Hey there, tech enthusiasts! Microsoft has just dropped a massive Patch Tuesday update for October 2025, tackling a whopping 175 vulnerabilities. These updates are crucial, as they address several critical-severity issues and zero-day flaws. What makes this release even more significant is that it is the last one for most Windows 10 editions (Home, Pro, and Enterprise), which now reach end of life.
Breaking Down the Release: 3 Zero-Days, 16 Critical Fixes
Microsoft’s latest Patch Tuesday addresses three zero-day vulnerabilities, with two being publicly disclosed and one already exploited before a patch was available. All three carry a CVSS score of 7.8 and pose a significant threat. Let’s dive into the details:
- CVE-2025-24990: A privilege escalation vulnerability in the Agere Modem driver that put Windows systems at risk. Microsoft detected active exploitation of this flaw and addressed it in the October update.
- CVE-2025-24052: Another privilege escalation vulnerability in the same Agere Modem driver, allowing attackers to gain administrative privileges. Although not actively exploited, its public disclosure before a fix made it a potential target.
- CVE-2025-59230: A privilege escalation flaw in Windows Remote Access Connection Manager that lets attackers gain SYSTEM privileges. Microsoft confirmed active exploitation of this vulnerability.
Extra Care: Third-Party Zero-Day Fixes Included
Microsoft’s update bundle also covers fixes for three zero-day vulnerabilities linked to third-party services. One noteworthy vulnerability, CVE-2025-47827 (CVSS 4.6; important severity), is a Secure Boot bypass in IGEL OS that was exploited before a patch was available.
For the other two vulnerabilities, CVE-2025-0033 (CVSS 8.2; critical) and CVE-2025-2884 (CVSS 5.3; important severity), no active exploitation was confirmed. However, their public disclosure before a patch raised concerns.
More to Explore: Over a Dozen Critical Vulnerabilities Addressed
Besides the zero-days, this month’s update bundle tackles 15 critical-severity vulnerabilities across various products. Additionally, 157 important-severity vulnerabilities and one moderate-severity issue have been patched. These cover a range of security risks, including privilege escalation, denial of service, information disclosure, and remote code execution.
Here are a few standouts:
- CVE-2025-59246 (CVSS 9.8; critical): A privilege escalation flaw in Azure Entra ID that Microsoft reports as fully mitigated, while still flagging a high likelihood of exploitation.
- CVE-2025-59218 (CVSS 9.6; critical): Another privilege escalation issue in Azure Entra ID, fully mitigated by Microsoft and rated as less likely to be exploited.
- CVE-2025-49708 (CVSS 9.9; critical): A use-after-free vulnerability in the Microsoft Graphics Component that allows attackers to obtain SYSTEM privileges.
- CVE-2025-59287 (CVSS 9.8; critical): A remote code execution flaw in Windows Server Update Services caused by deserialization of untrusted data.
Final Call: Last Patch Tuesday for Windows 10
This round of updates marks the end of the update road for most Windows 10 users. Going forward, only Windows 10 Enterprise LTSC/IoT LTSC users will receive security updates, pushing regular users to upgrade to Windows 11. For those unable to upgrade immediately, Microsoft offers 1 year of free security updates through its Extended Security Updates (ESU) plans.
We’d love to hear your thoughts in the comments!
