
Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped

Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant formally ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates (ESU) program.

Of the 183 vulnerabilities, eight of them are non-Microsoft issued CVEs. As many as 165 flaws have been rated as Important in severity, followed by 17 as Critical and one as Moderate. The vast majority of them relate to elevation of privilege vulnerabilities (84), with remote code execution (33), information disclosure (28), spoofing (14), denial-of-service (11), and security feature bypass (11) issues accounting for the rest of them.

The updates are in addition to the 25 vulnerabilities Microsoft addressed in its Chromium-based Edge browser since the release of September 2025's Patch Tuesday update.

The two Windows zero-days that have come under active exploitation are as follows -

  • CVE-2025-24990 (CVSS score: 7.8) - Windows Agere Modem Driver ("ltmdm64.sys") Elevation of Privilege Vulnerability
  • CVE-2025-59230 (CVSS score: 7.8) - Windows Remote Access Connection Manager (RasMan) Elevation of Privilege Vulnerability

Microsoft said both issues could allow attackers to execute code with elevated privileges, although there are currently no indications of how they are being exploited and how widespread these efforts may be. In the case of CVE-2025-24990, the company said it is planning to remove the driver entirely, rather than issue a patch for a legacy third-party component.

The security defect has been described as "dangerous" by Alex Vovk, CEO and co-founder of Action1, as it's rooted within legacy code installed by default on all Windows systems, irrespective of whether the associated hardware is present or in use.


"The vulnerable driver ships with every version of Windows, up to and including Server 2025," Adam Barnett, lead software engineer at Rapid7, said. "Perhaps your fax modem uses a different chipset, and so you don't need the Agere driver? Perhaps you have simply discovered email? Tough luck. Your PC is still vulnerable, and a local attacker with a minimally privileged account can elevate to administrator."
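A quick host inventory check, added here and not part of the article or of Microsoft's guidance: it reports whether the Agere driver file is still on disk, its file version and signer, and whether the kernel driver is currently loaded. The System32\drivers location and the use of Win32_SystemDriver matched on file name are assumptions; the article names only "ltmdm64.sys" and gives no service name.

```powershell
# Added check (not from the article): locate the Agere modem driver named in
# CVE-2025-24990 and report whether it is present and whether it is loaded.
# The drivers\ path is the standard System32 location and is an assumption.
$driverName = 'ltmdm64.sys'
$driverPath = Join-Path $env:SystemRoot "System32\drivers\$driverName"

$result = [ordered]@{
    Path    = $driverPath
    Present = Test-Path -LiteralPath $driverPath
    Loaded  = $false
    Service = $null
    Version = $null
    Signer  = $null
}

if ($result.Present) {
    $item = Get-Item -LiteralPath $driverPath
    $result.Version = $item.VersionInfo.FileVersion

    # Record who signed the binary so the report shows the legacy third-party
    # origin rather than a Microsoft in-box component.
    $sig = Get-AuthenticodeSignature -FilePath $driverPath
    $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { [string]$sig.Status }

    # Win32_SystemDriver enumerates kernel-mode drivers; match on the file name
    # in PathName because the service name is not given in the article.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -like "*$driverName" } |
        Select-Object -First 1
    if ($svc) {
        $result.Service = $svc.Name
        $result.Loaded  = ($svc.State -eq 'Running')
    }
}

[pscustomobject]$result
```

Because Microsoft intends to remove the driver rather than patch it, a host that has installed the October 2025 update should report Present as False; Present True identifies a machine still exposed even when no modem hardware is in use.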

According to Satnam Narang, senior staff research engineer at Tenable, CVE-2025-59230 is the first vulnerability in RasMan to be exploited as a zero-day. Microsoft has patched more than 20 flaws in the component since January 2022.

The third vulnerability that has been exploited in real-world attacks concerns a case of Secure Boot bypass in IGEL OS before 11 (CVE-2025-47827, CVSS score: 4.6). Details about the flaw were first publicly disclosed by security researcher Zack Didcott in June 2025.

"The impacts of a Secure Boot bypass can be significant, as threat actors can deploy a kernel-level rootkit, gaining access to the IGEL OS itself and, by extension, then tamper with the Virtual Desktops, including capturing credentials," Kev Breen, senior director of threat research at Immersive, said.

"It should be noted that this is not a remote attack, and physical access is typically required to exploit this type of vulnerability, meaning that 'evil-maid' style attacks are the most likely vector affecting employees who travel frequently."


All three issues have since been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by November 4, 2025.

Other important vulnerabilities of note include a remote code execution (RCE) bug (CVE-2025-59287, CVSS score: 9.8) in Windows Server Update Service (WSUS), an out-of-bounds read vulnerability in the Trusted Computing Group (TCG) TPM2.0 reference implementation's CryptHmacSign helper function (CVE-2025-2884, CVSS score: 5.3), and an RCE in Windows URL Parsing (CVE-2025-59295, CVSS score: 8.8).

"An attacker can leverage this by carefully constructing a malicious URL," Ben McCarthy, lead cybersecurity engineer at Immersive, said. "The overflowed data can be designed to overwrite critical program data, such as a function pointer or an object's virtual function table (vtable) pointer."


"When the application later attempts to use this corrupted pointer, instead of calling a legitimate function, it redirects the program's execution flow to a memory address controlled by the attacker. This allows the attacker to execute arbitrary code (shellcode) on the target system."

Two vulnerabilities with the highest CVSS score in this month's update relate to a privilege escalation flaw in Microsoft Graphics Component (CVE-2025-49708, CVSS score: 9.9) and a security feature bypass in ASP.NET (CVE-2025-55315, CVSS score: 9.9).

While exploiting CVE-2025-55315 requires an attacker to be authenticated first, it could be abused to covertly get around security controls and carry out malicious actions by smuggling a second, malicious HTTP request within the body of their initial authenticated request.


"An organization must prioritize patching this vulnerability because it invalidates the core security promise of virtualization," McCarthy explained regarding CVE-2025-49708, characterizing it as a high-impact flaw that leads to a full virtual machine (VM) escape.

"A successful exploit means an attacker who gains even low-privilege access to a single, non-critical guest VM can break out and execute code with SYSTEM privileges directly on the underlying host server. This failure of isolation means the attacker can then access, manipulate, or destroy data on every other VM running on that same host, including mission-critical domain controllers, databases, or production applications."

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —

  • Adobe
  • Amazon Web Services
  • AMD
  • AMI
  • Apple
  • ASUS
  • Broadcom (including VMware)
  • Canon
  • Check Point
  • Cisco
  • D-Link
  • Dell
  • Drupal
  • Elastic
  • F5
  • Fortinet
  • Foxit Software
  • FUJIFILM
  • Gigabyte
  • GitLab
  • Google Chrome
  • Google Cloud
  • Google Pixel Watch
  • Hitachi Energy
  • HMS Networks (including Red Lion)
  • Honeywell
  • HP
  • HP Enterprise (including Aruba Networking and Juniper Networks)
  • IBM
  • Ivanti
  • Jenkins
  • Lenovo
  • Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
  • MediaTek
  • Mitsubishi Electric
  • MongoDB
  • Moxa
  • Mozilla Firefox, Firefox ESR, and Thunderbird
  • NVIDIA
  • Oracle
  • Palo Alto Networks
  • Progress Software
  • QNAP
  • Qualcomm
  • Ricoh
  • Rockwell Automation
  • Salesforce
  • Samsung
  • SAP
  • Schneider Electric
  • ServiceNow
  • Siemens
  • SolarWinds
  • SonicWall
  • Splunk
  • Spring Framework
  • Supermicro
  • Synology
  • TP-Link
  • Veeam, and
  • Zoom