Microsoft is aware of public disclosure for just two of the vulnerabilities published today, and claims no evidence of in-the-wild exploitation.
Today sees six zero-day vulnerabilities patched, but only a single one is evaluated as critical severity. Microsoft is aware of public disclosure in three cases and exploitation in the wild in the remaining three.
Today’s release also includes the publication of five further critical remote code execution (RCE) vulnerabilities, although Microsoft expects that only one is likely to see exploitation. Fourteen browser vulnerabilities and a significant array of fixes for Azure Linux (aka Mariner) have already been published separately this month, and are not included in the total.
Alongside older versions of Exchange and Office, the behemoth that is Windows 10 receives its final security patches today, although there are some exceptions.
TPM 2.0: zero-day information disclosure
When the Trusted Computing Group (TCG) consortium’s TPM 2.0 reference implementation contains a flaw, under normal circumstances, that flaw is likely to be replicated in the downstream implementation by each manufacturer. That is the case with CVE-2025-2884, an information disclosure vulnerability which Microsoft is treating as a zero-day despite the curious circumstance that Microsoft is a founder member of TCG, and thus presumably privy to the discovery before its publication.
Windows 11 and newer versions of Windows Server receive patches. In place of patches, admins for older Windows products such as Windows 10 and Server 2019 receive another implicit reminder that Microsoft would strongly prefer that everyone upgrade.
Remote Access Connection Manager: zero-day EoP
Local elevation of privilege (EoP) is always attractive to an attacker, since even if it doesn’t get them where they need to be, it can provide an important link in the chain. Microsoft is already aware of exploitation in the wild for CVE-2025-59230, a vulnerability in the Windows Remote Access Connection Manager. With no user interaction required, this will go straight into an attacker’s standard toolkit.
There’s very little information in the advisory itself, but someone out there knows exactly how to exploit this vulnerability. Credit where credit is due: Microsoft detected the exploitation, and now we have patches for all supported versions of Windows.
Agere fax modem driver: pair of zero-day EoP
Are you a doctor, a lawyer, or a hipster? If so, you might be one of the holdouts who still feels the need to connect a fax machine to a computer, and you should brace yourself for some bad news, then some good news, and then some more bad news.
For starters, Microsoft has published two zero-day vulnerabilities in the Agere Modem driver: CVE-2025-24052, which is publicly disclosed, and CVE-2025-24990, which has already been exploited in the wild. The vulnerable driver ships with every version of Windows, up to and including Server 2025. Maybe your fax modem uses a different chipset, and so you don’t need the Agere driver? Perhaps you’ve simply discovered email? Tough luck. Your PC is still vulnerable, and a local attacker with a minimally privileged account can elevate to administrator.
The good news is that Microsoft is patching both of these vulnerabilities today. The sting in the tail is that they’re fixing the glitch by removing the vulnerable driver altogether, so if you are still using a fax modem with an Agere chipset, no fax for you!
IGEL OS: UEFI zero-day
If you don’t run thin clients targeting Windows environments, you might be unaware of the existence of IGEL OS, but today’s publication of the advisory for CVE-2025-47827 – which is a zero-day vulnerability – may put it on the radar a little more widely. Successful exploitation abuses overly lax cryptographic verification of the root filesystem, and allows bypass of Secure Boot. Microsoft is aware of exploitation in the wild, and is offering patches for the usual array of Windows products.
The advisory doesn’t explain what the Windows patches are protecting against when the flaw is in IGEL OS itself. However, the write-up by the original discoverer contains a significant amount of interesting backstory, and we can infer that the Windows patches will include additions to the UEFI revocation list, theoretically rendering a specific asset immune to this attack.
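The UEFI revocation list the author refers to is the Secure Boot "dbx" variable, a concatenation of EFI_SIGNATURE_LIST structures that firmware consults before loading a boot component. As an added illustration, not code from the article or from Microsoft or IGEL, the following parses such a blob and checks whether a component's SHA-256 hash is revoked. The blob and the "boot component" are constructed placeholders; the real IGEL asset hash is not on the page and is not assumed here.

```python
"""Parse a UEFI signature database (dbx) blob and test whether a given
boot component's SHA-256 hash is revoked.

Added example, not from the original article. The dbx blob below is
constructed inline from a placeholder image; real contents come from the
firmware variable (or from the Windows update the article speculates will
extend the revocation list).
"""
import hashlib
import struct
import uuid

# Signature-list type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (GUID, mixed-endian on disk),
# SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 little-endian).
_LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob):
    """Yield (type_guid, [signature_data, ...]) for each EFI_SIGNATURE_LIST.

    Raises ValueError on truncated or inconsistent headers rather than
    silently reading past the end of the buffer.
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size <= 16:  # every entry starts with a 16-byte SignatureOwner GUID
            raise ValueError("bad SignatureSize")
        entries = []
        pos = off + _LIST_HDR.size + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA: SignatureOwner GUID followed by SignatureData.
            entries.append(blob[pos + 16:pos + sig_size])
            pos += sig_size
        yield uuid.UUID(bytes_le=type_raw), entries
        off = end


def revoked_sha256_hashes(blob):
    """Set of raw SHA-256 digests found in EFI_CERT_SHA256 lists."""
    return {e for t, es in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID for e in es}


def is_revoked(blob, image_bytes):
    """True if the SHA-256 of image_bytes appears in a dbx SHA-256 list."""
    return hashlib.sha256(image_bytes).digest() in revoked_sha256_hashes(blob)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used for the sample)."""
    sig_size = 16 + 32  # owner GUID + digest
    body = b"".join(owner.bytes_le + h for h in hashes)
    list_size = _LIST_HDR.size + len(body)
    return _LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, list_size, 0, sig_size) + body


# Constructed sample: a placeholder boot component and a dbx that revokes it.
PLACEHOLDER_IMAGE = b"placeholder boot component, not a real IGEL asset"
SAMPLE_DBX = build_sha256_list([hashlib.sha256(PLACEHOLDER_IMAGE).digest()])

if __name__ == "__main__":
    print("placeholder revoked:", is_revoked(SAMPLE_DBX, PLACEHOLDER_IMAGE))
    print("other image revoked:", is_revoked(SAMPLE_DBX, b"some other image"))
```

On a Windows host the raw variable can be read with the built-in `Get-SecureBootUEFI -Name dbx` cmdlet and fed to `parse_signature_lists`; dbx update files distributed by the UEFI Forum carry an authentication header in front of the lists, which this parser does not strip.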
AMD: zero-day information disclosure
Every so often, a processor vulnerability gets some attention. When they are included in a set of Patch Tuesday vulns, processor vulnerabilities tend to march to the beat of their own drummer, since Microsoft likely has very little control over how or when these are announced.
AMD published CVE-2025-0033 yesterday, and Microsoft has responded with its own advisory today. The flaw affects only fairly recent AMD EPYC processors, which are more likely to be found in a cloud data centre than they are in a metal box underneath your desk.
This is technically a zero-day vulnerability, since Microsoft is acknowledging that at least some products are affected, and there’s no patch yet. Specifically, Microsoft acknowledges that patches are needed for several variants of Azure Confidential Compute VM, and that they are working towards providing those patches.
There isn’t anything much to do here yet from a Windows administration perspective, since AMD’s advisory understandably addresses only the underlying hardware, and Microsoft hasn’t said anything yet about any possible impact on Windows itself.
Windows Server Update Service: critical pre-auth RCE
The Windows Server Update Service (WSUS) provides admins with some very handy features. You can download updates from Microsoft once and then redistribute them locally. It also allows scheduling of deployments to minimise impact on business activities, as well as centralised monitoring of updates. What’s not to love, right?
Answer: CVE-2025-59287, a critical RCE which allows an attacker to execute code remotely. Although Microsoft isn’t currently claiming knowledge of disclosure or exploitation in the wild, they do consider exploitation more likely. Although the advisory doesn’t explicitly mark this one out as a pre-authentication RCE, the CVSS v3 base score of 9.8 tells an alarming story: a network attack vector, no privileges required, and low attack complexity. Patches are available for all versions of Windows Server.
Taking all that into account, along with the Acknowledgements section of the advisory, a good time to apply these patches is right meow.
Microsoft lifecycle update
Today marks the end of an era, sort of. As Rapid7 has previously noted, today marks the end of support for non-LTSC versions of Windows 10. Of course, there’s a lot of nuance here.
First, let’s address Windows 10 Long Term Support Channel (LTSC) installations, which are Microsoft’s way of providing risk-averse enterprise customers with the same exact OS almost indefinitely. An LTSC installation never has to worry about huge feature updates, but instead receives only security patches.
All versions of Windows 10 LTSC will continue to receive security updates for quite some time, with the exception of Windows 10 Enterprise LTSC 2015, which is now too old even for Microsoft to support. Still, that’s been an extra eight and a half years of security updates compared to the equivalent non-LTSC version of Windows 10. When you’re relying on Windows 10 for the safe operation of an MRI scanner or a critical industrial control system at a steel plant, stability is key.
A frank discussion of whether or not Windows is the optimal choice in these scenarios is beyond the scope of this analysis. Regular LTSC runs until 2027, whereas IoT Enterprise LTSC 2021 is scheduled to limp onwards all the way until January 2032.
It’s likely that Microsoft’s Extended Security Update (ESU) offering will be much more widely discussed in the coming weeks than is typical. Through the ESU program, Microsoft provides additional security updates for software that has passed its end-of-support date. It is generally a paid “cash for updates” service, although consumers in the European Union can take advantage of Microsoft’s offer of one free year of ESU for Windows 10 Home or Professional.
It may well be a coincidence that Microsoft has extended this generous offer only to consumers in a large jurisdiction with strong consumer rights. Users without spare cash or an EU home address can consider syncing their PC settings to OneDrive – make sure to enable multi-factor authentication on your Microsoft account if you do this – or spending 1,000 Microsoft Rewards points, if you know what those are and have some to spare.
Microsoft, of course, has been pushing us all to upgrade to Windows 11 for a long time, but this leaves some people out in the cold. Windows 10 users without the cash to upgrade to Windows 11-compatible PC hardware or the IT situational awareness to realise that they are now at increased risk of compromise will now drift further and further away from a solid security stance.
Not for the first time, the most vulnerable users with the fewest resources will end up in the most precarious situation.
Also receiving their final guaranteed patches today: Office 2016 and Office 2019. Another significant change: both Exchange 2016 and Exchange 2019 are now entirely replaced by Exchange Server Subscription Edition.
A huge amount of lifecycle change today, and one which Microsoft has been building towards for many years now. The full impact may not become clear for a while, especially with the retirement of Windows 10.