Microsoft on Tuesday launched fixes for a whopping 183 safety flaws spanning its merchandise, together with three vulnerabilities which have come below lively exploitation within the wild, because the tech large formally ended help for its Home windows 10 working system until the PCs are enrolled within the Prolonged Safety Updates (ESU) program.
Of the 183 vulnerabilities, eight of them are non-Microsoft issued CVEs. As many as 165 flaws have been rated as Essential in severity, adopted by 17 as Crucial and one as Average. The overwhelming majority of them relate to elevation of privilege vulnerabilities (84), with distant code execution (33), data disclosure (28), spoofing (14), denial-of-service (11), and safety characteristic bypass (11) points accounting for the remainder of them.
The updates are along with the 25 vulnerabilities Microsoft addressed in its Chromium-based Edge browser for the reason that launch of September 2025’s Patch Tuesday replace.
The 2 Home windows zero-days which have come below lively exploitation are as follows –
CVE-2025-24990 (CVSS rating: 7.8) – Home windows Agere Modem Driver (“ltmdm64.sys”) Elevation of Privilege Vulnerability
CVE-2025-59230 (CVSS rating: 7.8) – Home windows Distant Entry Connection Supervisor (RasMan) Elevation of Privilege Vulnerability
Microsoft mentioned each points might permit attackers to execute code with elevated privileges, though there are at present no indications on how they’re being exploited and the way widespread these efforts could also be. Within the case of CVE-2025-24990, the corporate mentioned it is planning to take away the driving force completely, fairly than problem a patch for a legacy third-party element.
The safety defect has been described as “harmful” by Alex Vovk, CEO and co-founder of Action1, because it’s rooted inside legacy code put in by default on all Home windows methods, no matter whether or not the related {hardware} is current or in use.
“The susceptible driver ships with each model of Home windows, as much as and together with Server 2025,” Adam Barnett, lead software program engineer at Rapid7, mentioned. “Possibly your fax modem makes use of a unique chipset, and so you do not want the Agere driver? Maybe you’ve got merely found e mail? Robust luck. Your PC continues to be susceptible, and a neighborhood attacker with a minimally privileged account can elevate to administrator.”
In accordance with Satnam Narang, senior workers analysis engineer at Tenable, CVE-2025-59230 is the primary vulnerability in RasMan to be exploited as a zero-day. Microsoft has patched greater than 20 flaws within the element since January 2022.
The third vulnerability that has been exploited in real-world assaults issues a case of Safe Boot bypass in IGEL OS earlier than 11 (CVE-2025-47827, CVSS rating: 4.6). Particulars concerning the flaw had been first publicly disclosed by safety researcher Zack Didcott in June 2025.
“The impacts of a Safe Boot bypass might be important, as risk actors can deploy a kernel-level rootkit, getting access to the IGEL OS itself and, by extension, then tamper with the Digital Desktops, together with capturing credentials,” Kev Breen, senior director of risk analysis at Immersive, mentioned.
“It ought to be famous that this isn’t a distant assault, and bodily entry is usually required to use this kind of vulnerability, which means that ‘evil-maid’ type assaults are the almost definitely vector affecting staff who journey incessantly.”
All three points have since been added to the U.S. Cybersecurity and Infrastructure Safety Company’s (CISA) Identified Exploited Vulnerabilities (KEV) catalog, requiring federal companies to use the patches by November 4, 2025.
Another vital vulnerabilities of observe embody a distant code execution (RCE) bug (CVE-2025-59287, CVSS rating: 9.8) in Home windows Server Replace Service (WSUS), an out-of-bounds learn vulnerability within the Trusted Computing Group (TCG) TPM2.0 reference implementation’s CryptHmacSign helper perform (CVE-2025-2884, CVSS rating: 5.3), and an RCE in Home windows URL Parsing (CVE-2025-59295, 8.8).
“An attacker can leverage this by rigorously developing a malicious URL,” Ben McCarthy, lead cybersecurity engineer at Immersive, mentioned. “The overflowed information might be designed to overwrite vital program information, resembling a perform pointer or an object’s digital perform desk (vtable) pointer.”
“When the appliance later makes an attempt to make use of this corrupted pointer, as an alternative of calling a respectable perform, it redirects this system’s execution circulation to a reminiscence deal with managed by the attacker. This permits the attacker to execute arbitrary code (shellcode) on the goal system.”
Two vulnerabilities with the best CVSS rating on this month’s replace relate to a privilege escalation flaw in Microsoft Graphics Element (CVE-2025-49708, CVSS rating: 9.9) and a safety characteristic bypass in ASP.NET (CVE-2025-55315, CVSS rating: 9.9).
Whereas exploiting CVE-2025-55315 requires an attacker to be first authenticated, it may be abused to covertly get round safety controls and perform malicious actions by smuggling a second, malicious HTTP request throughout the physique of their preliminary authenticated request.
“A company should prioritize patching this vulnerability as a result of it invalidates the core safety promise of virtualization,” McCarthy defined concerning CVE-2025-49708, characterizing it as a high-impact flaw that results in a full digital machine (VM) escape.
“A profitable exploit means an attacker who positive factors even low-privilege entry to a single, non-critical visitor VM can get away and execute code with SYSTEM privileges instantly on the underlying host server. This failure of isolation means the attacker can then entry, manipulate, or destroy information on each different VM operating on that very same host, together with mission-critical area controllers, databases, or manufacturing purposes.
