October 2025 Patch Tuesday – 172 flaws fixed including 6 zero-days (Windows 10 end-of-support)

Microsoft’s October 2025 Patch Tuesday delivered fixes for 172 vulnerabilities across Windows and related products, including six zero-day flaws (vulnerabilities publicly disclosed or exploited before a patch was available). The updates also address eight “Critical” issues (five remote code execution and three elevation of privilege vulnerabilities). Notably, this is the final Patch Tuesday that provides free security updates for consumer versions of Windows 10, which reaches its end of support this month.

The breakdown of vulnerabilities by type is as follows:

  • 80 Elevation of Privilege vulnerabilities
  • 11 Security Feature Bypass vulnerabilities
  • 31 Remote Code Execution vulnerabilities
  • 28 Information Disclosure vulnerabilities
  • 11 Denial of Service vulnerabilities
  • 10 Spoofing vulnerabilities

(These counts exclude issues addressed earlier in October for Microsoft Edge, Azure Linux (Mariner), and other products not updated on Patch Tuesday.)

Microsoft noted that six zero-day vulnerabilities were patched in total (i.e. flaws known or exploited prior to the patch): three were publicly disclosed and three were actively exploited in the wild. Below we summarize these zero-days and other critical updates from the October 2025 release.

Zero-day Vulnerabilities Patched

  • Windows Fax Modem Driver (Agere) – CVE-2025-24990 & CVE-2025-24052: Two privilege escalation flaws in a legacy fax/modem driver (Agere) that ships with all supported Windows versions. One of these (CVE-2025-24990) was being actively exploited by attackers, while the other (CVE-2025-24052) was publicly disclosed without evidence of in-the-wild abuse. Microsoft’s update removes the vulnerable driver from Windows entirely, thereby mitigating the threat but also disabling any fax/modem hardware that relies on that driver. (Microsoft warned that after this patch, related fax modem devices “will cease functioning” on Windows.)
  • Windows Remote Access Connection Manager (RasMan) – CVE-2025-59230: An elevation of privilege vulnerability in the Remote Access Connection Manager service (used for VPN and dial-up connections) that was exploited in the wild to gain SYSTEM-level privileges. Notably, this flaw requires no user interaction, making it an attractive tool for attackers to elevate privileges after gaining initial access. Microsoft credits its Threat Intelligence Center and Security Response Center for discovering this exploit and has released patches for all supported Windows versions.
  • Secure Boot Bypass (IGEL OS) – CVE-2025-47827: A vulnerability in IGEL OS (a Linux-based thin client OS) that allows UEFI Secure Boot to be bypassed. It leverages improperly verified cryptographic signatures, letting a crafted malicious file system be loaded as a boot image and defeating the Secure Boot trust chain. This issue was observed being exploited in the wild. Microsoft’s update for Windows addresses the threat, likely by adding the compromised IGEL boot component to the UEFI revocation list (thus preventing it from running).
  • AMD EPYC / SEV-SNP Memory Corruption – CVE-2025-0033: A hardware-level issue in AMD’s Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP) for EPYC processors, disclosed by AMD, which could allow a malicious or compromised hypervisor to corrupt Reverse Map Table (RMP) entries during VM initialization. This could undermine the memory integrity of confidential VMs (though it does not leak plaintext data or secrets). Microsoft is treating this as a zero-day, acknowledging that Azure confidential computing VMs are affected, but no Windows OS patch is yet available for this specific vulnerability. Security updates for Azure’s affected infrastructure are in progress, and customers will be notified when those are ready to deploy.
  • TPM 2.0 Reference Implementation Flaw – CVE-2025-2884: An out-of-bounds read vulnerability in the Trusted Computing Group’s TPM 2.0 reference implementation, which by extension can affect many vendors’ TPM modules. It could result in information disclosure or a denial-of-service condition in the TPM hardware. Microsoft is treating this as a zero-day scenario. Patches were released for Windows 11 and newer Windows Server editions, but notably older platforms such as Windows 10 and Server 2019 were not patched for this bug. (Administrators of those older systems are implicitly being encouraged to upgrade to a supported OS for continued protection.)

Other Notable Updates in October 2025

  • Microsoft Office RCE via Preview Pane (CVE-2025-59227 & CVE-2025-59234): Two critical vulnerabilities in Microsoft Office that allow code execution simply by previewing a malicious document – for example, viewing an email attachment in the Outlook Preview Pane – without needing to open the file explicitly. An attacker could trick a user into previewing a crafted Office file to compromise their system. Users should ensure Office updates are applied, as these fixes close a potentially zero-click attack vector.
  • Windows Server Update Services RCE (CVE-2025-59287): A critical CVSS 9.8 rated flaw in WSUS (Windows Server Update Services). It can enable an unauthenticated remote attacker with network access to execute arbitrary code on the WSUS server by sending it specially crafted data. While Microsoft has not seen active exploitation yet, it has marked this bug as “exploitation more likely.” Given the network-facing nature of WSUS and the fact that it runs with high privileges, a successful exploit could give an attacker free rein over the update server and even allow abuse of the trusted patch distribution process. It is urgent to patch all WSUS servers to prevent any potential compromise.
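The following PowerShell inventory is an added example, not part of the original article or any Microsoft tooling. It gathers the host facts a defender needs to prioritise the zero-day and WSUS items described above: whether the Agere modem driver is still present after patching, whether RasMan is running, whether Secure Boot is on (so the UEFI revocation actually matters), the TPM specification version, and whether the WSUS role is installed. It assumes the Agere driver can be matched by its device or manufacturer name (the article does not give the driver file name) and that WSUS detection via the UpdateServices role applies only on Windows Server.

```powershell
# Added example (not from the original article). Run in an elevated session.
# Assumption: the Agere driver is matched by name only; the article gives no file name.
function Get-OctoberPatchExposure {
    $result = [ordered]@{}

    # CVE-2025-24990 / CVE-2025-24052: legacy Agere fax modem driver. The October
    # update removes it, so any hit here means the host still carries it.
    $agere = Get-CimInstance Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -like '*Agere*' -or $_.Manufacturer -like '*Agere*' }
    $result.AgereModemDriverPresent = [bool]$agere

    # CVE-2025-59230: Remote Access Connection Manager (RasMan). Service state
    # helps rank hosts where an unpatched local EoP chain would succeed.
    $rasman = Get-Service -Name RasMan -ErrorAction SilentlyContinue
    $result.RasManStatus = if ($rasman) { $rasman.Status.ToString() } else { 'NotInstalled' }

    # CVE-2025-47827: Secure Boot bypass handled via UEFI revocation. A host with
    # Secure Boot disabled gains nothing from the revocation-list update.
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = 'Unsupported' }

    # CVE-2025-2884: TPM 2.0 reference implementation flaw. Record the spec
    # version so Windows 10 / Server 2019 hosts (not patched) can be flagged.
    $tpm = Get-CimInstance -Namespace root/cimv2/security/microsofttpm `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmSpecVersion = if ($tpm) { $tpm.SpecVersion } else { 'None' }

    # CVE-2025-59287: WSUS RCE. Only servers with the UpdateServices role are exposed;
    # Get-WindowsFeature exists only on Windows Server, so clients report $false.
    $hasFeatureCmd = Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue
    $result.WsusRoleInstalled = if ($hasFeatureCmd) {
        (Get-WindowsFeature -Name UpdateServices).Installed
    } else { $false }

    # OS caption shows whether the host is a Windows 10 SKU that just left free support.
    $result.OSVersion = (Get-CimInstance Win32_OperatingSystem).Caption
    [pscustomobject]$result
}

Get-OctoberPatchExposure | Format-List
```

Feed the output into your asset inventory: hosts reporting AgereModemDriverPresent = True or WsusRoleInstalled = True after the update cycle are the ones to re-check first.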

Windows 10 End of Support and Upgrade Options

October 2025’s Patch Tuesday marks the end of free support for Windows 10 (non-LTSC editions). Going forward, Windows 10 Home and Pro users will no longer receive monthly security patches unless they enroll in Microsoft’s Extended Security Updates (ESU) program. Through ESU, Microsoft offers paid post-end-of-life patches: generally one year of extended updates for consumers (Home/Pro) and up to three years for enterprise customers (Enterprise editions). Notably, Microsoft is providing one free year of ESU for Windows 10 Home/Pro users in the European Union, likely due to consumer protection regulations. Outside of that, the ESU service costs around $30 USD per year (and Microsoft account holders may be offered the first year free when enrolling the device). ESUs only deliver security fixes, with no new features or technical support.

It’s worth mentioning that Windows 10 Enterprise LTSC (Long-Term Servicing Channel) releases remain supported beyond this date – for example, Windows 10 Enterprise LTSC 2019 and 2021 will receive security updates until 2029 and 2027 respectively, and IoT Enterprise LTSC until 2032. However, the vast majority of Windows 10 installations (consumer and business editions on the semi-annual channel) are now considered end-of-life. Microsoft’s recommended path is to upgrade systems to Windows 11, but this requires compatible hardware that not all Windows 10 PCs have.

In addition to Windows 10, several other Microsoft products reached their end-of-life in October 2025. This was the final patch release for: Office 2016 and Office 2019 (client apps), Exchange Server 2016 and 2019 (now fully replaced by Exchange Subscription Edition), Skype for Business 2016, and Windows 11 IoT Enterprise 22H2, among others. Organizations using these should plan to upgrade to supported versions or cloud services moving forward.

For users who cannot upgrade to Windows 11 and choose not to pay for extended support, another option to stay secure is to switch to a Linux distribution on older hardware. User-friendly Linux variants such as Linux Mint can run on most PCs from the last decade (requiring as little as 2 GB of RAM) and come pre-loaded with LibreOffice, which can open and edit Microsoft Office files. Interested users can even try running Linux from a USB drive (a “live USB” session) to test it out without installing, as a safe way to evaluate this alternative.

In summary, the October 2025 Patch Tuesday is significant both in scope and in marking the end of an era (Windows 10). Administrators and users should promptly apply the updates – especially for critical and zero-day flaws – and take steps to transition away from legacy software that is no longer receiving security patches. This will ensure systems remain protected against the latest threats.