Microsoft Addresses Three Zero-Days, Including One Affecting All Windows Vers...

Microsoft has released its October 2025 Patch Tuesday updates, addressing a staggering number of security vulnerabilities, including three zero-day flaws actively exploited in the wild. This extensive release includes fixes for 172 to 193 vulnerabilities across various products, marking one of the largest Patch Tuesday updates in recent history.

Among the most critical patches are two elevation of privilege (EoP) vulnerabilities impacting core Windows components. One of these, CVE-2025-24990, targets a legacy Agere Modem Driver that has been bundled with every version of Windows ever shipped, up to and including Server 2025. The widespread nature of the Agere Modem Driver vulnerability means virtually all Windows systems are potentially at risk. Microsoft has taken the unusual step of completely removing the problematic driver, `ltmdm64.sys`, from the operating system to mitigate this long-standing threat.

Another significant zero-day, CVE-2025-59230, affects the Windows Remote Access Connection Manager (RasMan), allowing local attackers to escalate privileges to SYSTEM level. This marks the first time a RasMan vulnerability has been exploited as a zero-day, despite the component frequently appearing in past Patch Tuesday updates. A third exploited zero-day, CVE-2025-47827, involves a Secure Boot bypass in IGEL OS, which indirectly impacts Windows environments. All three actively exploited vulnerabilities have been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog.

Beyond the zero-days, Microsoft also addressed several other critical flaws, including two with a CVSS score of 9.9. These high-severity bugs highlight the ongoing efforts by threat actors to find and exploit weaknesses in widely used software.

This October update also signifies a pivotal moment for Windows 10 users, as it delivers the final free security updates for the operating system. Users wishing to continue receiving support must now enroll in Microsoft's Extended Security Updates (ESU) program.

  • **Legacy Driver Poses Widespread Risk:** The Agere Modem Driver vulnerability (CVE-2025-24990) is particularly concerning because the `ltmdm64.sys` driver has been included in all Windows versions for two decades, regardless of whether the associated hardware is present or in use. Adam Barnett, lead software engineer at Rapid7, stated, "The vulnerable driver ships with every version of Windows, up to and including Server 2025." This makes a vast number of systems susceptible to local privilege escalation.
  • **Microsoft's Response to Agere Driver:** Instead of patching the legacy third-party component, Microsoft has opted to remove the Agere Modem Driver entirely from Windows with this update. This decision effectively retires the component, but users with fax modem hardware dependent on this specific driver will find it no longer functions on updated systems. Security experts like Dustin Childs from Trend Micro's Zero Day Initiative advised treating this as a broad attack due to the driver's pervasive presence.
  • **RasMan Exploitation Marks a First:** The Remote Access Connection Manager (RasMan) vulnerability (CVE-2025-59230) represents a new frontier for attackers, as it is the first time a flaw in this component has been exploited as a zero-day. Satnam Narang, senior staff research engineer at Tenable, noted that while RasMan is a "frequent flyer" on Patch Tuesday, this active exploitation is unprecedented. The flaw allows authenticated local attackers to achieve SYSTEM-level privileges.
  • **Third Zero-Day and CISA Mandate:** The third actively exploited zero-day, CVE-2025-47827, is a Secure Boot bypass affecting IGEL OS before version 11. This vulnerability, though not directly a Microsoft product, impacts the security posture of systems utilizing IGEL OS and its interaction with Windows Secure Boot. All three exploited zero-days have been added to CISA's KEV catalog, mandating federal agencies to apply patches by November 4, 2025.
  • **Other High-Severity Flaws:** Beyond the actively exploited zero-days, the October Patch Tuesday addresses numerous other critical vulnerabilities. These include two bugs with a CVSS score of 9.9: CVE-2025-49708, a privilege escalation flaw in Microsoft Graphics Component, and CVE-2025-55315, a security feature bypass in ASP.NET. Additionally, a critical remote code execution bug (CVE-2025-59287) in Windows Server Update Service (WSUS) with a CVSS score of 9.8 also demands immediate attention.
  • **Windows 10 End-of-Life Implications:** This Patch Tuesday marks the end of free security updates for Windows 10, a significant milestone for millions of users. Devices not enrolled in the Extended Security Updates (ESU) program will no longer receive routine security fixes, increasing their vulnerability to future threats. This transition underscores the importance of upgrading to Windows 11 or securing ESU enrollment for continued protection.
  • **Edge Browser Security Tightened:** In a related development, Microsoft also tightened security measures for the Internet Explorer (IE) mode in its Edge browser. This action followed reports in August 2025 of attackers exploiting unpatched zero-day flaws in IE's Chakra JavaScript engine through social engineering tactics to gain unauthorized access and achieve remote code execution. Microsoft has since removed easy-access options for launching IE mode, requiring manual enablement for approved sites.
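
One way to confirm on a given host that the Agere driver removal described above has taken effect, as an added example that is not from the article or from Microsoft: a read-only PowerShell check for `ltmdm64.sys`. Only the file name comes from the article; the locations searched and the function name `Get-AgereDriverStatus` are assumptions of this example.

```powershell
# Added example: audit a host for the Agere modem driver named in the article.
# Read-only. Run from an elevated prompt so the driver store is fully readable.
$driverName = 'ltmdm64.sys'   # file name taken from the article

function Get-AgereDriverStatus {
    param([string]$Name = $driverName)

    # 1. Copy in the live kernel drivers directory (assumed default location).
    $livePath = Join-Path $env:SystemRoot "System32\drivers\$Name"
    $liveFile = Get-Item -LiteralPath $livePath -ErrorAction SilentlyContinue

    # 2. Staged copies inside the driver store (assumed default location).
    $storeRoot = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
    $staged = @(Get-ChildItem -LiteralPath $storeRoot -Filter $Name -Recurse -File `
                    -ErrorAction SilentlyContinue)

    # 3. Registered kernel driver services whose image path ends in the file name.
    #    Matching on the path avoids guessing the service name.
    $services = @(Get-CimInstance -ClassName Win32_SystemDriver |
                    Where-Object { $_.PathName -like "*$Name" })

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        LiveFile      = if ($liveFile) { $liveFile.FullName } else { $null }
        FileVersion   = if ($liveFile) { $liveFile.VersionInfo.FileVersion } else { $null }
        StagedCopies  = $staged.FullName
        ServiceNames  = $services.Name
        ServiceState  = $services.State      # Running / Stopped per service
        DriverPresent = [bool]($liveFile -or $staged.Count -or $services.Count)
    }
}

$status = Get-AgereDriverStatus
$status | Format-List

if ($status.DriverPresent) {
    Write-Warning "$driverName is still present; confirm the October 2025 update is installed."
} else {
    Write-Output "$driverName not found in the locations checked."
}
```

Because the function returns an object, the same check can be run across a fleet with `Invoke-Command` and the results filtered on `DriverPresent`.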

Editorial Process: This article was drafted using AI-assisted research and thoroughly reviewed by human editors for accuracy, tone, and clarity. Based on reporting from https://thehackernews.com. All content undergoes human editorial review to ensure accuracy and neutrality.

Reviewed by: Bridgette Jacobs
