege Vulnerability. This is a similar publicly disclosed flaw to CVE-2025-24990. Microsoft reiterates that the flaw impacts all versions of Windows and that the modem does not have to be actively used to exploit the vulnerability.
• CVE-2025-2884 - Out-of-Bounds Read Vulnerability in TCG TPM2.0 Reference Implementation. This publicly disclosed vulnerability exists in the TCG TPM2.0 Reference implementation's CryptHmacSign helper function, which is vulnerable to out-of-bounds read due to lack of validation of the signature scheme with the signature key's algorithm. Successful exploitation could lead to information disclosure or denial of service of the TPM.

Critical vulnerabilities:

1. CVE-2025-0033 - AMD CVE-2025-0033: RMP Corruption During SNP Initialization
2. CVE-2025-59218 - Azure Entra ID Elevation of Privilege Vulnerability
3. CVE-2025-59246 - Azure Entra ID Elevation of Privilege Vulnerability
4. CVE-2025-55321 - Azure Monitor Log Analytics Spoofing Vulnerability
5. CVE-2025-59247 - Azure PlayFab Elevation of Privilege Vulnerability
6. CVE-2025-59292 - Azure Compute Gallery Elevation of Privilege Vulnerability
7. CVE-2025-59291 - Confidential Azure Container Instances Elevation of Privilege Vulnerability
8. CVE-2025-59272 - Copilot Spoofing Vulnerability
9. CVE-2025-59252 - M365 Copilot Spoofing Vulnerability
10. CVE-2025-59286 - Copilot Spoofing Vulnerability
11. CVE-2016-9535 - MITRE CVE-2016-9535: LibTIFF Heap Buffer Overflow Vulnerability
12. CVE-2025-49708 - Microsoft Graphics Component Elevation of Privilege Vulnerability
13. CVE-2025-59227 - Microsoft Office Remote Code Execution Vulnerability
14. CVE-2025-59234 - Microsoft Office Remote Code Execution Vulnerability
15. CVE-2025-59236 - Microsoft Excel Remote Code Execution Vulnerability
16. CVE-2025-59271 - Redis Enterprise Elevation of Privilege Vulnerability
17. CVE-2025-59287 - Windows Server Update Service (WSUS) Remote Code Execution Vulnerability
18. CVE-2025-39943 - ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer
19. CVE-2025-39907 - mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer
20. CVE-2025-39898 - e1000e: fix heap overflow in e1000_set_eeprom
21. CVE-2025-39925 - can: j1939: implement NETDEV_UNREGISTER notification handler
22. CVE-2025-39910 - mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc()
23. CVE-2025-49844 - Redis Lua Use-After-Free may lead to remote code execution

Other patches in Microsoft's October 2025 Patch Tuesday include 144 "Important" severity vulnerabilities spanning multiple product categories. 

The largest segment involved 80 elevation of privilege flaws affecting core Windows components including Windows Kernel with multiple vulnerabilities, Windows PrintWorkflowUserSvc with eight separate use-after-free vulnerabilities, Windows Bluetooth Service, Windows Connected Devices Platform Service, Azure Connected Machine Agent, Azure Monitor Agent, Windows Authentication Methods with three vulnerabilities, and various Windows driver components. 

Remote code execution vulnerabilities were addressed in multiple Microsoft Office applications, Windows Connected Devices Platform Service, Windows SMB Server, Remote Desktop Client, Remote Desktop Protocol, Windows URL Parsing, and various Inbox COM Objects. 

Full patch list