Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws

Today is Microsoft’s October 2025 Patch Tuesday, which includes security updates for 172 flaws, including six zero-day vulnerabilities.

This Patch Tuesday also addresses eight “Critical” vulnerabilities, five of which are remote code execution vulnerabilities and three are elevation of privilege vulnerabilities.

When BleepingComputer reports on the Patch Tuesday security updates, we only count those released today by Microsoft. Therefore, the number of flaws does not include those fixed in Azure, Mariner, Microsoft Edge, and other vulnerabilities earlier this month.

Notably, Windows 10 reaches the end of support today, with this being the last Patch Tuesday where Microsoft provides free security updates to the venerable operating system.

To continue receiving security updates on Windows 10, consumers can sign up for a year of Extended Security Updates (ESU), and enterprises can sign up for a total of three years.

This month’s Patch Tuesday fixes two publicly disclosed zero-day flaws in Windows SMB Server and Microsoft SQL Server. Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.

Microsoft is removing an Agere Modem driver that was abused to gain administrative privileges.

“Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems,” explains Microsoft.

“This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update.”

Microsoft warns that removing this driver will cause related Fax modem hardware to cease functioning.

Microsoft has attributed the flaw to Fabian Mosch and Jordan Jay.

CVE-2025-59230 – Windows Remote Access Connection Manager Elevation of Privilege Vulnerability

Microsoft fixed a Windows Remote Access Connection Manager flaw that was exploited to gain SYSTEM privileges.

“Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally,” explains Microsoft.

Microsoft says attackers must “invest in some measurable amount of effort in preparation or execution” to successfully exploit the flaw.

The vulnerability has been attributed the flaw internally to Microsoft Threat Intelligence Center (MSTIC) & Microsoft Security Response Center (MSRC).

Microsoft has added fixes for a Secure Boot bypass in IGEL OS.

“In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image,” explains Microsoft.

The flaw was discovered by Zack Didcott and publicly disclosed in a GitHub writeup.

Microsoft is working on a fix for an AMD flaw that could impact memory integrity.

“CVE-2025-0033 is a vulnerability in AMD EPYC processors using Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP). It involves a race condition during Reverse Map Table (RMP) initialization that could allow a malicious or compromised hypervisor to modify RMP entries before they are locked, potentially impacting the integrity of SEV-SNP guest memory. This issue does not expose plaintext data or secrets and requires privileged control of the hypervisor to exploit,” explains Microsoft.

“Across Azure Confidential Computing products, multiple security guardrails are in place to prevent host compromise, combining isolation, integrity verification and continuous monitoring. All host operations follow audited and approved management pathways, with administrative access strictly controlled, limited and logged. Together, these protections reduce the risk of host compromise or unauthorized memory manipulation, helping ensure that confidential workloads and customer VMs maintain their confidentiality and integrity on Azure hosts.”

Microsoft states that the security updates for this vulnerability in Azure Confidential Computing’s (ACC) AMD-based clusters are not yet complete. Customers will be notified via Azure Service Health Alerts when they are available to deploy.

The flaws were publicly disclosed by AMD yesterday and discovered by Benedict Schlueter, Supraja Sridhara, and Shweta Shinde from ETH Zurich.

This is a similar flaw to CVE-2025-24990, described above, which appears to have been publicly disclosed as well.

Microsoft reiterates that the flaw impacts all versions of Windows and that the modem does not have to be used to exploit the flaw.

“All supported versions of Windows can be affected by a successful exploitation of this vulnerability, even if the modem is not actively being used,” explains Microsoft.

This CVE is not attributed to any researchers.

CVE-2025-2884 – Cert CC: CVE-2025-2884 Out-of-Bounds read vulnerability in TCG TPM2.0 reference implementation

Microsoft has fixed a TCG TPM 2.0 flaw that could lead to information disclosure or denial of service of the TPM.

“CVE-2025-2884 is regarding a vulnerability in CG TPM2.0 Reference implementation’s CryptHmacSign helper function that is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key’s algorithm,” explains Microsoft.

“CERT/CC created this CVE on their behalf. The documented Windows updates incorporate updates in CG TPM2.0 Reference implementation which address this vulnerability. Please see CVE-2025-2884 for more information.”

The flaw has been attributed to the Trusted Computing Group (TCG) and an anonymous researcher. TCG publicly disclosed the flaw in this writeup.

Below is the complete list of resolved vulnerabilities in the October 2025 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.