Patch Tuesday October 2025 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
For even more information, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.
Microsoft Vulnerabilities
October is Cybersecurity Awareness Month, a great opportunity to revisit patching priorities and legacy OS plans. It’s also a milestone moment: Microsoft is releasing the final regular update for Windows 10. From now on, only customers enrolled in the Extended Security Updates (ESU) program will continue receiving patches.
To help IT teams prepare for the post–Windows 10 era, we’ve published an on-demand webinar, “Windows 10 Endgame: The Final Patch”.
Fittingly for Cybersecurity Awareness Month, this Patch Tuesday sets a new record for 2025, with Microsoft addressing 173 vulnerabilities—far more than in recent months. Nine are rated critical, and six are zero-days: three already exploited and three with publicly available proof of concept (PoC). Below are highlights of the most important critical updates.
CVE-2025-59230: Windows Remote Access Connection Manager elevation of privilege vulnerability
The first zero-day is an elevation of privilege flaw in the Windows Remote Access Connection Manager (RACMAN) service, which manages VPN and remote access connections. Improper access controls (CWE-284) allow an authenticated user with low privileges to escalate to SYSTEM.
The issue appears to stem from how the RACMAN service validates and processes commands from lower-privileged users, failing to properly check authorization before executing privileged operations.
Key metrics
- Attack vector: Local (AV:L)
- Attack complexity: Low (AC:L)
- Privileges required: Low (PR:L)
- Base score: 7.8 (High)
- Temporal score: 7.2 (High)
Exploitation status
- In the wild: Yes, exploitation has been detected.
- Proof of concept: A functional exploit exists, though it may not be publicly available.
Affected systems
- Windows 10 and Windows 11 workstations
- Windows Server 2016, 2019, and 2022
Why this is dangerous
1. SYSTEM privileges grant full control of the compromised system.
2. The vulnerability can be used in attack chains to:
- Escalate privileges after initial access through phishing or other entry vectors
- Establish persistence following other exploits
- Bypass User Account Control (UAC)
- Support more advanced attacks against domain controllers when combined with lateral movement
3. Low exploitation complexity makes it accessible to threat actors with moderate skills.
Enterprise risk factors
Many organizations remain at risk, as remote access services are widely enabled and Windows still dominates enterprise environments. Active exploitation increases the urgency to patch quickly. For large environments or those with slower patch cycles, exposure may continue even after fixes are released.
What makes this zero-day particularly attractive to attackers is its reliability and the high-value outcome—consistent SYSTEM-level access without complex prerequisites.
CVE-2025-24990: Windows Agere Modem Driver elevation of privilege vulnerability
Another zero-day affects the Agere Modem driver (ltmdm64.sys), which ships natively with Windows operating systems. The vulnerability is an Untrusted Pointer Dereference (CWE-822), occurring when the driver fails to properly validate user-supplied pointers before dereferencing them in kernel mode. This flaw allows attackers to manipulate memory structures with kernel-level privileges.
The issue is especially concerning because it exists in legacy hardware support code still installed by default on Windows systems, even when the associated hardware is absent or unused.
Key metrics
- Attack vector: Local (AV:L)
- Attack complexity: Low (AC:L)
- Privileges required: Low (PR:L)
- Base score: 7.8 (High)
- Temporal score: 7.2 (High)
Exploitation status
- In the wild: Yes, active exploitation detected
- Proof of concept: A working exploit exists
- Public disclosure: None prior to the security bulletin
Affected systems
- All supported Windows desktop and server versions
- Systems with or without Agere modem hardware
Why this is dangerous
1. Because the vulnerability operates in kernel mode, attackers can gain the highest level of privileges, enabling:
- Full system compromise
- Access to protected system resources
- Disabling of security controls
- Installation of persistent backdoors
2. In advanced attack chains, it could be used to:
- Escape application sandboxes
- Maintain persistence after initial compromise
- Deploy additional malware with system privileges
- Move laterally within enterprise networks
- Tamper with security tools on the affected system
3. The risk is amplified because:
- Exploitation does not depend on the presence of the actual hardware
- Microsoft chose to remove the vulnerable driver entirely instead of patching it
- The exploitation complexity is low
Enterprise impact
The potential exposure is extensive, with the vulnerable driver present by default across most Windows installations. Organizations with legacy systems relying on Agere modem hardware face an added challenge, as the hardware will no longer function after the October cumulative update.
Active exploitation confirms that threat actors are already using this zero-day. Microsoft’s decision to remove the driver rather than patch it suggests that the flaw is deeply rooted in its design and cannot be fixed without breaking functionality. This elevates both the security and operational risks for affected environments.
CVE-2025-24052: Windows Agere Modem Driver elevation of privilege vulnerability
This zero-day affects the Agere Modem driver (ltmdm64.sys), which ships by default with Windows. It is a stack-based buffer overflow (CWE-121) caused by improper validation of input buffer sizes before copying data to a fixed-size stack buffer. The resulting memory corruption can lead to kernel-level code execution and privilege escalation.
The flaw resides in legacy driver code that remains installed on modern systems even when the corresponding hardware is not present. That increases exposure across many devices.
Key metrics
- Attack vector: Local (AV:L)
- Attack complexity: Low (AC:L)
- Privileges required: Low (PR:L)
- Base score: 7.8 (High)
- Temporal score: 7.0 (High)
Exploitation status
- In the wild: No confirmed exploitation detected
- Proof of concept: A PoC exists, though it may not be fully weaponized
- Public disclosure: Yes, the vulnerability has been publicly disclosed
Affected systems
- All supported Windows desktop versions (Windows 10, Windows 11)
- All supported Windows Server versions
- Systems with or without physical Agere modem hardware
Why this is serious
- As a kernel-mode flaw, successful exploitation can execute arbitrary code at the highest privilege level, enabling full system compromise and persistence.
- In complex attack chains, it can be used for post-compromise privilege escalation, sandbox escape, lateral movement, and to undermine security tools that rely on kernel components.
- The stack-based overflow can allow execution of shellcode, corruption of kernel data structures, and control of program flow.
Operational impact
Microsoft has removed the driver rather than patching it, which removes the vulnerability but creates compatibility problems for organizations that still rely on Agere modem hardware. Microsoft’s “Exploitation More Likely” assessment, together with public disclosure and an available PoC, means the window for weaponization is narrowing even though no active exploitation has been confirmed.
CVE-2025-0033: AMD RMP corruption during SNP initialization
Another zero-day disclosed the day before Patch Tuesday is a critical vulnerability in AMD EPYC processors implementing Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP) technology. The flaw stems from a race condition during initialization of the Reverse Map Table (RMP), a key SEV-SNP structure that tracks ownership and permissions of physical memory pages.
During the SNP initialization process, there is a timing window where RMP entries are configured but not yet locked. A privileged attacker could exploit this gap to modify RMP entries, potentially allowing a compromised hypervisor to alter the security attributes of memory pages assigned to confidential virtual machines (VMs), undermining SEV-SNP’s security guarantees.
Key metrics
- Attack vector: Local (AV:L)
- Attack complexity: Low (AC:L)
- Privileges required: High (PR:H)
- Base score: 8.2 (High)
- Temporal score: 7.1 (High)
Exploitation status
- In the wild: No known exploitation
- Proof of concept: No public exploit available (Exploit Code Maturity: Unproven)
- Public disclosure: Yes, disclosed by AMD on October 13, 2025
Affected systems
- AMD EPYC processors with SEV-SNP capability
- Virtualization environments using AMD SEV-SNP for confidential computing
- Cloud platforms offering AMD-based confidential computing services
- On-premises private clouds running SEV-SNP-enabled hardware
Why this matters
1. The vulnerability undermines the core security boundaries of confidential computing by:
- Breaking hardware-enforced isolation between hypervisor and guest VMs
- Allowing modification of protected VM memory
- Potentially affecting attestation mechanisms in SEV-SNP environments
2. In advanced attacks, it could enable:
- Circumvention of SEV-SNP encryption and isolation protections
- Manipulation of memory contents in confidential VMs
- Injection of malicious code into protected workloads
- Facilitation of side-channel attacks
3. It could also combine with:
- Hypervisor privilege escalation flaws
- Other AMD processor vulnerabilities
- Supply chain attacks targeting confidential computing infrastructure
Impact and risk
Only a small number of organizations operate SEV-SNP-enabled systems, typically large cloud providers, government entities, financial institutions, and healthcare organizations handling highly sensitive data. Exploitation is limited by the need for hypervisor-level access and deep technical knowledge of SEV-SNP.
Major cloud providers like Microsoft Azure mitigate this risk through strict administrative controls, layered defenses, and continuous integrity monitoring. While the vulnerability is serious, practical exploitation is unlikely for most environments. However, in targeted attacks against high-value confidential computing systems, it remains a significant concern requiring prompt patching once updates are available.
CVE-2025-59287: Windows Server Update Service (WSUS) remote code execution vulnerability
This is a critical vulnerability in Windows Server Update Services (WSUS), a core part of Microsoft’s enterprise patching infrastructure. It is a deserialization of untrusted data issue (CWE-502) that allows WSUS to deserialize attacker-controlled objects without adequate validation, which can lead to remote code execution in the context of the WSUS service.
The root cause appears to be an unsafe legacy serialization mechanism that processes incoming network events. WSUS fails to validate object types before deserialization, letting an attacker supply malicious serialized objects that execute code when deserialized. The service typically runs with SYSTEM privileges, so successful exploitation can run code with high privileges.
Key metrics
- Attack vector: Network (AV:N)
- Attack complexity: Low (AC:L)
- Privileges required: None (PR:N)
- Base score: 9.8 (Critical)
- Temporal score: 8.5 (High)
Exploitation status
- In the wild: No known exploitation at time of disclosure
- Proof of concept: No public exploit available (Exploit Code Maturity: Unproven)
- Public disclosure: No public disclosure prior to patch release
Affected systems
- Windows servers running WSUS
- Systems configured as WSUS servers in enterprise environments
- All supported Windows Server versions with the WSUS role installed
- Both dedicated WSUS servers and multi-purpose servers running WSUS
Why this is dangerous
- WSUS normally runs with SYSTEM privileges, so exploitation grants the attacker the highest local privileges.
- WSUS servers usually have network connectivity to many endpoints, and may be internet-accessible if misconfigured.
- Successful exploitation could allow an attacker to deploy malicious updates to managed systems, enabling widespread compromise and persistent backdoors.
- As part of an attack chain, it could be combined with other infrastructure vulnerabilities or supply chain techniques to amplify impact.
Enterprise impact
- Many medium to large enterprises rely on WSUS for patch management; some estimates put usage at 70 to 80 percent in those segments.
- Organizations with multiple WSUS servers or segmented networks face increased exposure.
- Critical infrastructure, government, financial, and healthcare environments commonly use WSUS, increasing the potential for severe consequences.
- Recovery from a compromise of update infrastructure may require rebuilding trust across the environment and restoring the update pipeline.
Microsoft’s “Exploitation More Likely” assessment, together with the remote, unauthenticated attack vector and low complexity, make this a high-priority issue for affected organizations.
Google Chrome
Google has released emergency updates to fix six Chrome vulnerabilities, including a zero-day, the sixth such flaw exploited this year. The other patched issues are CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, and CVE-2025-6558.
The zero-day (CVE-2025-1058) stems from a type confusion bug in the V8 JavaScript and WebAssembly engine, reported by Google’s Threat Analysis Group (TAG) on September 16, 2025. Type confusion is a memory safety issue that can lead to crashes or remote code execution. Attackers can exploit it through malicious HTML pages that trigger arbitrary read or write operations in V8. Since TAG reported the flaw, it may have been used by spyware vendors or advanced threat actors.
The update also addresses a heap buffer overflow in the ANGLE graphics engine (CVE-2025-10502), reported by Big Sleep AI. Google noted that this researcher often identifies defects already known to attackers.
Google released versions 140.0.7339.185 and 140.0.7339.186 for Windows and macOS, and 140.0.7339.185 for Linux. These updates are being rolled out to the stable channel over the coming weeks.
Figma
Imperva researchers disclosed a now-patched command injection flaw in the figma-developer-mcp Model Context Protocol (MCP) server that allowed arbitrary code execution. Tracked as CVE-2025-53967 (CVSS 7.5), the issue resulted from improper neutralization of input passed to child_process.exec, enabling attackers to inject system commands.
The vulnerability resided in src/utils/fetch-with-retry.ts, where the retry mechanism used to resend traffic to a Figma API endpoint fell back to a curl command executed via child_process.exec when Fetch failed. Because URL and header values were inserted directly into the shell command, a crafted URL or header could inject arbitrary code.
The flaw was patched in figma-developer-mcp version 0.6.3, released on September 29, 2025. Imperva recommends avoiding child_process.exec with untrusted input and using child_process.execFile instead.
Unity
A vulnerability tracked as CVE-2025-59489 (CVSS 8.4) was found in the Unity game engine and may affect applications built with Unity 2017.1 and newer on Android, Windows, macOS, and Linux. There is no evidence that iOS, consoles, UWP, Quest, or WebGL builds are impacted.
The flaw can lead to arbitrary code execution or data exposure during game launch. Unity Runtime processes specific launch parameters and debug commands such as -xrsdk-pre-init-library, -dataFolder, and overrideMonoSearchPath. If a malicious library is specified in these parameters, it may be loaded and executed with the game’s permissions, potentially bypassing security controls.
Unity advises rebuilding projects with updated Unity Editor versions or using the Unity Application Patcher for existing builds. Valve has updated the Steam client to block malicious launch parameters, and Microsoft has released Defender signatures. No Linux patcher is available.
The vulnerability was discovered by RyotaK of GMO Flatt Security in May 2025 and dates back more than eight years. As of publication, no exploitation in the wild has been reported.
Cisco
Cisco has released updates to address a critical zero-day vulnerability in Cisco IOS and IOS XE software that is currently being actively exploited. Tracked as CVE-2025-20352, the flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, affecting all devices with SNMP enabled.
Authenticated remote attackers with low privileges can exploit the flaw to cause a Denial-of-Service (DoS) condition, while those with higher privileges can execute code as the root user, gaining full control of affected systems. Exploitation involves sending specially crafted SNMP packets over IPv4 or IPv6. Cisco confirmed that exploitation was detected after attackers obtained local administrator credentials.
Cisco strongly recommends updating to a patched version. There are no workarounds other than applying the available fixes. For temporary mitigation, administrators can restrict SNMP access to trusted users only.
Alongside this zero-day, Cisco patched 13 additional vulnerabilities, including two with publicly available Proof-of-Concept exploits.
- CVE-2025-20240: a Cross-Site Scripting (XSS) flaw in IOS XE that could allow unauthenticated attackers to steal cookies.
- CVE-2025-20149: a DoS issue enabling local authenticated attackers to reboot affected devices.
Cisco also fixed a third critical bug (CVE-2025-20363) in ASA/FTD firewalls and Cisco IOS, which could let unauthenticated attackers execute arbitrary code remotely.
Nearly 50,000 Cisco ASA and Firewall Threat Defense (FTD) devices exposed to the internet remain vulnerable to two actively exploited flaws: CVE-2025-20333 and CVE-2025-20362. Both allow arbitrary code execution and unauthorized access to restricted VPN URLs. Cisco confirmed that attacks began before patches were released.
No workarounds exist, but administrators can limit exposure by restricting VPN web interface access and monitoring for unusual VPN logins and HTTP requests. The Shadowserver Foundation reported over 48,800 vulnerable ASA and FTD instances accessible online as of September 29, highlighting limited patch adoption and a growing large-scale attack campaign.
Earlier, GreyNoise warned about scanning activity targeting Cisco ASA devices in late August, which often precedes exploitation of undocumented vulnerabilities—precisely what occurred here. The UK’s National Cyber Security Centre (NCSC) reported that attackers deployed Line Viper shellcode loader malware followed by a RayInitiator GRUB bootkit.
Given that active exploitation has been ongoing for over a week, administrators are strongly urged to apply Cisco’s guidance for CVE-2025-20333 and CVE-2025-20362 immediately.
Oracle
Oracle has identified and patched two critical vulnerabilities in the E-Business Suite (EBS) platform, one of which was actively exploited in Clop ransomware attacks focused on data theft.
The first flaw, CVE-2025-61882, is a zero-day in the Oracle Concurrent Processing component (BI Publisher Integration). It has a CVSS score of 9.8, allows unauthenticated remote code execution, and is simple to exploit. The issue affects EBS versions 12.2.3 through 12.2.14. Oracle released an out-of-band update, noting that customers must first install the October 2023 critical patch before applying the fix.
Mandiant confirmed that Clop used this vulnerability in August 2025 to steal data from multiple organizations. The group combined CVE-2025-61882 with older Oracle EBS flaws patched in July 2025. Victims received ransom emails claiming data exfiltration from compromised EBS systems, and Clop later acknowledged using a zero-day in Oracle. Oracle initially linked the campaign to previously patched vulnerabilities but later confirmed the new zero-day.
Around the same time, a group calling itself “Scattered Lapsus$ Hunters” posted two files on Telegram allegedly tied to the attacks: GIFT_FROM_CL0P.7z, which contains Oracle source code related to support.oracle.com, and ORACLE_EBS_NDAY_EXPLOIT_POC_SCATTERED_LAPSUS_RETARD_CL0P_HUNTERS.zip, described as an EBS exploit used by Clop and matching Oracle’s IOCs. The connection between these groups remains unclear.
Shortly afterward, Oracle released another emergency security update for a separate vulnerability, CVE-2025-61884, affecting the Runtime UI component of EBS versions 12.2.3–12.2.14. The flaw, rated CVSS 7.5, allows unauthenticated attackers to access sensitive information remotely.
Oracle issued this patch roughly two weeks after Clop’s ransom campaign. CrowdStrike reported that Clop had been exploiting CVE-2025-61882 as a zero-day since early August, warning that other threat groups might have joined the attacks. watchTowr Labs added that CVE-2025-61882 represents a chain of vulnerabilities enabling unauthenticated remote code execution, referencing a proof-of-concept leaked in May 2025 by the Scattered Lapsus$ Hunters group.
Oracle has not indicated that CVE-2025-61884 has been exploited in the wild, but given ongoing attacks against internet-facing EBS instances, administrators are strongly advised to apply the out-of-band patch without delay.
OpenSSL
OpenSSL released new versions of its SSL/TLS toolkit with fixes for issues that could enable private key recovery, code execution, or denial of service. Updated versions are 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm, and 1.1.1zd, addressing CVE-2025-9230, CVE-2025-9231, and CVE-2025-9232.
CVE-2025-9231 could allow private key recovery. It affects the SM2 implementation on 64-bit ARM platforms. OpenSSL does not natively support SM2 certificates in TLS, so most TLS deployments are not affected, but a custom provider could introduce exposure through remote timing attacks. The issue is rated medium.
CVE-2025-9230 is a read/write out-of-bounds flaw that could allow code execution or denial of service and is also rated medium. The third vulnerability is rated low and could trigger a crash leading to denial of service.
Apple
Apple released iOS 26 and macOS Tahoe 26, fixing more than 50 vulnerabilities, including one exploited on older platforms. iOS 26 and iPadOS 26 address 27 CVEs tied to memory corruption, information disclosure, denial of service, and sandbox escapes.
WebKit received the most fixes (five), covering issues that could cause crashes, Safari instability, or unauthorized sensor access. Other updated components include Apple Neural Engine, Bluetooth, CoreAudio, CoreMedia, Kernel, Safari, Sandbox, Siri, and several more.
macOS Tahoe 26 patches 38 CVEs, 11 of which overlap with iOS and iPadOS. The most affected components include WebKit (five fixes), AppleMobileFileIntegrity and SharedFileList (four each), and Bluetooth and Sandbox (three each). Additional updates cover AppKit, AppSandbox, ATS, CoreMedia, CoreServices, FaceTime, Foundation, GPU Driver, ImageIO, Notification Center, RemoteViewServices, Security Initialization, Spotlight, and StorageKit.
Apple also released iOS 18.7 and iPadOS 18.7 with fixes for 12 vulnerabilities, as well as iOS 16.7.12, iPadOS 16.7.12, iOS 15.8.5, and iPadOS 15.8.5 with patches for CVE-2025-43300, an ImageIO vulnerability exploited in attacks against WhatsApp users. Initial fixes for this bug were provided on August 20. Substantial updates also arrived for macOS Sequoia 15.7 and macOS Sonoma 14.8. tvOS 26, watchOS 26, and visionOS 26 include nearly two dozen fixes each. Safari 26 received seven patches, and Xcode 26 fixed five issues. Aside from CVE-2025-43300, Apple did not report in-the-wild exploitation.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both OS and third-party software.
