Patch Tuesday October 2025: A Record-Breaking Release Marks the End of Windows 10 Era

October 2025’s Patch Tuesday delivers Microsoft’s largest single-month security update on record with 172 vulnerabilities along with Windows 10’s end of support finally arriving. Three zero-day vulnerabilities are under active exploitation, two additional vulnerabilities were publicly disclosed before patches shipped, and organizations face the operational reality of either migrating to Windows 11 or enrolling in Extended Security Updates. This convergence will test patch management infrastructure and operations across organizations of all sizes.

Microsoft Vulnerabilities

Microsoft has addressed 172 new vulnerabilities this October, marking the highest count in Patch Tuesday history and substantially exceeding any previous monthly release in 2025. The distribution includes eight Critical-rated vulnerabilities, with five classified as Remote Code Execution flaws and three as Elevation of Privilege issues. Among these, Microsoft has confirmed three zero-day vulnerabilities are being actively exploited in the wild, while two additional zero-day vulnerabilities were publicly disclosed prior to patches becoming available.

The sheer volume of fixes, combined with the critical nature of several of the vulnerabilities as well as the Windows 10 end-of-support milestone, makes this not just the biggest but also one of the most consequential Patch Tuesdays in recent memory.

CVE-2025-24990: Windows Agere Modem Driver Elevation of Privilege

CVE-2025-24990 stands as one of three actively exploited zero-day vulnerabilities addressed this month. This vulnerability resides in the third-party Agere Modem driver (ltmdm64.sys), a legacy component that has shipped natively with supported Windows operating systems for years. The driver, originally designed for software-based dial-up modems and fax functionality, contains an elevation of privilege vulnerability that allows attackers to gain administrator-level access to affected systems.

What makes this vulnerability particularly concerning is its exploitation potential across all supported Windows versions, even when modem hardware is not present. With the popularity of Bring Your Own Vulnerable Driver attacks that can be used for Endpoint Detection and Response (EDR) evasion tactics, having a vulnerable driver already present on devices would make it attractive for exploitation. Microsoft’s response has been to permanently remove the driver in the October cumulative update due to its legacy nature. Organizations should be aware that any fax modem hardware dependent on the ltmdm64.sys driver will cease functioning after applying this update. The Cybersecurity and Infrastructure Security Agency has added this vulnerability to its Known Exploited Vulnerabilities Catalog with a remediation deadline of November 4, 2025.

This vulnerability requires immediate prioritization regardless of whether fax functionality is actively used. The universal presence of this driver across Windows installations means every managed endpoint is potentially affected.

CVE-2025-59230: Windows Remote Access Connection Manager Elevation of Privilege

CVE-2025-59230 represents the second actively exploited zero-day, targeting the Windows Remote Access Connection Manager (RasMan), a core service responsible for managing dial-up and VPN connections. This improper access control vulnerability enables authenticated attackers to elevate privileges locally to SYSTEM level, effectively granting complete control over the compromised machine.

The Remote Access Connection Manager has received frequent fixes via Patch Tuesday however, this marks the first instance of a RasMan vulnerability being exploited in the wild as a zero-day. The exploitation scenario is particularly dangerous for environments where attackers have already established an initial foothold through phishing, malware delivery, or other exploitation vectors. Once local access is achieved, CVE-2025-59230 provides a straightforward path to full system compromise.

This vulnerability underscores the importance of defense-in-depth strategies. While the vulnerability requires local access to exploit, the SYSTEM-level privileges it grants enable attackers to install persistent backdoors, disable security controls, exfiltrate sensitive data, or use the compromised system as a pivot point for lateral movement. CISA has also added this vulnerability to its KEV Catalog with a November 4, 2025 remediation deadline.

CVE-2025-47827: IGEL OS Secure Boot Bypass

CVE-2025-47827 is the third actively exploited zero-day vulnerability, though it affects a more specialized environment. This vulnerability exists in IGEL OS versions before 11 and allows attackers to bypass the Secure Boot process. IGEL OS can be deployed to repurpose Windows PCs as secure, centrally managed thin clients for virtual desktops, kiosks, and other single-purpose devices, with widespread use in healthcare, education, retail, and industrial settings.

The vulnerability stems from improper cryptographic signature verification in the igel-flash-driver module. When exploited, attackers can present crafted SquashFS images that the system accepts and mounts as the root filesystem, effectively circumventing Secure Boot protections. The impact of a Secure Boot bypass is significant, allowing deployment of kernel-level rootkits, unrestricted access to the IGEL OS itself, and potentially the ability to tamper with virtual desktop connections, including capturing user credentials.

It should be noted that exploitation typically requires physical access to the device, significantly reducing the potential risk exposure of this vulnerability. This is particularly relevant for organizations with employees who travel frequently or which have devices deployed in public-facing locations. Windows systems require patching for this vulnerability because Microsoft’s Secure Boot infrastructure trusted the vulnerable IGEL component through its UEFI Certificate Authority.

Additional Publicly Disclosed Zero-Days

CVE-2025-24052 is another elevation of privilege vulnerability affecting the same Agere Modem Driver as CVE-2025-24990. While this vulnerability was publicly disclosed prior to patch availability, it has not been observed being exploited in the wild. Microsoft’s removal of the ltmdm64.sys driver addresses both CVE-2025-24990 and CVE-2025-24052 simultaneously.

CVE-2025-2884 is a publicly known vulnerability affecting the CG TPM2.0 Reference implementation’s CryptHmacSign helper function. This out-of-bounds read vulnerability stems from inadequate validation of the signature scheme with the signature key’s algorithm, potentially leading to information disclosure. The vulnerability was disclosed by CERT/CC on behalf of the Trusted Computing Group (TCG) and impacts trusted platform modules integral to secure boot processes. Microsoft’s October updates incorporate fixes from the CG TPM2.0 Reference implementation to address this vulnerability.

CVE-2025-55234 is an elevation of privilege vulnerability in Windows SMB that has been publicly disclosed but not exploited in the wild. Rated as Important with a CVSS v3.1 score of 8.8, this vulnerability affects all Windows operating systems. The code maturity is unproven, meaning no functional exploit code samples have been publicly disclosed, though the existence of the vulnerability is known to potential attackers.

The End of Windows 10: Extended Security Updates

October 14, 2025 marks the end of an era as Windows 10 reaches its official end of support date. Microsoft has released KB5066791, the final cumulative update providing free security patches for the operating system that has served as the primary desktop platform for over a decade. This transition creates significant implications for SMBs and MSPs.

Microsoft continues to offer Extended Security Updates (ESU) for Windows 10, providing critical and important security updates for up to three additional years at an additional cost. For consumers, ESU is available for one year; for enterprises and commercial customers, ESU extends to three years. The ESU program delivers security updates through familiar channels like Windows Update, but organizations must explicitly enroll and pay for this extended coverage. Users of N‑able’s Patch Management Engine will be able to continue managing Windows 10 patching for devices regardless of ESU enrollment status for any updates the devices qualify for according to Microsoft.

Notably, Microsoft has committed to patching Microsoft 365 Apps on Windows 10 during the ESU period, which partially mitigates security concerns for productivity software. However, this commitment only covers the Office suite, not the underlying operating system. Every Windows 10 machine continuing past end of support carries additional licensing costs, creates patch management complexity with the need for separate update catalogs, and requires specialized GPO or Intune policies to manage ESU-specific channels.

For MSPs, the Windows 10 end-of-support transition represents a longer-term challenge that will define client relationships through 2028. Organizations must make informed decisions about Extended Security Update enrollment versus Windows 11 migration, understanding the full operational and financial implications of each path. MSPs should position themselves as strategic advisors in this transition, helping clients understand that ESU is a bridge, not a destination, and that migration planning timelines grow more compressed with each passing month.

Vulnerability Prioritization

Effective vulnerability management requires moving beyond single-dimensional severity assessments to incorporate temporal risk factors and real-world exploitation data. While CVSS scores provide a baseline understanding of technical impact, they fail to account for the window of vulnerability—the critical period between disclosure and patch deployment where exploitation risk escalates exponentially.

SMBs and MSPs should implement automated risk scoring frameworks that integrate multiple intelligence sources: CISA Known Exploited Vulnerabilities listings for confirmed active threats, Microsoft’s Exploitability Index assessments for likelihood metrics, and threat intelligence feeds for emerging attack patterns. This multi-dimensional approach ensures that vulnerabilities Under Active Exploitation receive immediate prioritization regardless of their nominal severity rating, while accounting for both the technical impact and the operational reality of exploit availability. Organizations that continue relying exclusively on severity-based patching schedules expose themselves to preventable compromises, particularly from zero-day and publicly disclosed vulnerabilities that threat actors weaponize within hours of disclosure.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available

 Summary

As organizations look to strengthen their cyber resilience, they should integrate third-party patching priorities into their existing patch management routines, ensuring that traditionally Microsoft-focused processes expand to address the multi-vendor threat landscape that characterizes modern environments. The convergence of Actively Exploited vulnerabilities across multiple platforms underscores the importance of comprehensive, risk-based patch management strategies that extend beyond severity ratings to encompass real-world exploitation patterns and business-critical system exposure.

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If your approach has typically centered around patching based on severity alone, it’s crucial to expand your patch management strategies. Integrate priority handling into your Patch Management routines for patches related to zero-day vulnerabilities, vulnerabilities with Detected Exploitations, and those with a higher likelihood of exploitation. The convergence of Actively Exploited vulnerabilities across multiple vendors underscores the need for comprehensive, risk-based approaches that extend beyond traditional Microsoft-focused patch management to address the multi-vendor reality of modern business networks.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out the Patch Management section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on

LinkedIn: thesecuritypope

Twitch: cybersec_nerd